Re: Cant disable password complexity
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 11/26/04
- Previous message: aurelio: "Re: GPO - Password policy do not apply"
- In reply to: Will Smith: "Cant disable password complexity"
Date: Thu, 25 Nov 2004 22:47:21 -0500
Will Smith wrote:
> I have a slightly quirky problem. I have a pure Windows 2000 Domain
> with 2 domain controllers running Active Directory. Neither of the
> servers show any problems with AD replication, Group policy
> replication, Browser, DNS, Netlogon, Sysvol etc etc.. Nothing in any
> of the event logs apart from the standard "Ignore this issue it's not
> a problem" type errors e.g. event 10006 DCOM got error "Class not
> registered " from the computer XXXX when attempting to activate the
> server: {D99E6E73-FC88-11D0-B498-00A0C90312F3} OR event 36871 A fatal
> error occurred while creating an SSL server credential.
>
> DNS is happy; NTFRS is happy etc etc.... Basically no problems show
> up.
>
> The problem I have occurring is that all of a sudden the servers are
> requiring complex passwords e.g. if you change a password or create a
> new user account etc.
>
> I have used GPOTOOL to check that group policy replication is happy,
> which it is. I have looked at the default domain policy as well as
> the default domain controller policy and re-tried enabling and
> disabling all bits of the Password Policy section, in all variations
> (plus used secedit to apply the settings). The Domain policy is
> blocked from inheriting the default domain policy as it should be.
>
> However, if you look at the local security policy > password policy on
> either domain controller, it is always listed as NOT DEFINED.
>
> I have also attempted setting the local security policy, and that
> still has no effect.
>
> Basically, all sections of the group policy will make a change to the
> local security policy, BUT, it is not possible to set any of the
> settings in the Password Policy section. This applies to any changes
> you make in the Group Policy(s) at any level and also to the local
> security policy. FYI... there are only the 2 policies on the server!
> If you change any other section of a policy (domain, local, domain
> cont), it will replicate between the servers and it will apply that
> section of the policy to any area except the Password Policy, which
> won't change!
>
> I have re-applied the service pack, as a safety measure and this is
> on a live domain that has been working fine for 2 years now.... so
> how the change has come about, I am uncertain!
>
> This problem has only come to light as I had to create a new user,
> which I couldn't do without a complex password being set. However as
> I cannot find out what is really going on with the password policy, I
> can't tell how long it will now be before 300+ users are going to be
> asked to change their password, and you can imagine the chaos that
> will happen :-(
>
> As I have now spent 15 hours trying to resolve this, with all possible
> scenarios of applying a password policy (either disabling, enabling,
> not defining...Domain policy, Domain Controller policy, Local
> Security policy etc.etc..) has anyone any thoughts on this as I am
> completely baffled as to where to look next and unfortunately, my
> customer isn't going to accept that "I thought their network needed
> its security beefing up, so I turned on password complexity" (sadly,
> as that would be a great easy option).
>
> Another possibility would be if anyone knows exactly where to flick
> the switch to disable this... Is it in that DLL file in system32
> that controls password complexity.... or an encrypted registry
> key...or as unlikely as it may be, Active directory through ADSI
> edit???
>
> Any thoughts and suggestions would be more than welcome on this one!!
>
> Thanks
>
> Will Smith
Hi - I see you have replies, and a resolution, in another group. In the
future, please don't multipost - if you need to post to multiple groups,
it's best to crosspost instead, by posting a single message to a handful of
relevant groups (separate the NG names with commas) so that everyone can
follow the thread. This makes it easier for everyone, including you.