Account lockout when password expires

[canadajoe]

We have a Windows 2000 SP3 and a Windows 2000 SP4 domains that we manage for a client. In these domains there are resources that don't log in for long periods of time. In the SP4 domain if a user doesn't log in and his password has expired he is prompted to set a new password and he can access the domain.
In the SP3 domain when the password expires he is not prompted to set a new password, his account is locked out.
Is this because one is SP3 and one is SP4 and is this the way it is supposed to work?

 

[WhoKilledKenny]

Have not herd of a service pack causing this issue. If the two domains are in a Parent child trust relationship, I would recommend that all DC's be at the same SP level. If they are not trusted domains, then I would check the group policies to see if it has been configured not to prompt the user = 0
Edit the GPOs in the domain that is having this issue. The path should be the same for all enabled group policies.

Computer Configuration -> Windows Settings -> Local Policies -> Security Options -> Interactive logon: Promt user to change password before expiration. If it is set to 0 (Zero) days and the policy is defined, there is where the issue is.

 

[canadajoe]

These are 2 similar but separate domains and there is no trust between them. I checked the domain that is prompting to change the password after it has expired without locking the account and the security setting to prompt the user to chnage the password before it expires is not configured. I checked the domain that is not giving the option to reset the password after it has expired and is locking the account and that security setting is not configured in that domain either.

 

[WhoKilledKenny]

Did you check all of the GPO's?
From my understanding, if the policy is not defined the default is 14 days (I could be wrong...). The policy "Interactive logon: Promt user to change password before expiration" is a computer policy that can be defined in any GPO and applied almost anywhere in the AD. For example let say a few levels in my AD structure I have an OU called "Sales." There is an enables GPO linked to Sales that has the policy defined as 0 days. Every Computer that is contained in that GPO will not prompt the user to change password. Computers not in that OU and not affected by the Sales policy will still prompt.

As far as I know, the only way a user will not be prompted, warning them that the password is about to expire, is by enabling this computer policy and setting it to 0.

 

[canadajoe]

Thanks for the info. I just checked the Default Domain Policy. I'll check the OU where the user is that is complaining.

 

[Davetoo]

Also...if you can, confirm for yourself that what the user is complaining about is actually occuring.

Too many times I've acted on a complaint only to find out I wasn't being told the actual facts of what was occuring.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

 

[WhoKilledKenny]

I second Davetoo Too....

 

[canadajoe]

The users are located in a default container Users, not in an OU. When I look at the properties of the container I don't see a Policy tab so I assume they are getting the default policy for the domain which has the prompt not configured