Access Manager: Password Policy does not match Active Directory

system
This article is marked as obsolete.

By default, Access Manager reads and enforces the Default Domain Password Policy of the Active Directory domain. If Access Manager is not displaying the policy you expect, and neither Fine-Grained Password Policies nor Policy Overrides are in use, the following procedure, found by one of our customers, may help. It uses the Microsoft 'ldp' tool on a domain controller of the root domain to display the password-policy attributes that are stored on the domain object itself, which is the data Access Manager reads:

1. Connection -> Connect
2. View -> Tree -> Click drop down for Base DN and choose the domain
3. Select the root of the tree that has now appeared
4. Connection -> Bind
5. Choose appropriate authentication
6. Browse -> Search
7. Choose Base DN of the domain again
8. Make sure that "Filter" is (objectclass=*) the Scope is "Base" and the Attribute is "*"
9. Run

The attributes are now listed in the right-hand pane. The policy values live on the domain object as maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties, lockoutThreshold, lockoutDuration and lockOutObservationWindow; the age and duration attributes are stored as negative counts of 100-nanosecond intervals, so a raw value such as -51840000000000 is 60 days.

Our customer's specific issue was with the Max Password Age attribute value:
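The same Base-scope search can be done from PowerShell, which is also where the customer's later commands were run. The script below is an added example, not part of the original article or of Access Manager; it assumes the ActiveDirectory module is available and that you are logged on to a domain-joined machine with rights to read the domain object. It dumps the raw attributes ldp shows, converts the 100-nanosecond intervals into readable TimeSpans, and prints what the module reports next to them so a mismatch stands out. It also lists any Fine-Grained Password Policies, since the procedure only applies when none are in use.

```powershell
# Added example (not from the original article): read the password-policy
# attributes directly from the domain object, the same object ldp returns for
# a Base-scope search of the domain Base DN, and compare them with the module.
Import-Module ActiveDirectory

function ConvertFrom-AdInterval {
    # AD stores age/duration attributes as negative Int64 counts of
    # 100-nanosecond intervals (ticks); Int64.MinValue means "never".
    param([long]$Value)
    if ($Value -eq [long]::MinValue) { return 'Never' }
    return [TimeSpan]::FromTicks([math]::Abs($Value))
}

$domain = Get-ADDomain
$root   = Get-ADObject -Identity $domain.DistinguishedName -Properties `
    maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties, `
    lockoutThreshold, lockoutDuration, lockOutObservationWindow

# Raw attributes, decoded. pwdProperties is a bit mask:
# 0x1 = DOMAIN_PASSWORD_COMPLEX, 0x10 = DOMAIN_PASSWORD_STORE_CLEARTEXT.
$raw = [pscustomobject]@{
    DistinguishedName           = $root.DistinguishedName
    MaxPasswordAge              = ConvertFrom-AdInterval $root.maxPwdAge
    MinPasswordAge              = ConvertFrom-AdInterval $root.minPwdAge
    MinPasswordLength           = $root.minPwdLength
    PasswordHistoryCount        = $root.pwdHistoryLength
    ComplexityEnabled           = [bool]($root.pwdProperties -band 0x1)
    ReversibleEncryptionEnabled = [bool]($root.pwdProperties -band 0x10)
    LockoutThreshold            = $root.lockoutThreshold
    LockoutDuration             = ConvertFrom-AdInterval $root.lockoutDuration
    LockoutObservationWindow    = ConvertFrom-AdInterval $root.lockOutObservationWindow
}
"--- Raw attributes on $($root.DistinguishedName) ---"
$raw | Format-List

# What the ActiveDirectory module reports; ask the PDC emulator, since that is
# the DC that applies the Default Domain Policy's password settings.
"--- Get-ADDefaultDomainPasswordPolicy (from $($domain.PDCEmulator)) ---"
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $domain.PDCEmulator | Format-List

# Fine-Grained Password Policies override the default for their subjects.
# If this returns anything, the default policy is not the whole story.
"--- Fine-Grained Password Policies ---"
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MaxPasswordAge, AppliesTo
```

The two listings should agree attribute for attribute; Get-ADDefaultDomainPasswordPolicy is only a friendlier view of the same domain object. If they agree with each other but not with what the Default Domain Policy GPO says, the GPO is not being applied to the domain object, which is the situation the customer describes next.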

We ran the command below and noticed that MaxPasswordAge was set to 90 days, even though our Default Domain Policy stated 60. To test, we initially ran:

Set-ADDefaultDomainPasswordPolicy -identity newark.local -MaxPasswordAge "61.00:00:00"

This immediately updated our Default Domain Policy from 90 to 61 days. We then changed our DDP GPO from 61 to 60 and ran the Get command again. It did not update it.

We forced the GPO from 61 to 60 by running the Set command which "fixed" our issue.

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : True
DistinguishedName : DC=Newark,DC=Local
LockoutDuration : 01:00:00
LockoutObservationWindow : 00:59:00
LockoutThreshold : 0
MaxPasswordAge : 60.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 8
objectClass : {domainDNS}
objectGuid : 7cfc463a-e397-43b2-9c99-a6c6f614235b
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

We then synced Access Manager and it now shows 60 days.
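The fix above writes the attribute on the domain object directly. The following added script (not from the original article, the customer, or Access Manager) automates the comparison behind that fix: it reads MaximumPasswordAge from the Default Domain Policy's GptTmpl.inf in SYSVOL, reads the value actually enforced on the domain object from the PDC emulator, and only runs Set-ADDefaultDomainPasswordPolicy when the two disagree. It assumes the ActiveDirectory module, read access to SYSVOL, and that the domain still uses the well-known Default Domain Policy GUID {31B2F340-016D-11D2-945F-00C04FB984F9}; the $WhatIfPreference switch at the top is this example's own safety catch.

```powershell
# Added example (not from the original article): detect drift between the
# Default Domain Policy GPO and the password-policy attributes on the domain
# object, and correct the attribute to match the GPO.
Import-Module ActiveDirectory
$WhatIfPreference = $true   # set to $false to actually write the attribute

$domain = Get-ADDomain
# Well-known GUID of the Default Domain Policy GPO.
$ddpGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$ddpGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

function Get-GptSystemAccess {
    # GptTmpl.inf is an INI file; the password and lockout settings are in
    # [System Access] as e.g. "MaximumPasswordAge = 60" (days, -1 = never).
    param([string]$Path)
    $section = $null
    $result  = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

$gpo = Get-GptSystemAccess -Path $inf
if (-not $gpo.ContainsKey('MaximumPasswordAge')) {
    throw "Default Domain Policy does not define MaximumPasswordAge in $inf"
}
$gpoDays = [int]$gpo['MaximumPasswordAge']

# The PDC emulator is the DC that applies the GPO's password settings to the
# domain object, so read the effective value from there.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $domain.PDCEmulator
$adDays    = [int]$effective.MaxPasswordAge.TotalDays

"GPO  MaximumPasswordAge : $gpoDays days  ($inf)"
"AD   maxPwdAge          : $adDays days  (read from $($domain.PDCEmulator))"

if ($gpoDays -eq -1) {
    "GPO says passwords never expire; not changing the attribute automatically."
}
elseif ($gpoDays -ne $adDays) {
    "Mismatch: writing $gpoDays days to the domain object."
    # Same write the customer used, but driven by the GPO value so both agree.
    Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $domain.PDCEmulator `
        -MaxPasswordAge ([TimeSpan]::FromDays($gpoDays))
}
else {
    "GPO and domain object agree."
}
```

Writing the attribute directly is a point-in-time fix. The security-settings extension on the PDC emulator re-applies the Default Domain Policy's password settings to the domain object at Group Policy refresh, so when a directly written value and the GPO disagree, the GPO value is the one that should win afterwards. If the attribute had stayed at 90 while the GPO said 60, it is worth checking on the PDC emulator that the Default Domain Policy is actually being applied (gpresult /h, or the Group Policy operational event log) before relying on a manual write. Access Manager reads the domain object, so once the attribute is correct a sync is all it needs, as the customer observed.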