Local Account & Password Policy Options Greyed out for Admins?
Posted by Margaret Wilson on January 17th, 2006


I have a user who uses her laptop at home, and it's forcing her to
change passwords every 90 days, even though her account is set so the
password should never expire. (Of course she's using local accounts and
logging into the local machine.) When I ran a Windows domain, we had
such a domain policy, but certain accounts were set so passwords never
expired. Anyway, I looked at the laptop today, figuring I'd just use
the Group Policy Editor to change the password expiration and lockout
policies. Unfortunately these settings are greyed out for all three
admin accounts on the machine. The domain that the laptop was
originally used on no longer exists.

I have the exact same laptop without this problem (originally used on
the same domain), and I was hoping I could just replace the entire
policy. But it's been a couple years since I did much with group
policy, so I'm stumped on this one. The affected laptop has not been
used or updated in a year, so it is maybe running WinXP Pro SP1, though
it could have no service pack at all.

I'm hoping I can fix this without having to reinstall the entire
machine. Can anyone advise me on this one?

Thanks and Regards,

Margaret

Posted by Margaret Wilson on January 17th, 2006


OK, I dug deep in my memory and remembered the Security Config &
Analysis snap-in as well as the security templates. I created a new
database, loaded the compatible workstation policy and attempted to
configure the machine. The configuration seems to do its thing, but
when I analyze the computer config, the local policy is unchanged. Is
there any way I can get this computer back to its pre-domain security
settings?

Thanks and Regards,

Margaret


Posted by Steven L Umbach on January 18th, 2006


It sounds like the computer was never removed from the domain. Log on as an
administrator and go to Control Panel/system/computer name - change and
change the computer to workgroup giving it whatever name you want to use.
Reboot the computer and you should be able to change password policy in
Local Security Policy. I have never seen or heard of a user having to change
their password if their user account is configured for password never
expires. You can use the command net user username to see properties of a
user account. --- Steve





Posted by Margaret Wilson on January 18th, 2006


Thanks, I was just wondering if that might work. I've run several
different domains over the years, NT 351 - Win2003, and I'd never heard
of not being able to override password expiration in the user account
settings, either. But this is a fairly computer savvy user, so I can't
imagine she's telling tall tales. ;-)

Thanks!

Margaret


Posted by Margaret Wilson on January 18th, 2006


Well, so much for that idea. I removed the computer from the domain,
and put it in my home workgroup. Unfortunately I still can't edit the
local security policy settings for password and lockout. Further, I've
tried importing settings from the compatible workstation, and that
doesn't work, either. Any other ideas?

Thanks and Regards,

Margaret


Posted by Steven L Umbach on January 18th, 2006


What does the output of net user and whoami /all for her user account look
like? I still am very skeptical of an account that is set to password never
expires being expired, or is she just getting the message that it will and
not actually being forced to change her password at logon that says - your
password has expired and you must change it? Another thing to try is to run
the command net accounts /maxpwage:unlimited . If that does not work see the
KB article below on how to set security settings back to default defined
levels and you might want to use /areas securitypolicy at the end of the
command to see if that works. --- Steve

http://support.microsoft.com/default...b;EN-US;313222



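The check discussed in the reply above, as an added example that is not part of the original thread: it reads the machine-wide maximum password age from a `secedit /export /cfg policy.inf /areas SECURITYPOLICY` file and the per-account state from `net user` output, then reports whether the password will actually expire. The sample data, the account name `jdoe`, the function names and the US English date format are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a file written by:
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY
SAMPLE_INF = (
    "[Unicode]\nUnicode=yes\n"
    "[System Access]\n"
    "MinimumPasswordAge = 0\n"
    "MaximumPasswordAge = 90\n"
    "LockoutBadCount = 0\n"
    'NewAdministratorName = "Administrator"\n'
    '[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
)

# Constructed sample of `net user jdoe` output (US English dates assumed).
SAMPLE_NET_USER = (
    "User name                    jdoe\n"
    "Account expires              Never\n"
    "Password last set            1/17/2006 9:15 AM\n"
    "Password expires             Never\n"
)


def decode_export(raw: bytes) -> str:
    """Exported files are UTF-16 with a BOM; hand-edited ones may be ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def parse_system_access(text: str) -> dict:
    """Return the integer settings of the [System Access] section."""
    settings, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if re.fullmatch(r"-?\d+", value):  # skip quoted string values
                settings[key] = int(value)
    return settings


def parse_net_user(text: str) -> dict:
    """Split each 'Label    value' line on the run of spaces after the label."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def password_expiry(policy: dict, user: dict):
    """Return the expiry datetime, or None when the password never expires."""
    if user.get("Password expires", "").lower() == "never":
        return None  # the per-account flag overrides the machine-wide age
    max_age = policy["MaximumPasswordAge"]
    if max_age == -1:  # -1 in the exported file means no maximum age
        return None
    last_set = datetime.strptime(user["Password last set"], "%m/%d/%Y %I:%M %p")
    return last_set + timedelta(days=max_age)
```
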
Posted by Margaret Wilson on January 18th, 2006


The instructions in the KB article worked, with errors. But ... it
seems to have set the security settings back to what they should be.
Still, the settings for the password and account lockout policies are
greyed out, so they still cannot be changed. I'd like to know what
*that's* all about. Stupidly, I didn't run the "net user" command on
her account till *after* I'd already done the secedit thing. But now it
says that the password and account never expire. So that should be good
enough that I don't have to reinstall the machine from scratch.

Any idea why those security settings are greyed out? (I'm logged in as
an admin, and they're greyed out for me, too.)

Thanks so much for your help, Steve!

Regards,

Margaret


Posted by Steven L Umbach on January 18th, 2006


Offhand I don't know why that is happening. What "might" work is to check
the integrity of the secedit.sdb file or try to rebuild it as explained in
the links below. I have not had the specific problem you describe myself.
Anyhow glad you made some progress. --- Steve

http://www.microsoft.com/resources/d...troubletn.mspx
http://support.microsoft.com/kb/278316



