Re: GPO Password length not working

From: CB (CB_at_discussions.microsoft.com)
Date: 08/22/05


Date: Mon, 22 Aug 2005 08:49:03 -0700

Thank you for your help so far. I am learning a bunch here. But I am
confused about one thing. When I run the RSoP on the 2003 domain controller,
then look at the password policy items, they all say undefined and there is
no source GPO. It is in logging mode and I tried with and without the user
information. I then ran the GPOtool, dcdiag and netdiag and the only
interesting thing that became of that was netdiag gives me a "failed" on the
WINS service test: The server could not be queried.
Other than that, no errors. The GPOTool found two policies, the domain and
the domain controller policies on the same 2003 server.

This seems like something simple that I'm just not seeing. If the RSoP tool
is supposed to show me the resultant policy on the domain/machine, then why
wouldn't it show either of the policies found by the GPOTool? Both of those
policies, confirmed on all four domain controllers, have defined settings for
the password.

"Steven L Umbach" wrote:

> What I said was -- " For "domain users" password account policy is set
> only at the domain level" meaning that is where and only where it is defined
> and it will be ignored for domain users at ANY other level - local, OU, or
> domain controller container.
>
> When you run net accounts on a domain controller it should reflect what is
> configured for your domain password/account policy. If it is not what you
> expect then you need to do a little digging as to why.
>
> Since you have a Windows 2003 domain controller what I would do is to run
> the Resultant Set of Policy mmc snapin in logging mode for the current
> logged on user/computer and then go to computer configuration/Windows
> settings/security settings/password policy to see what it shows which would
> be the password policy for the domain and what the source GPO is. If the
> password policy is not what you want then modify the settings in the source
> GPO. If problems still persist I would run the tools I mentioned netdiag,
> dcdiag, and gpotool to see if any problems are found including for
> replication between domain controllers that could cause password policy to
> appear wrong or inconsistent after it had been changed. --- Steve
>
>
> "CB" <CB@discussions.microsoft.com> wrote in message
> news:A1D657BB-E8EF-417E-8437-7C027E2086AE@microsoft.com...
> > OK, I'm obviously confused... I thought the way that the AD and domains vs.
> > servers worked was that if there was a domain policy, it took precedence over
> > the local system policy. I did the net accounts on the domain controllers and
> > all of them reported back the local policy settings which are still set to
> > defaults for a Windows 2000 Server. So is what you are saying that since
> > there is a password length defined at the lower level of "local policy" that
> > the later higher priority of domain policy setting it to a length of
> > something different is ignored? That I need to set the local policy for each
> > domain controller to be not defined for the settings I want controlled by the
> > domain policy?
> >
> > "Steven L Umbach" wrote:
> >
> >> For "domain users" password account policy is set only at the domain level.
> >> Usually this is Default Domain Policy but it can be any Group Policy linked
> >> to the domain container if you have more than one. Keep in mind that if
> >> there is more than one Group Policy at the domain level then the one at the
> >> top of the list has highest priority as they are applied from bottom up.
> >> Also if you have defined a password/account policy setting and later set it
> >> to non defined the effective setting will not change.
> >>
> >> You need to make sure that "block inheritance" is not enabled for the domain
> >> controller container before you make any password/account policy changes.
> >> You can use the command net accounts on a domain controller to see the
> >> current password policy and it should show the same on all domain
> >> controllers. If problems continue run the support tools netdiag, dcdiag, and
> >> gpotool on your domain controller to see if any problems are found such as
> >> with dns or replication. --- Steve
> >>
> >>
> >> "CB" <CB@discussions.microsoft.com> wrote in message
> >> news:CD5F4B73-B4B9-44A4-A7C7-4093A4C07A32@microsoft.com...
> >> > I have a mixed mode Windows 2000 and 2003 AD. There are four AD servers.
> >> > There is one main server I always and only use ADUC on. We recently
> >> > implemented a password policy for the company. Previously it was blank
> >> > passwords or anything goes pretty much. Now, it is 2 passwords remembered, 90
> >> > days max age, 10 days min age and 6 char length. No complexity turned on.
> >> >
> >> > Originally I changed the domain controller policy. Then everyone got
> >> > prompted to change passwords every 42 days. Realized that was the wrong policy
> >> > to be setting, so I then changed the domain policy. Every 90 it is asking
> >> > them to change. Problem is that they are allowed to set their password to any
> >> > length including blank. If I do it as a test, and set the password to blank
> >> > or 2 characters, then try and change it back to the original, it won't let me
> >> > because of the 2 passwords remembered thing. But it will let me change it to
> >> > something different, which it also shouldn't do because of the 10 day min age
> >> > thing. So some of the policy is working, but the length and min age is being
> >> > ignored. The length is the most important one to us. We are just trying to
> >> > make sure that the passwords are at least 6 characters and change every 90
> >> > days.
> >> >
> >> > Anyone know why this is happening?
> >>
> >>
> >>
>
>
>
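
The cross-check suggested in the thread (net accounts should report the same, intended values on every domain controller), as an added PowerShell example that is not part of the original posts. The function names, the DC-A/DC-B labels and the sample output are constructed for illustration, and English-language net accounts output is assumed.

```powershell
# Policy the poster intended (values from the original question in this thread).
$Expected = [ordered]@{
    'Minimum password age (days)'           = 10
    'Maximum password age (days)'           = 90
    'Minimum password length'               = 6
    'Length of password history maintained' = 2
}
function ConvertFrom-NetAccounts {      # hypothetical helper: text -> label/value table
    param([string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<label>.+?):\s{2,}(?<value>\S.*)$') {
            # Copy the captures before the next -match overwrites $Matches.
            $label = $Matches['label']; $value = $Matches['value'].Trim()
            # Numbers become [int]; "None", "Never", "Unlimited" stay as text.
            if ($value -match '^\d+$') { $value = [int]$value }
            $table[$label] = $value
        }
    }
    $table
}
function Compare-PasswordPolicy {       # hypothetical helper: one row per expected setting
    param([string]$Server, [string[]]$Lines)
    $actual = ConvertFrom-NetAccounts -Lines $Lines
    foreach ($label in $Expected.Keys) {
        [pscustomobject]@{
            Server = $Server; Setting = $label
            Expected = $Expected[$label]; Actual = $actual[$label]
            Match = ($actual[$label] -eq $Expected[$label])
        }
    }
}
# Constructed sample output, not from the thread. On a real DC: $lines = net accounts
$samples = [ordered]@{
    'DC-A (constructed)' = @'
Minimum password age (days):                          10
Maximum password age (days):                          90
Minimum password length:                              6
Length of password history maintained:                2
'@
    'DC-B (constructed)' = @'
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
'@
}
$samples.GetEnumerator() | ForEach-Object {
    Compare-PasswordPolicy -Server $_.Key -Lines ($_.Value -split "\r?\n")
} | Format-Table -AutoSize
```

Any row with Match = False on one controller but not another points at the replication or policy-application problems the thread suggests checking with netdiag, dcdiag and gpotool.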


