Domain Password Policy Not Applying - The Admin Life

Friday, March 16, 2018

Domain Password Policy Not Applying

Password policy behaviour which appears to be a bug but is actually there "by design".

A customer has a handful of domain controllers: a single Server 2008 R2 and three Server 2012 R2 domain controllers. The PDC Emulator role resides on the Server 2008 R2 domain controller.

The Server 2008 R2 domain controller was applying the password policy correctly; however, the 2012 R2 domain controllers were not.

Running an rsop.msc on the 2008 R2 domain controller (the PDC) shows the policy being applied from the Default Domain Policy.


On the 2012 R2 domain controllers, the resultant set of policy displayed no password policy being applied.


The same was experienced running a "gpresult /v" on the 2008 R2 and 2012 R2 domain controllers.

"gpresult /v" on 2008 R2:


"gpresult /v" on 2012 R2:


The account policies above are the domain Kerberos policy, not the password policy.

The password policy simply did not apply to the 2012 R2 domain controllers. After further testing, we saw that only the domain controller running the PDC emulator displays the password policy when performing a "Resultant Set of Policy".

If the DC is not the PDC, then it will not display the password policy from RSOP.

How do I check if the password policy is applying correctly on my domain controllers?

There are two commands which check the password policy:
  • net accounts (checks the local password policy in effect on a server)
  • net accounts /domain (checks the domain password policy from a server)

Domain Policy always wins over a local policy.

Computer role: BACKUP in the output means the server is not the Primary Domain Controller (PDC); the PDC emulator reports PRIMARY.
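The check described above, automated across every writable domain controller as an added example (this is not code from the original post). It assumes the ActiveDirectory RSAT module is installed and that PowerShell remoting to the domain controllers is permitted; the effective policy each DC enforces (from "net accounts" run on that DC) is compared with the domain policy stored in Active Directory, and the PDC emulator is flagged so the RSOP behaviour explained above can be accounted for.

```powershell
# Added example, not from the original post. Compares each writable DC's effective
# password policy ('net accounts' run on the DC) with the domain policy held in AD
# and shows which DC holds the PDC emulator role. Assumes the ActiveDirectory RSAT
# module and PowerShell remoting to the DCs.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$expected = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# Turn the "Setting name:   value" lines printed by 'net accounts' into a hashtable.
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $parsed = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>\S.*)$') {
            $parsed[$matches.name.Trim()] = $matches.value.Trim()
        }
    }
    return $parsed
}

Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
    $dc = $_
    # 'net accounts' without /domain reports what this DC is actually enforcing,
    # which is the figure to trust even when RSOP shows no password policy at all.
    $lines = Invoke-Command -ComputerName $dc.HostName -ScriptBlock { net accounts }
    $p = ConvertFrom-NetAccounts -Lines $lines

    $minLenOk = [int]$p['Minimum password length'] -eq $expected.MinPasswordLength
    $histOk   = [int]$p['Length of password history maintained'] -eq $expected.PasswordHistoryCount
    $minAgeOk = [int]$p['Minimum password age (days)'] -eq $expected.MinPasswordAge.Days

    [pscustomobject]@{
        DC            = $dc.HostName
        HoldsPdcRole  = ($dc.HostName -ieq $domain.PDCEmulator)
        ComputerRole  = $p['Computer role']   # PRIMARY on the PDC emulator, BACKUP elsewhere
        MinLength     = $p['Minimum password length']
        History       = $p['Length of password history maintained']
        MaxAgeDays    = $p['Maximum password age (days)']
        MatchesDomain = ($minLenOk -and $histOk -and $minAgeOk)
    }
} | Format-Table -AutoSize
```

A DC whose MatchesDomain column is False is the one to investigate; a non-PDC DC showing no password policy in RSOP while MatchesDomain is True is the by-design behaviour described in this post, not a fault.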
