Re: Group Policy problems

From: David Dickinson [MVP] (
Date: 06/18/02

From: "David Dickinson [MVP]" <>
Date: Tue, 18 Jun 2002 11:34:38 -0600

Egon Petersen wrote:
> I have a WIN2000 domain running with 2 Domain Controllers
> and around 100 users.
> When I try to give the users a new password it must be
> with both small and capital letters as well as numbers.
> When I check our defaul domain policy, the Complex
> Password setting is set to disable. None the less I have
> problems with the password.
> If I set the default domain policy with the check box No
> Override everything works fine and I can use a password
> with only small letters.
> This could tell that there is a policy some where that
> sets the complexity, but I can't find that policy.
> It does not help to move the users to another OU, I have
> tried that.

You said that moving users to another OU doesn't help, but does this problem
appear in /all/ OUs? I'm wondering if somewhere in your heirarchy there is
a group policy object that has defined the "Passwords must meet complexity
requirements" policy and has it enabled. Depending upon the complexity of
your organization it can be a pain to do, but I would start by writing down
the hierarchy of GPOs (and include the local policies for the domain
controllers), then for each one check their override settings and password
complexity policy. Some policy -- for domain controllers or OU's or
something -- is different and is overriding the domain policy.

David Dickinson, MVP (Security)
EveningStar Information Services
Las Cruces, NM USA
Summary of Microsoft Security Bulletins