RE: Bypassing Windows 2000 Domain Password settings

From: Gino Genari (mail226518@pop.net)
Date: 05/16/02


From: "Gino Genari" <mail226518@pop.net>
To: <focus-ms@securityfocus.com>
Date: Wed, 15 May 2002 18:48:14 -0400

Sorry I did not give much detail in my first message. At the time of my
first message, I was not aware of Q269236; I had set my TechNet search too
narrow.
My original issue was not just with minimum password age, but also with the
other settings in that GPO tree. There are 6 settings under Computer
Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy. Those settings are:
1. Enforce Password History
2. Maximum Password Age
3. Minimum Password Age
4. Minimum Password Length
5. Password must meet complexity requirements
6. Store Password using reversible encryption ...

I now know these are all affected by Q269236.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q269236

Q273004 also seems to say something about minimum password age. This article
is hinting that this might have to be set on each custom OU (see note from
the article below); I am currently testing in my lab.
NOTE: If users are configured to a specific organizational unit, select the
organizational unit where the users reside.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q273004

Here are my gripes with this now that I know what the problem happens to be:
1. The Security Configuration and Analysis snap-in, the GPO snap-in and FAZAM
2000 are reporting false information. All 3 showed me that my settings were
correct for what I wanted, so I had no clue that the Default Domain
Controller policy was affecting my end result.
2. There is no warning when you set these policies in the Default Domain
Policy that there needs to be modification to the Default Domain
Controllers policy, yet setting password age policy will warn and reset
the other password age policy within the same GPO (changing the maximum age
will reset the minimum age).
3. Why is this policy on the Computer Settings, and not in the User
settings?

Gino.
-----Original Message-----
From: Skinner, Kit [mailto:KSkinner@sandstream.com]
Sent: Wednesday, May 15, 2002 4:13 PM
To: 'focus-ms@securityfocus.com'
Cc: 'Gino Genari'
Subject: RE: Bypassing Windows 2000 Domain Password settings

Your answer is in the Status:
        "This behavior is by design."
If you have "Block Policy Inheritance" enabled on the Domain Controllers OU,
you have two options:
        1. Disable "Block Policy Inheritance" on the Domain Controllers OU
                - or -
        2. Set a Group Policy in the Domain Controllers OU that mirrors
           the settings you desire that exist in the Default Domain Policy.
However, your original message indicated an issue that some experienced with
it recognizing password history. This could relate specifically to the same
issue. But again, that is by design. If you tell it to block inheritance,
it will block inheritance. If you are blocking inheritance on the Domain
Controllers OU, then it is behaving as you told it to. If it's not set to
block inheritance, then you have another issue entirely.
-K
-----Original Message-----
From: Gino Genari [mailto:mail226518@pop.net]
Sent: Monday, May 13, 2002 5:18 PM
To: focus-ms@securityfocus.com
Subject: Bypassing Windows 2000 Domain Password settings

Microsoft Q article Q269236, "Changes Are Not Applied When You Change the
Password Policy", explains this issue.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236
If policy blocking is enabled at the Domain Controllers OU, password
policies set in the Default Domain Policy are not propagated to any
machines.
The article remarks that SP1 is affected, but I have SP2 on these machines.
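
The check discussed in this thread, as an added example that is not part of the original messages: it tests whether "Block Policy Inheritance" is set on the Domain Controllers OU and compares the password policy actually in effect on the domain against the values you meant to configure, rather than trusting what the GPO editor displays. It assumes a current domain with the RSAT ActiveDirectory and GroupPolicy PowerShell modules (which postdate this thread); the values in `$intended` are placeholders.

```powershell
# Added example: audit password-policy drift caused by blocked inheritance
# on the Domain Controllers OU. Read-only; changes nothing in the directory.
Import-Module ActiveDirectory, GroupPolicy

# Assumption: the six Password Policy settings you intended to set in the
# Default Domain Policy. Placeholder values, not taken from the thread.
$intended = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MinPasswordLength           = 8
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer

# 1. Is "Block Policy Inheritance" enabled on the Domain Controllers OU?
$inheritance = Get-GPInheritance -Target $dcOu
if ($inheritance.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked on '$dcOu'. Password settings in the Default Domain Policy will not be applied unless that GPO is enforced or mirrored on this OU."
}

# 2. Which GPOs really reach the domain controllers, in precedence order?
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 3. Compare the policy in effect on the domain object with the intended values.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName
$drift = foreach ($name in $intended.Keys) {
    if ($effective.$name -ne $intended[$name]) {
        [pscustomobject]@{
            Setting   = $name
            Intended  = $intended[$name]
            Effective = $effective.$name
        }
    }
}

if ($drift) {
    $drift | Sort-Object Setting | Format-Table -AutoSize
} else {
    'Effective domain password policy matches the intended values.'
}
```

Any row in the drift table alongside the inheritance warning points to the condition described in Q269236; the two remedies are the ones listed in the reply above.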


