Re: GPO Password length not working

From: CB (CB_at_discussions.microsoft.com)
Date: 08/20/05

    Date: Fri, 19 Aug 2005 17:47:31 -0700
    
    

    OK, I'm obviously confused... I thought the way that the AD and domains vs.
    servers worked was that if there was a domain policy, it took precedence over
    the local system policy. I did the net accounts on the domain controllers and
    all of them reported back the local policy settings which are still set to
    defaults for a Windows 2000 Server. So is what you are saying that since
    there is a password length defined at the lower level of "local policy" that
    the later higher priority of domain policy setting it to a length of
    something different is ignored? That I need to set the local policy for each
    domain controller to be not defined for the settings I want controlled by the
    domain policy?

    "Steven L Umbach" wrote:

    > For "domain users" password account policy is set only at the domain level.
    > Usually this is Default Domain Policy but it can be any Group Policy linked
    > to the domain container if you have more than one. Keep in mind that if
    > there is more than one Group Policy at the domain level then the one at the
    > top of the list has highest priority as they are applied from bottom up.
    > Also if you have defined a password/account policy setting and later set it
    > to non defined the effective setting will not change.
    >
    > You need to make sure that "block inheritance" is not enabled for the domain
    > controller container before you make any password/account policy changes.
    > You can use the command net accounts on a domain controller to see the
    > current password policy and it should show the same on all domain
    > controllers. If problems continue run the support tools netdiag, dcdiag, and
    > gpotool on your domain controller to see if any problems are found such as
    > with dns or replication. --- Steve
    >
    >
    > "CB" <CB@discussions.microsoft.com> wrote in message
    > news:CD5F4B73-B4B9-44A4-A7C7-4093A4C07A32@microsoft.com...
    > > I have a mixed mode Windows 2000 and 2003 AD. There are four AD servers.
    > > There is one main server I always and only use ADUC on. We recently
    > > implemented a password policy for the company. Previously it was blank
    > > passwords or anything goes pretty much. Now, it is 2 passwords remembered,
    > > 90 days max age, 10 days min age and 6 char length. No complexity turned on.
    > >
    > > Originally I changed the domain controller policy. Then everyone got
    > > prompted to change passwords every 42 days. Realized that was the wrong
    > > policy to be setting, so I then changed the domain policy. Every 90 it is
    > > asking them to change. Problem is that they are allowed to set their
    > > password to any length including blank. If I do it as a test, and set the
    > > password to blank or 2 characters, then try and change it back to the
    > > original, it won't let me because of the 2 passwords remembered thing. But
    > > it will let me change it to something different, which it also shouldn't do
    > > because of the 10 day min age thing. So some of the policy is working, but
    > > the length and min age is being ignored. The length is the most important
    > > one to us. We are just trying to make sure that the passwords are at least
    > > 6 characters and change every 90 days.
    > >
    > > Anyone know why this is happening?
    >
    >
    >
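
The check suggested in the thread (run net accounts on every domain controller and confirm they all report the same policy) can be automated. This is an added example, not part of the original posts: it parses saved net accounts output per domain controller and reports every setting that differs from the values the original poster intended. The DC names and sample output are constructed, and English-language output labels are assumed.

```python
import re

# Intended domain password policy, taken from the values stated in the thread.
INTENDED = {
    "Minimum password age (days)": 10,
    "Maximum password age (days)": 90,
    "Minimum password length": 6,
    "Length of password history maintained": 2,
}
ZERO_WORDS = ("None", "Never", "Unlimited")  # textual forms of "not enforced"

# Constructed `net accounts` output (not captured from a real system).
# DC-A and DC-B are hypothetical domain controller names.
SAMPLE_OUTPUTS = {
    "DC-A": """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Computer role:                                        PRIMARY
""",
    "DC-B": """\
Minimum password age (days):                          10
Maximum password age (days):                          90
Minimum password length:                              6
Length of password history maintained:                2
Computer role:                                        BACKUP
""",
}

def parse_net_accounts(text):
    """Parse 'Name:   value' lines; None/Never/Unlimited are mapped to 0."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(\S+)\s*$", line)
        if m:
            name, raw = m.groups()
            settings[name] = int(raw) if raw.isdigit() else (0 if raw in ZERO_WORDS else raw)
    return settings

def policy_drift(outputs, intended=INTENDED):
    """Return {dc: {setting: (effective, intended)}} for every mismatch."""
    report = {}
    for dc, text in outputs.items():
        effective = parse_net_accounts(text)
        report[dc] = {k: (effective.get(k), v) for k, v in intended.items()
                      if effective.get(k) != v}
    return report
```

An empty dictionary for a domain controller means its effective policy matches; any entry lists the effective value first and the intended value second.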

