Re: Security hierarchy

From: Steven L Umbach (n9rou@attbi.com)
Date: 04/14/03

    From: "Steven L Umbach" <n9rou@attbi.com>
    Date: Mon, 14 Apr 2003 03:46:49 GMT
    
    

         Hmm!? I tried it out on my test network today. Set domain policy to
    complex passwords enabled. New users had to have complex passwords. Then I
    set domain policy to be disabled, used secedit refresh and was able to add
    users with simple passwords again. Effective local policy reflected what was
    set at domain level. Look in event viewer for any clues of a problem. You
    might want to try to reset your local security policy. I would also suggest
    running dcdiag first on the domain controller to see what it reports while
    logged on as a domain administrator. It is located on cdrom in support/tools
    folder where you will need to run the setup program there. -- Steve

    http://www.jsiinc.com/SUBL/tip5500/rh5571.htm
    http://www.jsiinc.com/subf/tip2700/rh2740.htm

    "Peter K." <pmkdatabase@yahoo.ca> wrote in message
    news:o28k9v0ssler1nciu40djvg3a4hcoaj5k1@4ax.com...
    > Steven and Joe,
    >
    > I have tried all the suggestions plus a new top GPO at domain level
    > and other combos as well. I can't get rid of the requirement for a
    > complex password - I give up.
    >
    > BTW, I found a post by Svyatoslav Pidgorny stating that security
    > policies are domain level only
    > (http://groups.google.com/groups?hl=en&lr=lang_en&ie=UTF-8&oe=UTF-8&frame=right&th=56ae7e30dcc1f1f0&seekm=u30XBWvCCHA.2096%40tkmsftngp04#link4)
    > but tried all the combos with DC and local settings also.
    >
    > I also found this in the KB (279890) - kind of bizarre, as it refers
    > to an option that as far as I can see does not exist - "I will specify
    > user's password".
    >
    > Thanks a lot for the input - greatly appreciated.
    >
    > Peter
    >
    >
    > On Sun, 13 Apr 2003 19:29:06 GMT, "Steven L Umbach" <n9rou@attbi.com>
    > wrote:
    >
    > > Hi Peter. No I do not think your system is hosed. You said you set
    > >it to disabled at domain level. Try that at domain controller and local
    > >policy level also. What you are experiencing with that setting does not
    > >seem to be unusual since I have seen more than a few postings on the same
    > >subject. Try a Google advanced search for groups using password complexity
    > >as search string and *win2000* or *security* as newsgroups to search. Also
    > >see links as a possible solution/clue. Good luck. --- Steve
    > >
    > >http://support.microsoft.com/?kbid=226243
    > >http://support.microsoft.com/?kbid=161990
    > >
    > >"Peter K." <pmkdatabase@yahoo.ca> wrote in message
    > >news:bsqh9vkvl32jpiun4e3l4lsj1aapeod0bs@4ax.com...
    > >> Thank you - I hope you have time to have a look at my responses
    > >> inline.
    > >>
    > >> On Sat, 12 Apr 2003 15:03:09 GMT, "Steven L Umbach"
    > >> <sumbach@ameritech.net> wrote:
    > >>
    > >> > I assume you are trying to add a domain user. Account policy for domain
    > >>
    > >> Yes
    > >>
    > >> >can be configured only at domain level. If it is assigned at other levels it
    > >> >would only apply to local machine accounts if domain policy is overridden.
    > >>
    > >> Understood, but at domain level (and DC) it is not defined.
    > >>
    > >> >I have found that sometimes certain settings do not "show up" in a timely
    > >> >manner as you would think. Try running security configuration and analysis
    > >>
    > >> It has been > 12 hours or so since my post, and I have rebooted also.
    > >>
    > >> >snap in to see what it reports.
    > >>
    > >> Not Configured - PasswordComplexity
    > >>
    > >> >Another thing to try would be to change
    > >> >setting to disabled at domain level. These policies do not propagate
    > >>
    > >> Tried that.
    > >>
    > >> >immediately and need to be updated on dc first via a secedit refresh or
    > >> >reboot before doing same to domain member computer. It is also advisable to
    > >>
    > >> ran secedit and rebooted also.
    > >>
    > >> >try not to change domain and domain controller policy, but to add new
    > >> >policies for desired changes - that way it is easy to undo changes and go
    > >> >back to default by deleting custom policy.
    > >>
    > >> Good advice for next time!
    > >>
    > >> This is the big question: Are you saying that from the info I have
    > >> provided, that password complexity should not be enforced although it
    > >> is and therefore the system is somehow hosed? 'Cause if so, I will
    > >> stop wasting time on it but it is scary if it could get hosed so
    > >> easily.
    > >>
    > >> >Changes at local security policy
    > >> >can be restored to default, but it is best to document changes and do just a
    > >> >few at a time. -- Steve
    > >> >
    > >> >"Peter K." <pmkdatabase@yahoo.ca> wrote in message
    > >> >news:s4lf9v0mcbl10ab7fq3m0au9du2l7mujt8@4ax.com...
    > >> >> Hi,
    > >> >>
    > >> >> Maybe I have been working on this too long (studying for the 70-215
    > >> >> exam) - but I just cannot figure out what is going on. Help would be
    > >> >> appreciated. I should mention I have made a number of changes to the
    > >> >> security settings at various levels.
    > >> >>
    > >> >> Currently Domain and DC Security policy all display password
    > >> >> policies 'not defined'. The default GPO for the domain in Users and
    > >> >> Computers MMC also shows them as all not defined. Local settings show
    > >> >> password complexity requirement as disabled in Local Settings, and
    > >> >> Effectively as 'not defined'.
    > >> >>
    > >> >> I reboot the DC (the only one in the test domain).
    > >> >>
    > >> >> Yet password complexity is clearly in effect - I cannot add a user -
    > >> >> regardless of the group selected - unless the password meets
    > >> >> complexity requirements like so.123Ss11D. What am I missing??
    > >> >>
    > >> >> Thanks,
    > >> >>
    > >> >> Peter
    > >> >>
    > >> >>
    > >> >> Peter
    > >> >
    > >>
    > >>
    > >> Peter
    > >
    >
    >
    > Peter
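
The check both posters do by hand in this thread (what PasswordComplexity is before and after a policy refresh) can be run against security-template exports such as those written by `secedit /export /cfg`. This is an added example, not part of the thread; the function names are hypothetical and the two sample exports are constructed.

```python
import codecs

# Password-policy keys in the [System Access] section of a security template.
PASSWORD_KEYS = ("MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                 "PasswordComplexity", "PasswordHistorySize")


def parse_system_access(raw: bytes) -> dict:
    """Return {key: int} for the [System Access] section of an exported template."""
    # Exports are normally UTF-16 with a BOM; fall back to an 8-bit codec otherwise.
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    settings, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, _, value = line.partition("=")
            try:
                settings[key.strip()] = int(value.strip())
            except ValueError:
                pass  # quoted strings (e.g. account names) are not policy values
    return settings


def complexity_state(settings: dict) -> str:
    """Map PasswordComplexity to the wording the policy snap-ins use."""
    value = settings.get("PasswordComplexity")
    if value is None:
        return "Not Configured"
    return "Enabled" if value == 1 else "Disabled"


def changed_password_settings(before: dict, after: dict) -> dict:
    """Password-policy keys whose value differs between two exports."""
    return {k: (before.get(k), after.get(k)) for k in PASSWORD_KEYS
            if before.get(k) != after.get(k)}


# Constructed sample exports (not from the thread): before and after the refresh.
BEFORE = ("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n"
          "MinimumPasswordLength = 0\r\nPasswordComplexity = 1\r\n").encode("utf-16")
AFTER = b"[System Access]\r\nMinimumPasswordLength = 0\r\nPasswordComplexity = 0\r\n"

if __name__ == "__main__":
    b, a = parse_system_access(BEFORE), parse_system_access(AFTER)
    print(complexity_state(b), "->", complexity_state(a), changed_password_settings(b, a))
```

An export with no PasswordComplexity line reports "Not Configured", which is the state the Security Configuration and Analysis snap-in showed in the quoted reply.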

