https://live.paloaltonetworks.com/t5/general-topics/gp-ad-user-password-expiry/m-p/156821#M51485 <P>Hello</P><P>&nbsp;</P><P>Correct way to check password policy in AD is to run secpol.msc and show:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2017-05-16_083812.png" style="width: 765px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9272i4E42FC8D79E88D22/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2017-05-16_083812.png" alt="2017-05-16_083812.png" /></span></P><P>&nbsp;</P><P>Please show this information.</P><P>&nbsp;</P><P>Regards</P><P>Slawek</P> Tue, 16 May 2017 06:39:23 GMT _slv_ 2017-05-16T06:39:23Z https://live.paloaltonetworks.com/t5/general-topics/gp-ad-user-password-expiry/m-p/156754#M51470 <P>When setting up a Global policy object for a Paloalto globalprotect user/group , the maxpwdage attribute does not match the, the password expiry date sent for Paloalto user, This can be confusing to know when the password actually going to expire for the GP user.<BR />Panos 7.0.6<BR />Gp 3.0.3<BR />AD server 2012r2<BR /><BR />Max password age was set on 14.05.17</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pwdpilicy.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9265iDB7A97BBEFED41E8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="pwdpilicy.PNG" alt="pwdpilicy.PNG" /></span></P><P>&nbsp;</P><P>Tailing the authd logs whilst connecting with a GP user<BR />&gt;&gt;tail follow yes mp-logs authd<BR />It shows that there are only 64 days left before the password expires, however the default domain policy is set to 75 days</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pwdexpiry.jpg" style="width: 651px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9266i32BB402FF6447018/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="pwdexpiry.jpg" alt="pwdexpiry.jpg" /></span></P><P>This difference is due to the attirbutes maxpwdage an pwdlastset were set on differnet date.<BR />run the below command on windows shell<BR /><BR /><BR /><STRONG>get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires</STRONG><BR /><BR />The output below suggests that passwordlast set for the user on 04.05.17</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pwdlastset1.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9267i9FABA09277D9A127/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="pwdlastset1.jpg" alt="pwdlastset1.jpg" /></span></P><P>&nbsp;</P><P><BR />There is a difference of 11 days between attributes &nbsp;maxpwdage and pwdlastset<BR />maxpwdage-passwordlast set= password expiry<BR />75 -11 =64 days<BR /><BR />Best regards,</P><P>&nbsp;</P><P>Kash</P> Mon, 15 May 2017 20:30:54 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-ad-user-password-expiry/m-p/156754#M51470 Kashif_Noor 2017-05-15T20:30:54Z https://live.paloaltonetworks.com/t5/general-topics/gp-ad-user-password-expiry/m-p/156821#M51485 <P>Hello</P><P>&nbsp;</P><P>Correct way to check password policy in AD is to run secpol.msc and show:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2017-05-16_083812.png" style="width: 765px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9272i4E42FC8D79E88D22/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2017-05-16_083812.png" alt="2017-05-16_083812.png" /></span></P><P>&nbsp;</P><P>Please show this information.</P><P>&nbsp;</P><P>Regards</P><P>Slawek</P> Tue, 16 May 2017 06:39:23 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-ad-user-password-expiry/m-p/156821#M51485 _slv_ 2017-05-16T06:39:23Z