Re: Group Policy problems

From: David Dickinson [MVP] (eis@no-spam.softhome.net)
Date: 06/18/02 

From: "David Dickinson [MVP]" <eis@no-spam.softhome.net>
Date: Tue, 18 Jun 2002 11:34:38 -0600

Egon Petersen wrote:
> I have a WIN2000 domain running with 2 Domain Controllers
> and around 100 users.
>
> When I try to give the users a new password it must be
> with both small and capital letters as well as numbers.
> When I check our defaul domain policy, the Complex
> Password setting is set to disable. None the less I have
> problems with the password.
> If I set the default domain policy with the check box No
> Override everything works fine and I can use a password
> with only small letters.
>
> This could tell that there is a policy some where that
> sets the complexity, but I can't find that policy.
>
> It does not help to move the users to another OU, I have
> tried that.

You said that moving users to another OU doesn't help, but does this problem
appear in /all/ OUs? I'm wondering if somewhere in your heirarchy there is
a group policy object that has defined the "Passwords must meet complexity
requirements" policy and has it enabled. Depending upon the complexity of
your organization it can be a pain to do, but I would start by writing down
the hierarchy of GPOs (and include the local policies for the domain
controllers), then for each one check their override settings and password
complexity policy. Some policy -- for domain controllers or OU's or
something -- is different and is overriding the domain policy. 

--
David Dickinson, MVP (Security)
EveningStar Information Services
Las Cruces, NM USA
Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp

Relevant Pages

  • Re: Reasons and examples for security
    ... Roger Abell ... >> "Use passphrases" (with some details tbd relative to retraints ... >> on length minimum and relationship with complexity policy). ...
    (microsoft.public.security)
  • RE: Problem after setting password complexity
    ... change password after you enable "password must meet complexity ... I suggest you configure the password policy under "domain security ... Password must meet complexity requirements Enabled ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: MU team brews its own, cheaper gas
    ... If you're a decision-maker suffering from these acute symptoms it may be time to ask your doctor about Complexity Science: a nascent, interdisciplinary field exploring the structure, behavior and dynamics of complex systems. ... Catalyst's "Forum on Complexity and Transportation Policy," to be held June 15th at the Cosmos Club in Washington, DC is the second of a four-part series exploring the new public policy insights offered by complexity science. ... Catalyst is pleased to feature two of the most highly esteemed individuals in the field of transportation policy today: Dr. Tom Downs and Dr. Carl Simon. ...
    (sci.fractals)
  • Re: Password must meet complexity requirements
    ... I am getting the complexity message. ... The Default Domain Policy must be linked but not enforced. ... (one of the reasons we suggest you never modify the Default Policies ... replicate and see what happens. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password Policy
    ... You minimum password age is badly high. ... Steve Riley wrote an excellent article on why password complexity is not so ... allowed to change their password before it expires. ... You can circumvant a bit the password policy by having 'password never ...
    (microsoft.public.windows.group_policy)