Re: GPO Password length not working

From: CB (
Date: 08/20/05

  • Next message: Steven L Umbach: "Re: GPO Password length not working"
    Date: Fri, 19 Aug 2005 17:47:31 -0700

    OK, I'm obviously confused... I thought the way that the AD and domains vs.
    servers worked was that if there was a domain policy, it took precedence over
    the local system policy. I did the net accounts on the domain controllers and
    all of them reported back the local policy settings which are still set to
    defaults for a Windows 2000 Server. So is what you are saying that since
    there is a password length defined at the lower level of "local policy" that
    the later higher priority of domain policy setting it to a length of
    something different is ignored? That I need to set the local policy for each
    domain controller to be not defined for the settings I want controlled by the
    domain policy?

    "Steven L Umbach" wrote:

    > For "domain users" password account policy is set only at the domain level.
    > Usually this is Default Domain Policy but it can be any Group Policy linked
    > to the domain container if you have more than one. Keep in mind that if
    > there is more than one Group Policy at the domain level then the one at the
    > top of the list has highest priority as they are applied from bottom up.
    > Also if you have defined a password/account policy setting and later set it
    > to non defined the effective setting will not change.
    > You need to make sure that "block inheritance" is not enabled for the domain
    > controller container before you make any password/account policy changes.
    > You can use the command net accounts on a domain controller to see the
    > current password policy and it should show the same on all domain
    > controllers. If problems continue run the support tools netdiag, dcdiag, and
    > gpotool on your domain controller to see if any problems are found such as
    > with DNS or replication. --- Steve
    > "CB" <> wrote in message
    > > I have a mixed mode Windows 2000 and 2003 AD. There are four AD servers.
    > > There is one main server I always and only use ADUC on. We recently
    > > implemented a password policy for the company. Previously it was blank
    > > passwords or anything goes pretty much. Now, it is 2 passwords remembered,
    > > 90 days max age, 10 days min age and 6 char length. No complexity turned on.
    > >
    > > Originally I changed the domain controller policy. Then everyone got
    > > prompted to change passwords every 42 days. Realized that was the wrong
    > > policy to be setting, so I then changed the domain policy. Every 90 it is
    > > asking them to change. Problem is that they are allowed to set their
    > > password to any length including blank. If I do it as a test, and set the
    > > password to blank or 2 characters, then try and change it back to the
    > > original, it won't let me because of the 2 passwords remembered thing. But
    > > it will let me change it to something different, which it also shouldn't do
    > > because of the 10 day min age thing. So some of the policy is working, but
    > > the length and min age is being ignored. The length is the most important
    > > one to us. We are just trying to make sure that the passwords are at least
    > > 6 characters and change every 90 days.
    > >
    > > Anyone know why this is happening?
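
The check suggested in the quoted reply (run net accounts on every domain controller and expect identical values) can be scripted. This is an added example, not part of the original thread: it parses captured `net accounts` output and reports settings that differ from the policy stated in the question. The host names DC1 and DC2 and the sample output are constructed.

```python
import re

# Intended domain policy, taken from the original question in the thread.
INTENDED = {
    "Minimum password age (days)": 10,
    "Maximum password age (days)": 90,
    "Minimum password length": 6,
    "Length of password history maintained": 2,
}

def parse_net_accounts(text):
    """Parse `net accounts` output into {label: int, or None if not numeric}."""
    values = {}
    for line in text.splitlines():
        # "label:" and its value are separated by a run of spaces.
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line.rstrip())
        if m:
            raw = m.group(2).strip()
            # "None", "Never" and "Unlimited" mean the setting is not enforced.
            values[m.group(1).strip()] = int(raw) if raw.isdigit() else None
    return values

def audit(outputs):
    """Return {dc: {label: (effective, intended)}} for settings that differ."""
    findings = {}
    for dc, text in outputs.items():
        got = parse_net_accounts(text)
        diff = {k: (got.get(k), want) for k, want in INTENDED.items()
                if got.get(k) != want}
        if diff:
            findings[dc] = diff
    return findings

# Constructed sample output; DC1 and DC2 are hypothetical host names.
SAMPLE = {
    "DC1": """Minimum password age (days):                          10
Maximum password age (days):                          90
Minimum password length:                              6
Length of password history maintained:                2
""",
    "DC2": """Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              0
Length of password history maintained:                2
""",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A domain controller that shows up in the result is one to examine with the netdiag, dcdiag and gpotool checks mentioned in the reply.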
