Re: GPO Password length not working
From: CB (CB_at_discussions.microsoft.com)
Date: Fri, 19 Aug 2005 17:47:31 -0700
OK, I'm obviously confused... I thought the way that the AD and domains vs.
servers worked was that if there was a domain policy, it took precedence over
the local system policy. I did the net accounts on the domain controllers and
all of them reported back the local policy settings which are still set to
defaults for a Windows 2000 Server. So is what you are saying that since
there is a passowrd length defined at the lower level of "local policy" that
the later higher priority of domain policy setting it to a length of
something differnt is ignored? That I need to set the local policy for each
domain controller to be not defined for the settings I want controlled by the
"Steven L Umbach" wrote:
> For "domain users" password account policy is set only at the domain level.
> Usually this is Default Domain Policy but it can be any Group Policy linked
> to the domain container if you have more than one. Keep in mind that if
> there is more than one Group Policy at the domain level then the one at the
> top of the list has highest priority as they are applied from bottom up.
> Also if you have define a password/account policy setting and later set it
> to non defined the effective setting will not change.
> You need to make sure that "block inheritance" is not enable for the domain
> controller container before you make any password/account policy changes.
> You can use the command net accounts on a domain controller to see the
> current passwords policy and it should show the same on all domain
> controllers. If problems continue run the support tools netdiag, dcdiag, and
> gpotool on your domain controller to see if any problems are founds such as
> with dns or replication. --- Steve
> "CB" <CB@discussions.microsoft.com> wrote in message
> >I have a mixed mode Windows 2000 and 2003 AD. There are four AD servers.
> > There is one main server I always and only use ADUC on. We recently
> > implemented a password policy for the company. Previous it was blank
> > passwords or anything goes pretty much. Now, it is 2 passwords remembered,
> > 90
> > days max age, 10 days min age and 6 char length. No complexity turned on.
> > originally I changed the domain controller policy. Then everyone got
> > prompted t change passwords every 42 days. Realized that was the wrong
> > policy
> > to be setting, so I then changed the domain policy. Every 90 it is asking
> > them to change. problem is that they are allowed to set their password to
> > any
> > length including blank. If I do it as a test, and set the password to
> > blank
> > or 2 characters, then try and change it back to the original, it won't let
> > me
> > because of the 2 passwords remembered thing. But it will let me change it
> > to
> > something different, which it also shouldn'tdo because of the 10 day min
> > age
> > thing. So some of the policy is working, but the length and min age is
> > being
> > ignored. The length is the most imprtant one to us. We are just trying to
> > make sure that the passwords are at least 6 characters and change every 90
> > days.
> > Anyone know why this is happening?