No announcement yet.

DumpSec Password Age

  • Filter
  • Time
  • Show
Clear All
new posts

  • DumpSec Password Age

    Had an interesting situation a few of my partners here are working on. They edit and change the group policy as normal and everything seems to populate and go correctly; however, one setting doesn't. They have changed the password age to 30 days in the GPO, but when you pull a dumpsec report it shows the password age as 60. Now I believe that the 60 is actually in effect as other reports show passwords expriring at 60 days.

    Question is. Where does Dumpsec pull that 60 day information from?

  • #2
    Re: DumpSec Password Age

    A Microsoft function, NetUserModalsGet, is used to get the policy information. Hyena also uses this function. You need to verify your other policies, as Microsoft has made a mess of overlapping policies: there is one for the domain and another one for a domain controller. Its unclear whith policy this function is reporting to you, if any.
    Kevin Stanush
    SystemTools Software Inc.


    • #3
      Re: DumpSec Password Age

      This might not be your case, we had this happen when changing the number of incorrect logons that would lock your account. It kept getting over written to the old value. Though we didn't know it at the time.
      Found a DC that was not replicating correctly. It would over write what we were trying. So you may want to ensure your DC's are replicating correctly.


      • #4
        Re: DumpSec Password Age

        Thanks all for the input, passing it on as well. I don't normally work this side of the house, they are just stumped so trying to assist them. Its odd in that the 60 days shows that its replicated out to all the DC's via dumpsec; however, when you look in the group policy editor for any of them it appears as 30.

        I firmly believe Dumpsec report is correct as when you look at the times for password resets for users they are scheduled for 60 days.

        I mentioned to our admin to try and change it from 30 to say 45 and just see how/if it replicates.

        Thanks again.