Univention does not enforce password change


Univention does not force users to change domain user passwords. With a password change every 30 days, the change does not take place. Where is the problem?


Hi, what version of UCS are you running? What services/apps are installed?

How did you configure your password policy and which service do you expect to enforce the change?

Did you read this chapter in the manual which explains that there is a difference between OpenLDAP-based password policies and Samba-based password policies? https://docs.software-univention.de/manual-4.2.html#users:passwords



UCS Version
4.2-0 errata10 (Lesum)
UMC Version

Installed Application:
Active Directory Connection
Active Directory Takeover
Active Directory Compatible Domain Controller

I want the domain to force a password change every 30 days for users. I created the user through the “Active Directory users and computers” tool.
The attachment is a screenshot of the password change time setting. Unfortunately this does not work.


You are mixing two password policies. Your first screenshot shows the Samba password settings, which you can also check on the UCS via:

# samba-tool domain passwordsettings show

Your second screenshot shows services (which have nothing to do with password-policies).

The UCS also has the possibility to attach password policies - the Samba and UCS policies however are separate. You would need to set the samba-policies according to a UCS password policy (or vice versa) - then the users should be forced to change the password.


root@ad1:~# samba-tool domain passwordsettings show
Password informations for domain ‘DC=powiat,DC=intranet’

Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 0
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30


It seems your GPO is not executed. SambaAD thinks there is no min/max password-age. Maybe the GPO is not correctly linked?


How to check it?
Is there any manual how to connect / create a new one?


The GPOs are essentially a part of Microsoft Windows, the handling via RSAT Tools should be the same for a UCS domain. The following link explains GPOs and the creation of them: https://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx

Basically, you create a GPO and “attach” it to a user/group/OU - it will work for all underlying objects (except UCS DCs - see the paragraph below). For domain-wide changes, you could modify the “default domain policy” for example.

But I need to clarify something: your current issue goes a little bit deeper: currently UCS cannot use/implement GPO-Setting (clients can and will, but the UCS DC cannot) - that is the reason your settings are not replicated. If you want to have these passwordsettings you need to either set them via UCS UDM-Policy (UMC - LDAP - Policies) or via “# samba-tool passwordsettings” on the console.

Kind regards
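An added example, not part of the thread and not Univention or Samba code: a Python check that parses output in the format of the `samba-tool domain passwordsettings show` listing posted above and reports why no password change is forced. The 30-day target comes from the original question; the function names and the reading of a maximum age of 0 as "never expires" are assumptions of this example.

```python
import re

# Constructed sample in the format of the output posted in this thread.
SAMPLE = """\
Password informations for domain 'DC=example,DC=intranet'

Password complexity: on
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
"""

# "Name (unit): value" -> group 1 = name without the unit, group 2 = value
LINE = re.compile(r"^\s*([^:]+?)(?:\s*\([^)]*\))?\s*:\s*(\S.*?)\s*$")

def parse_passwordsettings(text):
    """Map each setting line to name -> value (int where the value is numeric)."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # the domain header line has no colon and is skipped
            value = m.group(2)
            settings[m.group(1).lower()] = int(value) if value.isdigit() else value
    return settings

def audit(settings, expected_max_age_days=30):
    """Return findings where the Samba policy will not force a password change."""
    findings = []
    max_age = settings.get("maximum password age")
    min_age = settings.get("minimum password age")
    if not isinstance(max_age, int):
        findings.append("maximum password age not reported")
    elif max_age == 0:
        # Assumption of this example: 0 means the password never expires.
        findings.append("maximum password age is 0: passwords never expire")
    elif max_age != expected_max_age_days:
        findings.append(
            f"maximum password age is {max_age} days, expected {expected_max_age_days}")
    if isinstance(max_age, int) and isinstance(min_age, int) and 0 < max_age <= min_age:
        findings.append("minimum password age is not below the maximum")
    if settings.get("password history length") == 0:
        findings.append("password history length is 0: the old password can be reused")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_passwordsettings(SAMPLE)):
        print("FINDING:", finding)
```

On a UCS DC, the real command output can be passed to `parse_passwordsettings()` in place of `SAMPLE`.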


OK - I’ve set the password change request via samba-tool, and the windows client has launched “gpupdate / force”. After issuing the command “net user xxx / domain”, the date of password change actually started to be correct. Unfortunately, this did not force a password change on the windows client. You could normally log in. The “net user xxx / domain” command only stopped working.
After changing the password in Windows - the command “net user xxx / domain” works again …
Any ideas?


Ah, okay. Can you set the UCS UDM Policy additionally and try again? Try to have both policies with the same dates/times.