Re: GPO Password length not working

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/25/05


Date: Thu, 25 Aug 2005 13:32:26 -0500

The errors running RSOP in logging mode on the XP Pro computers could be
because the computer is not turned on and/or the built-in Windows firewall
is enabled without the exception for file and print sharing, but I don't
think that is your core problem.

You certainly can use different Group Policies for different OUs for users
and computers; however, for "domain users" password/account policy can be
configured at the domain level. If it is defined at the OU level then it
will apply only to "local" user accounts on the domain computer in the OU
where it is defined. Try creating a test OU with a new GP linked to it with
default permissions. Configure some settings for both user and computer
configuration in that GP. Place a test computer and user in that OU. Reboot
the computer in that OU, logon as the test user and use the support tool
gpresult to see if the new GP shows as being applied. That will help
determine if you have a deeper problem related to Group Policy in your
domain or just with the domain GP and password policy.

Have you run netdiag on a couple of domain workstations, and do they all
report no problems? Does the command net accounts show the same password
settings on all the domain controllers?

You mention that you are using Group Policy filtering by using groups other
than authenticated users. Keep in mind that password/account policy is
"computer configuration" and that domain controllers need the read and apply
permission for the domain GP, which by default would be through membership in
the authenticated users group. I would also try creating a new GP for the domain
container, place it at the top of the list, leave permissions at the default
setting, configure the password settings you want for domain users, and
refresh the GP on the dc or wait at least five minutes to see if that works.
I tend to doubt that your domain GP is corrupt unless events in the system
or application logs would indicate such. Also make sure that you have proper
share and ntfs permissions on the sysvol share, comparing to other domain
controllers in the domain that are not having GP problems, but they should have
at least system/administrators full control for ntfs and administrators full
and authenticated users read for the share. --- Steve

"CB" <CB@discussions.microsoft.com> wrote in message
news:C825AF05-F587-4D94-AA49-BBD053186950@microsoft.com...
> This gets weirder by the minute. OK, I was at another client and was asking
> my contact there about it and so we went into the RSoP and looked at their
> setup. We connected to a workstation and selected a user from the profiles, I
> guess that's what that list is from, and then looked at the password stuff
> and it showed the settings and where the GPO came from, just like it should.
>
> So then I tried that on this setup. I loaded the RSoP and selected a
> workstation this time; of the 10 I tried, it only let me connect to one
> without an error. All the others (all XP) gave me an 'RPC Server is
> unavailable' error and to make sure that WMI is running on the workstation.
> I checked and it is running. Anyway, on one it did work and I selected the
> user and all the password settings were "NOT DEFINED" and the GPO column was
> again blank.
>
> So I followed your instructions below and went to make sure the policies are
> where they should be and the groups are there. I use the group called
> 'GPO-Applied' rather than Authenticated Users because some of the policies I
> don't want applied to all people. They are there and the group has read and
> Apply this policy rights. No group listed had deny. Then I went and opened
> the GptTmpl file you told me about on another DC from the 2003 DC and it
> opened just fine and I found the password settings and they are there. Just
> like they should be. Now I'm really confused.
>
> I also want to reiterate that there are some things in the policy that are
> working. Remember that if you change your password and then try and change it
> back to the one it was before, it won't let you. I have remember 2 passwords
> set and that part is working, even though all the RSoP settings state that
> all the settings are not defined.
>
> Should I follow that link you sent and reset the policy back to scratch and
> start over? Is my GptTmpl file corrupt or something? I'm at a loss. Even at
> the other client I mentioned in the beginning of this reply, they are using
> OU containers and have different policies based on container like you are
> supposed to be able to do but I have read in many places DO NOT work. It
> works for them. He's got all kinds of different policies working all over the
> tree. I can't even get the password length to work for one user. Arrrggghh!
> : )
>
> "Steven L Umbach" wrote:
>
>> Interesting. Double check the default domain Group Policy is linked to the
>> domain container and that the default domain controller Group Policy is
>> linked to the domain controller container and that your domain controllers
>> are in the domain controller container. Also verify the permissions for
>> those two Group Policies to make sure that authenticated users have read and
>> apply permissions and that there are no groups that have deny permissions
>> that may interfere with Group Policy implementation.
>>
>> I just ran RSOP on a Windows 2003 domain controller using the domain
>> controller as the computer to analyze and it shows all my password settings
>> as defined and from the default domain GPO. The error for wins in netdiag is
>> trivial [unless you are having wins problems] for your situation if
>> everything else looks good. See if you can access the sysvol share of a
>> domain controller from another domain controller in My Network Places and go
>> to the GptTmpl file to see if you can open it and if it shows any
>> password/account policy settings. The link below shows how to access the
>> GptTmpl file for the domain.
>>
>> http://support.microsoft.com/?kbid=226243
>>
>> Another thing I would try is to create a new Group Policy linked to the
>> domain container, place it at the top of the list, and configure
>> password/account policy settings to see if that works. --- Steve
>>
>> "CB" <CB@discussions.microsoft.com> wrote in message
>> news:6976CD25-A047-430C-8B59-4523E71585B0@microsoft.com...
>> > Thank you for your help so far. I am learning a bunch here. But I am
>> > confused about one thing. When I run the RSoP on the 2003 domain
>> > controller, then look at the password policy items, they all say undefined
>> > and there is no source GPO. It is in logging mode and I tried with and
>> > without the user information. I then ran the GPOtool, dcdiag and netdiag
>> > and the only interesting thing that became of that was netdiag gives me a
>> > "failed" on the WINS service test: The server could not be queried.
>> > Other than that, no errors. The GPOTool found two policies, the domain and
>> > the domain controller policies on the same 2003 server.
>> >
>> > This seems like something simple that I'm just not seeing. If the RSoP
>> > tool is supposed to show me the resultant policy on the domain/machine,
>> > then why wouldn't it show either of the policies found by the GPOTool?
>> > Both of those policies, confirmed on all four domain controllers, have
>> > defined settings for the password.
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> What I said was -- " For "domain users" password account policy is set
>> >> only at the domain level" meaning that is where and only where it is
>> >> defined and it will be ignored for domain users at ANY other level -
>> >> local, OU, or domain controller container.
>> >>
>> >> When you run net accounts on a domain controller it should reflect what
>> >> is configured for your domain password/account policy. If it is not what
>> >> you expect then you need to do a little digging as to why.
>> >>
>> >> Since you have a Windows 2003 domain controller what I would do is to run
>> >> the Resultant Set of Policy mmc snapin in logging mode for the current
>> >> logged on user/computer and then go to computer configuration/Windows
>> >> settings/security settings/password policy to see what it shows, which
>> >> would be the password policy for the domain and what the source GPO is.
>> >> If the password policy is not what you want then modify the settings in
>> >> the source GPO. If problems still persist I would run the tools I
>> >> mentioned, netdiag, dcdiag, and gpotool, to see if any problems are found
>> >> including for replication between domain controllers that could cause
>> >> password policy to appear wrong or inconsistent after it had been
>> >> changed. --- Steve
>> >>
>> >>
>> >> "CB" <CB@discussions.microsoft.com> wrote in message
>> >> news:A1D657BB-E8EF-417E-8437-7C027E2086AE@microsoft.com...
>> >> > OK, I'm obviously confused... I thought the way that the AD and
>> >> > domains vs. servers worked was that if there was a domain policy, it
>> >> > took precedence over the local system policy. I did the net accounts
>> >> > on the domain controllers and all of them reported back the local
>> >> > policy settings which are still set to defaults for a Windows 2000
>> >> > Server. So is what you are saying that since there is a password
>> >> > length defined at the lower level of "local policy" that the later
>> >> > higher priority of domain policy setting it to a length of something
>> >> > different is ignored? That I need to set the local policy for each
>> >> > domain controller to be not defined for the settings I want controlled
>> >> > by the domain policy?
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> For "domain users" password account policy is set only at the domain
>> >> >> level. Usually this is Default Domain Policy but it can be any Group
>> >> >> Policy linked to the domain container if you have more than one. Keep
>> >> >> in mind that if there is more than one Group Policy at the domain
>> >> >> level then the one at the top of the list has highest priority as they
>> >> >> are applied from bottom up. Also if you have defined a password/account
>> >> >> policy setting and later set it to not defined the effective setting
>> >> >> will not change.
>> >> >>
>> >> >> You need to make sure that "block inheritance" is not enabled for the
>> >> >> domain controller container before you make any password/account
>> >> >> policy changes. You can use the command net accounts on a domain
>> >> >> controller to see the current password policy and it should show the
>> >> >> same on all domain controllers. If problems continue run the support
>> >> >> tools netdiag, dcdiag, and gpotool on your domain controller to see if
>> >> >> any problems are found such as with dns or replication. --- Steve
>> >> >>
>> >> >>
>> >> >> "CB" <CB@discussions.microsoft.com> wrote in message
>> >> >> news:CD5F4B73-B4B9-44A4-A7C7-4093A4C07A32@microsoft.com...
>> >> >> > I have a mixed mode Windows 2000 and 2003 AD. There are four AD
>> >> >> > servers. There is one main server I always and only use ADUC on. We
>> >> >> > recently implemented a password policy for the company. Previously
>> >> >> > it was blank passwords or anything goes pretty much. Now, it is 2
>> >> >> > passwords remembered, 90 days max age, 10 days min age and 6 char
>> >> >> > length. No complexity turned on.
>> >> >> >
>> >> >> > Originally I changed the domain controller policy. Then everyone got
>> >> >> > prompted to change passwords every 42 days. Realized that was the
>> >> >> > wrong policy to be setting, so I then changed the domain policy.
>> >> >> > Every 90 it is asking them to change. Problem is that they are
>> >> >> > allowed to set their password to any length including blank. If I
>> >> >> > do it as a test, and set the password to blank or 2 characters, then
>> >> >> > try and change it back to the original, it won't let me because of
>> >> >> > the 2 passwords remembered thing. But it will let me change it to
>> >> >> > something different, which it also shouldn't do because of the 10
>> >> >> > day min age thing. So some of the policy is working, but the length
>> >> >> > and min age is being ignored. The length is the most important one
>> >> >> > to us. We are just trying to make sure that the passwords are at
>> >> >> > least 6 characters and change every 90 days.
>> >> >> >
>> >> >> > Anyone know why this is happening?
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
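The thread's diagnostic boils down to comparing what the domain GPO's GptTmpl.inf in SYSVOL says with what `net accounts` reports on each domain controller. Added here as an illustration (not code from the thread or from any Microsoft tool): a small Python script that parses the [System Access] section of a GptTmpl.inf and the output of `net accounts`, then lists the password settings that disagree. Both inputs are constructed samples: the GPO carries the poster's intended policy (6 characters, 10/90 days, 2 remembered) while the DC still reports the Windows 2000 defaults for length and minimum age.

```python
import re

# Constructed excerpt of a Default Domain Policy GptTmpl.inf (real file: SYSVOL\...\SecEdit).
GPTTMPL_SAMPLE = """[System Access]
MinimumPasswordAge = 10
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 2
[Version]
signature="$CHICAGO$"
"""

# Constructed `net accounts` output from a DC still reporting Windows 2000 defaults.
NET_ACCOUNTS_SAMPLE = """Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              0
Length of password history maintained:                2
Lockout threshold:                                    Never
"""

# GptTmpl.inf key -> the label `net accounts` prints for the same setting.
KEY_TO_LABEL = {
    "MinimumPasswordAge": "Minimum password age (days)",
    "MaximumPasswordAge": "Maximum password age (days)",
    "MinimumPasswordLength": "Minimum password length",
    "PasswordHistorySize": "Length of password history maintained",
}

def parse_gpttmpl(text):
    """Return the [System Access] keys of a GptTmpl.inf; numeric values as int, others as str."""
    settings, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[System Access]"  # ignore [Version], [Unicode], etc.
        elif in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key] = int(value) if value.lstrip("-").isdigit() else value
    return settings

def parse_net_accounts(text):
    """Return {label: int}; non-numeric values such as 'Never' count as 0."""
    pairs = re.findall(r"^(.+?):\s+(\S+)$", text, re.M)
    return {k: int(v) if v.lstrip("-").isdigit() else 0 for k, v in pairs}

def find_mismatches(gpttmpl_text, net_accounts_text):
    """List (setting, GPO value, live value) for each setting where the two differ."""
    gpo, live = parse_gpttmpl(gpttmpl_text), parse_net_accounts(net_accounts_text)
    return [(k, gpo[k], live[lbl]) for k, lbl in KEY_TO_LABEL.items()
            if k in gpo and lbl in live and gpo[k] != live[lbl]]
```

A real GptTmpl.inf is UTF-16 encoded, so read it with `encoding="utf-16"` before passing its text in; running the comparison against each DC's `net accounts` output shows which controllers have not picked up the domain policy.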


