Re: GPO Password length not working

From: CB (CB_at_discussions.microsoft.com)
Date: 08/25/05

    Date: Thu, 25 Aug 2005 07:53:04 -0700
    
    

    This gets weirder by the minute. OK, I was at another client and was asking
    my contact there about it and so we went into the RSoP and looked at their
    setup. We connected to a workstation and selected a user from the profiles, I
    guess that's what that list is from, and then looked at the password stuff
    and it showed the settings and where the GPO came from, just like it should.

    So then I tried that on this setup. I loaded the RSoP and selected a
    workstation this time, of the 10 I tried, it only let me connect to one
    without an error. All the others (all XP) gave me an 'RPC Server is
    unavailable' error and to make sure that WMI is running on the workstation.
    I checked and it is running. Anyway, on one it did work and I selected the
    user and all the password settings were "NOT DEFINED" and the GPO column was
    again blank.

    So I followed your instructions below and went to make sure the policies are
    where they should be and the groups are there. I use the group called
    'GPO-Applied' rather than Authenticated Users because some of the policies I
    don't want applied to all people. They are there and the group has read and
    Apply this policy rights. No group listed had deny. Then I went and opened
    the GptTmpl file you told me about on another DC from the 2003 DC and it
    opened just fine and I found the password settings and they are there. Just
    like they should be. Now I'm really confused.

    I also want to reiterate that there are some things in the policy that are
    working. Remember that if you change your password and then try and change it
    back to the one it was before, it won't let you. I have remember 2 passwords
    set and that part is working, even though all the RSoP settings state that
    all the settings are not defined.

    Should I follow that link you sent and reset the policy back to scratch and
    start over? Is my GptTmpl file corrupt or something? I'm at a loss. Even at
    the other client I mentioned in the beginning of this reply, they are using
    OU containers and have different policies based on container like you are
    supposed to be able to do but I have read in many places DO NOT work. It
    works for them. He's got all kinds of different policies working all over the
    tree. I can't even get the password length to work for one user. Arrrggghh!
    : )

    "Steven L Umbach" wrote:

    > Interesting. Double check the default domain Group Policy is linked to the
    > domain container and that the default domain controller Group Policy is
    > linked to the domain controller container and that your domain controllers
    > are in the domain controller container. Also verify the permissions for
    > those two Group Policies to make sure that authenticated users have read and
    > apply permissions and that there are no groups that have deny permissions
    > that may interfere with Group Policy implementation.
    >
    > I just ran RSOP on a Windows 2003 domain controller using the domain
    > controller as the computer to analyze and it shows all my password settings
    > as defined and from the default domain GPO. The error for wins in netdiag is
    > trivial [unless you are having wins problems] for your situation if
    > everything else looks good. See if you can access the sysvol share of a
    > domain controller from another domain controller in My Network Places and go
    > to the GptTmpl file to see if you can open it and if it shows any
    > password/account policy settings. The link below shows how to access the
    > GptTmpl file for the domain.
    >
    > http://support.microsoft.com/?kbid=226243
    >
    > Another thing I would try is to create a new Group Policy linked to the
    > domain container, place it at the top of the list, and configure
    > password/account policy settings to see if that works. --- Steve
    >
    > "CB" <CB@discussions.microsoft.com> wrote in message
    > news:6976CD25-A047-430C-8B59-4523E71585B0@microsoft.com...
    > > Thank you for your help so far. I am learning a bunch here. But I am
    > > confused about one thing. When I run the RSoP on the 2003 domain
    > > controller, then look at the password policy items, they all say
    > > undefined and there is no source GPO. It is in logging mode and I tried
    > > with and without the user information. I then ran the GPOtool, dcdiag
    > > and netdiag and the only interesting thing that became of that was
    > > netdiag gives me a "failed" on the WINS service test: The server could
    > > not be queried.
    > > Other than that, no errors. The GPOTool found two policies, the domain and
    > > the domain controller policies on the same 2003 server.
    > >
    > > This seems like something simple that I'm just not seeing. If the RSoP
    > > tool is supposed to show me the resultant policy on the domain/machine,
    > > then why wouldn't it show either of the policies found by the GPOTool?
    > > Both of those policies, confirmed on all four domain controllers, have
    > > defined settings for the password.
    > >
    > >
    > > "Steven L Umbach" wrote:
    > >
    > >> What I said was -- " For "domain users" password account policy is set
    > >> only at the domain level" meaning that is where and only where it is
    > >> defined and it will be ignored for domain users at ANY other level -
    > >> local, OU, or domain controller container.
    > >>
    > >> When you run net accounts on a domain controller it should reflect what
    > >> is configured for your domain password/account policy. If it is not what
    > >> you expect then you need to do a little digging as to why.
    > >>
    > >> Since you have a Windows 2003 domain controller what I would do is to run
    > >> the Resultant Set of Policy mmc snapin in logging mode for the current
    > >> logged on user/computer and then go to computer configuration/Windows
    > >> settings/security settings/password policy to see what it shows which
    > >> would be the password policy for the domain and what the source GPO is.
    > >> If the password policy is not what you want then modify the settings in
    > >> the source GPO. If problems still persist I would run the tools I
    > >> mentioned netdiag, dcdiag, and gpotool to see if any problems are found
    > >> including for replication between domain controllers that could cause
    > >> password policy to appear wrong or inconsistent after it had been
    > >> changed. --- Steve
    > >>
    > >>
    > >> "CB" <CB@discussions.microsoft.com> wrote in message
    > >> news:A1D657BB-E8EF-417E-8437-7C027E2086AE@microsoft.com...
    > >> > OK, I'm obviously confused... I thought the way that the AD and domains
    > >> > vs. servers worked was that if there was a domain policy, it took
    > >> > precedence over the local system policy. I did the net accounts on the
    > >> > domain controllers and all of them reported back the local policy
    > >> > settings which are still set to defaults for a Windows 2000 Server. So
    > >> > is what you are saying that since there is a password length defined at
    > >> > the lower level of "local policy" that the later higher priority of
    > >> > domain policy setting it to a length of something different is ignored?
    > >> > That I need to set the local policy for each domain controller to be
    > >> > not defined for the settings I want controlled by the domain policy?
    > >> >
    > >> > "Steven L Umbach" wrote:
    > >> >
    > >> >> For "domain users" password account policy is set only at the domain
    > >> >> level. Usually this is Default Domain Policy but it can be any Group
    > >> >> Policy linked to the domain container if you have more than one. Keep
    > >> >> in mind that if there is more than one Group Policy at the domain
    > >> >> level then the one at the top of the list has highest priority as they
    > >> >> are applied from bottom up. Also if you have defined a
    > >> >> password/account policy setting and later set it to non defined the
    > >> >> effective setting will not change.
    > >> >>
    > >> >> You need to make sure that "block inheritance" is not enabled for the
    > >> >> domain controller container before you make any password/account
    > >> >> policy changes. You can use the command net accounts on a domain
    > >> >> controller to see the current passwords policy and it should show the
    > >> >> same on all domain controllers. If problems continue run the support
    > >> >> tools netdiag, dcdiag, and gpotool on your domain controller to see if
    > >> >> any problems are found such as with dns or replication. --- Steve
    > >> >>
    > >> >>
    > >> >> "CB" <CB@discussions.microsoft.com> wrote in message
    > >> >> news:CD5F4B73-B4B9-44A4-A7C7-4093A4C07A32@microsoft.com...
    > >> >> > I have a mixed mode Windows 2000 and 2003 AD. There are four AD
    > >> >> > servers. There is one main server I always and only use ADUC on. We
    > >> >> > recently implemented a password policy for the company. Previously it
    > >> >> > was blank passwords or anything goes pretty much. Now, it is 2
    > >> >> > passwords remembered, 90 days max age, 10 days min age and 6 char
    > >> >> > length. No complexity turned on.
    > >> >> >
    > >> >> > Originally I changed the domain controller policy. Then everyone got
    > >> >> > prompted to change passwords every 42 days. Realized that was the
    > >> >> > wrong policy to be setting, so I then changed the domain policy. Every
    > >> >> > 90 it is asking them to change. Problem is that they are allowed to
    > >> >> > set their password to any length including blank. If I do it as a
    > >> >> > test, and set the password to blank or 2 characters, then try and
    > >> >> > change it back to the original, it won't let me because of the 2
    > >> >> > passwords remembered thing. But it will let me change it to something
    > >> >> > different, which it also shouldn't do because of the 10 day min age
    > >> >> > thing. So some of the policy is working, but the length and min age is
    > >> >> > being ignored. The length is the most important one to us. We are just
    > >> >> > trying to make sure that the passwords are at least 6 characters and
    > >> >> > change every 90 days.
    > >> >> >
    > >> >> > Anyone know why this is happening?
    > >> >>
    > >> >>
    > >> >>
    > >>
    > >>
    > >>
    >
    >
    >
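
The check suggested in this thread (open the GptTmpl file from each domain controller's SYSVOL and confirm the password settings are present and identical), as an added example that is not part of the original posts. It assumes the caller has already read and decoded each copy to text; the DC names and file contents below are constructed, and the expected values are the ones stated in the first post.

```python
# Intended values from the thread's first post: 2 remembered, 90/10 days, 6 chars.
INTENDED = {"PasswordHistorySize": 2, "MaximumPasswordAge": 90, "MinimumPasswordAge": 10,
            "MinimumPasswordLength": 6, "PasswordComplexity": 0}

def read_system_access(inf_text):
    """Return the numeric [System Access] settings of a GptTmpl.inf as a dict."""
    settings, section = {}, None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if value.lstrip("-").isdigit():  # skip string-valued keys
                settings[key] = int(value)
    return settings

def audit(copies, intended=INTENDED):
    """copies maps a DC name to the text of its SYSVOL GptTmpl.inf copy."""
    parsed = {dc: read_system_access(text) for dc, text in copies.items()}
    findings = []
    for dc, got in sorted(parsed.items()):
        for key, want in intended.items():
            if key not in got:
                findings.append(f"{dc}: {key} not defined")
            elif got[key] != want:
                findings.append(f"{dc}: {key}={got[key]}, expected {want}")
    for key in intended:  # copies that disagree point at replication trouble
        if len({got.get(key) for got in parsed.values()}) > 1:
            findings.append(f"{key} differs between domain controllers")
    return findings

# Constructed sample contents (hypothetical DC1/DC2), not taken from the thread.
DC1_TEXT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 10
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 2
[Version]
Revision=1
"""
DC2_TEXT = (DC1_TEXT.replace("MinimumPasswordLength = 6", "MinimumPasswordLength = 0")
            .replace("MinimumPasswordAge = 10\n", ""))

if __name__ == "__main__":
    print("\n".join(audit({"DC1": DC1_TEXT, "DC2": DC2_TEXT})))
```

The same findings can be cross-checked against what `net accounts` reports on each domain controller, which the thread says should match on all of them.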

