Re: Security hierarchy

From: Steven L Umbach (n9rou@attbi.com)
Date: 04/13/03


From: "Steven L Umbach" <n9rou@attbi.com>
Date: Sun, 13 Apr 2003 19:29:06 GMT


Hi Peter. No, I do not think your system is hosed. You said you set
it to disabled at domain level. Try that at domain controller and local
policy level also. What you are experiencing with that setting does not
seem to be unusual since I have seen more than a few postings on the same
subject. Try a Google advanced search for groups using password complexity
as search string and *win2000* or *security* as newsgroups to search. Also
see links as a possible solution/clue. Good luck. --- Steve

http://support.microsoft.com/?kbid=226243
http://support.microsoft.com/?kbid=161990

"Peter K." <pmkdatabase@yahoo.ca> wrote in message
news:bsqh9vkvl32jpiun4e3l4lsj1aapeod0bs@4ax.com...
> Thank you - I hope you have time to have a look at my responses
> inline.
>
> On Sat, 12 Apr 2003 15:03:09 GMT, "Steven L Umbach"
> <sumbach@ameritech.net> wrote:
>
> > I assume you are trying to add a domain user. Account policy for domain
>
> Yes
>
> >can be configured only at domain level. If it is assigned at other levels it
> >would only apply to local machine accounts if domain policy is overridden.
>
> Understood, but at domain level (and DC) it is not defined.
>
> >I have found that sometimes certain settings do not "show up" in a timely
> >manner as you would think. Try running security configuration and analysis
>
> It has been > 12 hours or so since my post, and I have rebooted also.
>
> >snap in to see what it reports.
>
> Not Configured - PasswordComplexity
>
> >Another thing to try would be to change
> >setting to disabled at domain level. These policies do not propagate
>
> Tried that.
>
> >immediately and need to be updated on dc first via a secedit refresh or
> >reboot before doing same to domain member computer. It is also advisable to
>
> ran secedit and rebooted also.
>
> >try not to change domain and domain controller policy, but to add new
> >policies for desired changes - that way it is easy to undo changes and go
> >back to default by deleting custom policy.
>
> Good advice for next time!
>
> This is the big question: Are you saying that from the info I have
> provided, that password complexity should not be enforced although it
> is and therefore the system is somehow hosed? 'Cause if so, I will
> stop wasting time on it but it is scary if it could get hosed so
> easily.
>
> >Changes at local security policy
> >can be restored to default, but it is best to document changes and do just a
> >few at a time. -- Steve
> >
> >"Peter K." <pmkdatabase@yahoo.ca> wrote in message
> >news:s4lf9v0mcbl10ab7fq3m0au9du2l7mujt8@4ax.com...
> >> Hi,
> >>
> >> Maybe I have been working on this too long (studying for the 70-215
> >> exam) - but I just cannot figure out what is going on. Help would be
> >> appreciated. I should mention I have made a number of changes to the
> >> security settings at various levels.
> >>
> >> Currently Domain and DC Security policy all display password
> >> policies 'not defined'. The default GPO for the domain in Users and
> >> Computers MMC also shows them as all not defined. Local settings show
> >> password complexity requirement as disabled in Local Settings, and
> >> Effectively as 'not defined'.
> >>
> >> I reboot the DC (the only one in the test domain).
> >>
> >> Yet password complexity is clearly in effect - I cannot add a user -
> >> regardless of the group selected - unless the password meets
> >> complexity requirements like so.123Ss11D. What am I missing??
> >>
> >> Thanks,
> >>
> >> Peter
> >>
> >>
> >> Peter
> >
>
>
> Peter
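
An added example, not part of the original posts: Python that reads security templates in the INF layout written by `secedit /export` and reports whether `PasswordComplexity` is enabled, disabled or not defined, flagging the symptom discussed in this thread where the displayed policy and the exported settings disagree. The sample templates are constructed and the function names are hypothetical; a real export is assumed to be UTF-16 and would be opened with that encoding.

```python
import configparser

# Constructed samples in the INF layout of a `secedit /export` template.
# Values are illustrative and are not taken from the thread.
EXPORTED = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Same template with the setting absent, i.e. "not defined".
NOT_DEFINED = EXPORTED.replace("PasswordComplexity = 1\n", "")
# Same template with the setting explicitly disabled.
DISABLED = EXPORTED.replace("PasswordComplexity = 1", "PasswordComplexity = 0")


def load_template(text):
    """Parse INF text; '=' is the only delimiter so registry paths survive."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    parser.optionxform = str  # keep the original key case
    parser.read_string(text)
    return parser


def complexity_state(text):
    """Return 'enabled', 'disabled' or 'not defined' for PasswordComplexity."""
    parser = load_template(text)
    if not parser.has_option("System Access", "PasswordComplexity"):
        return "not defined"
    raw = (parser.get("System Access", "PasswordComplexity") or "").strip()
    return {"0": "disabled", "1": "enabled"}.get(raw, "unrecognised: " + raw)


def audit(displayed_text, exported_text):
    """Flag the case where the policy shown to the admin does not enable
    complexity but the exported settings do."""
    shown = complexity_state(displayed_text)
    actual = complexity_state(exported_text)
    mismatch = shown != "enabled" and actual == "enabled"
    return {"displayed": shown, "exported": actual, "mismatch": mismatch}


if __name__ == "__main__":
    print(audit(NOT_DEFINED, EXPORTED))
```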


