Re: GPO Password length not working

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/20/05


Date: Fri, 19 Aug 2005 20:19:52 -0500

What I said was -- " For "domain users" password account policy is set
only at the domain level" meaning that is where and only where it is defined
and it will be ignored for domain users at ANY other level - local, OU, or
domain controller container.

When you run net accounts on a domain controller it should reflect what is
configured for your domain password/account policy. If it is not what you
expect then you need to do a little digging as to why.

Since you have a Windows 2003 domain controller what I would do is to run
the Resultant Set of Policy mmc snapin in logging mode for the current
logged on user/computer and then go to computer configuration/Windows
settings/security settings/password policy to see what is shows which would
be the password policy for the domain and what the source GPO is. If the
password policy is not what you want then modify the settings in the source
GPO. If problems still persist I would run the tools I mentioned netdiag,
dcdiag, and gpotool to see if any problems are found including for
replication between domain controllers that could cause password policy to
appear wrong or inconsistent after it had been changed. --- Steve

"CB" <CB@discussions.microsoft.com> wrote in message
news:A1D657BB-E8EF-417E-8437-7C027E2086AE@microsoft.com...
> OK, I'm obviously confused... I thought the way that the AD and domains
> vs.
> servers worked was that if there was a domain policy, it took precedence
> over
> the local system policy. I did the net accounts on the domain controllers
> and
> all of them reported back the local policy settings which are still set to
> defaults for a Windows 2000 Server. So is what you are saying that since
> there is a passowrd length defined at the lower level of "local policy"
> that
> the later higher priority of domain policy setting it to a length of
> something differnt is ignored? That I need to set the local policy for
> each
> domain controller to be not defined for the settings I want controlled by
> the
> domain policy?
>
> "Steven L Umbach" wrote:
>
>> For "domain users" password account policy is set only at the domain
>> level.
>> Usually this is Default Domain Policy but it can be any Group Policy
>> linked
>> to the domain container if you have more than one. Keep in mind that if
>> there is more than one Group Policy at the domain level then the one at
>> the
>> top of the list has highest priority as they are applied from bottom up.
>> Also if you have define a password/account policy setting and later set
>> it
>> to non defined the effective setting will not change.
>>
>> You need to make sure that "block inheritance" is not enable for the
>> domain
>> controller container before you make any password/account policy changes.
>> You can use the command net accounts on a domain controller to see the
>> current passwords policy and it should show the same on all domain
>> controllers. If problems continue run the support tools netdiag, dcdiag,
>> and
>> gpotool on your domain controller to see if any problems are founds such
>> as
>> with dns or replication. --- Steve
>>
>>
>> "CB" <CB@discussions.microsoft.com> wrote in message
>> news:CD5F4B73-B4B9-44A4-A7C7-4093A4C07A32@microsoft.com...
>> >I have a mixed mode Windows 2000 and 2003 AD. There are four AD servers.
>> > There is one main server I always and only use ADUC on. We recently
>> > implemented a password policy for the company. Previous it was blank
>> > passwords or anything goes pretty much. Now, it is 2 passwords
>> > remembered,
>> > 90
>> > days max age, 10 days min age and 6 char length. No complexity turned
>> > on.
>> >
>> > originally I changed the domain controller policy. Then everyone got
>> > prompted t change passwords every 42 days. Realized that was the wrong
>> > policy
>> > to be setting, so I then changed the domain policy. Every 90 it is
>> > asking
>> > them to change. problem is that they are allowed to set their password
>> > to
>> > any
>> > length including blank. If I do it as a test, and set the password to
>> > blank
>> > or 2 characters, then try and change it back to the original, it won't
>> > let
>> > me
>> > because of the 2 passwords remembered thing. But it will let me change
>> > it
>> > to
>> > something different, which it also shouldn'tdo because of the 10 day
>> > min
>> > age
>> > thing. So some of the policy is working, but the length and min age is
>> > being
>> > ignored. The length is the most imprtant one to us. We are just trying
>> > to
>> > make sure that the passwords are at least 6 characters and change every
>> > 90
>> > days.
>> >
>> > Anyone know why this is happening?
>>
>>
>>