Authentication Service, Mac & PC Management Service, Auditing and Monitoring Service
000001977
KB-1507: Inconsistent AD user's password expiration date between hosts within the same zone
Applies to: All versions of Centrify DirectControl
Problem:
Inconsistent AD user's password expiration date between hosts within the same zone
Cause:
The DirectControl agent calculates the password expiration date from the value of the parameter "secedit.system.access.maximumpasswordage" in the /etc/centrifydc/centrifydc.conf file. If machine group policies are enabled, this parameter gets its value from the "Max password age" group policy set in Active Directory; otherwise the default value of 90 is used for the calculation.
Solution:
Ensure that computer-based group policies are enabled by setting the configuration parameter gp.disable.machine to false in the file /etc/centrifydc/centrifydc.conf (gp.disable.machine: false), and make sure the configuration parameter "secedit.system.access.maximumpasswordage" has the same value across the hosts.
If computer-based group policies need to be turned off, add the configuration parameter secedit.system.access.maximumpasswordage to the file /etc/centrifydc/centrifydc.conf and set it to the same value on all the hosts within the same zone.
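One way to check the two parameters above across a zone, as an added example that is not part of the original article or Centrify tooling. It assumes copies of each host's centrifydc.conf have been collected into local files and that the file uses the "name: value" form shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Centrify tooling): compare settings in collected centrifydc.conf copies.

# Print the value of parameter $2 from the "name: value" file $1, skipping comments.
# Assumption: if a parameter appears more than once, the last occurrence is reported.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*:/) next
            sub(/^[ \t]*:[ \t]*/, "", rest); sub(/[ \t]*$/, "", rest)
            val = rest
        }
        END { if (val != "") print val }
    ' "$1"
}

# Value found in the file, else the default of 90 named in the KB.
effective_max_age() {
    v=$(conf_value "$1" secedit.system.access.maximumpasswordage)
    echo "${v:-90}"
}

# Print one line per file; return 1 if the effective values differ.
check_zone_consistency() {
    first=""; rc=0
    for f in "$@"; do
        age=$(effective_max_age "$f")
        gp=$(conf_value "$f" gp.disable.machine)
        echo "$f gp.disable.machine=${gp:-unset} maxage=$age"
        if [ -z "$first" ]; then first=$age; fi
        if [ "$age" != "$first" ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample copies of two hosts' files (not real host data).
tmp=$(mktemp -d)
printf 'gp.disable.machine: false\nsecedit.system.access.maximumpasswordage: 42\n' > "$tmp/hostA.conf"
printf 'gp.disable.machine: true\n# secedit.system.access.maximumpasswordage: 42\n' > "$tmp/hostB.conf"
check_zone_consistency "$tmp/hostA.conf" "$tmp/hostB.conf" || echo "MISMATCH: align the parameter across the zone"
```

In the constructed sample, hostB has machine group policies disabled and no explicit value, so it falls back to 90 while hostA uses 42, which is the mismatch the article describes.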