Re: Backing out Complex passwords enabled in Domain Group policy.
From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 03/05/04
- Next message: TDM: "Re: Can I disable CD Burning in Win2k?"
- Previous message: TDM: "Re: FTP"
- In reply to: Herb Martin: "Re: Backing out Complex passwords enabled in Domain Group policy."
- Next in thread: Herb Martin: "Re: Backing out Complex passwords enabled in Domain Group policy."
- Reply: Herb Martin: "Re: Backing out Complex passwords enabled in Domain Group policy."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 05 Mar 2004 14:32:22 GMT
Hi Herb.
You bring up some excellent points. I gave the quick usual answer of first
thing to try. Of course if there is more than one GPO for the domain, then
any settings at the GPO highest in the list will take precedence and if
there is more than one they should dusable complexity on the top domain GPO
also which may not be obvious if someone is just trying Domain Security
Policy in administative tools.
Supposedly [and I might be wrong] it should not matter if it is configured
in Domain Controller Security Policy and my experience shows that, though it
would not hurt to disable it there also. However if a change is made to the
domain level and "block inheritance" is configured on the domain controller
container then password policy changes will not be implemented.
I also found that often the "effective" settings shown in Local Security
Policy even after a reboot can be incorrect and one way to tell what the
real effective settings are to run Security Configuration and Analysis
ool. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;269236
"Herb Martin" <news@LearnQuick.com> wrote in message
news:e8isoMnAEHA.2768@tk2msftngp13.phx.gbl...
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:v6P1c.179508$uV3.762298@attbi_s51...
> > Change complexity to disabled in the domain policy. Ten run secedit
> /refreshpolicy
> > machine_policy /enforce. Wait a couple of minutes and try again. ---
> Steve
> >
>
> I agree with you Steven but I have another thought about what
> MIGHT have been done, correct me if you disagree, this is only
> a supposition....
>
> IF he changed the Domain Controller Policy (and forgot that) or
> added another policy besides default (this is obviously true but I
> am trying to be complete) then he might be trying to "fix" it in only
> one of several places it is set.
>
> --
> Herb Martin
> >
> > "Tony Gec" <tony.gec@parliament.qld.gov.au> wrote in message
> > news:C26CC5B2-686B-4EC8-9C01-C9EE28D74BCF@microsoft.com...
> > > Hi,
> > >
> > > I'm currently testing the use of enabling complex passwords. It all
> works fine,
> > however I've been requested to test backing it out.
> > >
> > > Here's my problem.
> > >
> > > Although I have changed the Domain Group policy for complex passwords
> back to the
> > original setting (not defined). Every time I try to add a new user or
> have an
> > existing user change their password, the system insists on using complex
> passwords
> > instead of basic passwords. RSoP indicates that complex passwords have
> been turned
> > off.
> > >
> > > Is there anything else I need to do on the Domain Controller?
> > >
> > > Cheers,
> > >
> > > Tony Gec.
> >
> >
>
>
- Next message: TDM: "Re: Can I disable CD Burning in Win2k?"
- Previous message: TDM: "Re: FTP"
- In reply to: Herb Martin: "Re: Backing out Complex passwords enabled in Domain Group policy."
- Next in thread: Herb Martin: "Re: Backing out Complex passwords enabled in Domain Group policy."
- Reply: Herb Martin: "Re: Backing out Complex passwords enabled in Domain Group policy."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
