Re: GPO - password policy - Urgent



When you enable password complexity it only applies to the next password
change and should not interfere with a user's ability to log on with a
password that does not meet complexity requirements, so something else is
going on. Set password complexity to "disabled" - NOT undefined in Domain
Security Policy. Run gpupdate on the domain controller and then try to
create a new user account and give it a simple password to see if you can do
it or not. That would let you know if password complexity is still enforced
or not. You can also use the MMC snap-in for Resultant Set of Policy [again
assuming Windows 2003] in logging mode on the domain controller to see what
it shows for password policy including complexity and what GPO is enforcing
it in the "source GPO" column.

Also I would make sure that your DNS is correctly configured in the domain
or you will have problems with domain controller replication, Group Policy,
and user logon from W2000/2003/XP Pro computers. See the link below to
verify that your DNS is correctly configured in the domain, with the biggest
problems being that domain controllers are not pointing only to themselves
via their static IP address and/or other domain controllers running DNS with
their domain zone, that domain controllers are multihomed or RRAS servers
also, or domain client computers are not pointing to only domain controllers
as their preferred DNS servers as shown via ipconfig /all. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD
DNS FAQ

"Fernando Mantovani" <femantovani@xxxxxxxxxxxx> wrote in message
news:%23IV3Q$CKGHA.916@xxxxxxxxxxxxxxxxxxxxxxx
Steve, another question... In the real situation, I let the enterprise
admin account with a non-secure password like "pass" and the default
domain policy asking all users with a complex password, like
"Password2006"

With the enterprise admin account I log on 98 machines, and with other
users I can't log.

So, I decided to disable pass complexity in default domain policy, but I
do this, and effectively it doesn't change. I did this a hundred times, and
I did this now in my test lab, and it works! But in the enterprise that
I'm installing the new domain it doesn't change...

This is so easy..... =(

Do you have any idea?

Tks

Fernando


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:utCQKECKGHA.668@xxxxxxxxxxxxxxxxxxxxxxx
That is curious that you are having a problem with Windows 98 since I
would think Windows 98 would work with any password up to 14 characters
but I don't have a Windows 98 computer handy to try out such. I know that
if you disable storage of LM hashes you can have problems with Windows 98
computers if you also enforced that recently, which is done via a
security option for Windows 2003 domain controllers in either Local
Security Policy [secpol.msc] or Domain Controller Security Policy or a
registry entry for Windows 2000 domain controllers. You may also have
problems if you configure the LAN Manager authentication level security
option to be too secure for domain controllers, such as "use NTLMv2 only,
refuse LM" or "refuse LM and NTLM", when using Windows 98 computers in the
domain. To disable password complexity you set it to disabled in Domain
Security Policy or whatever domain level GPO is applying password
policy. The link below explains some of the problems you can have with
downlevel clients such as Windows 98 with certain security option
settings. So what I would do is to check the LAN Manager authentication
level for domain controllers and make sure storage of LM hashes is not
disabled to see if that helps or not and check the KB article for other
possible incompatibilities, and I really doubt it is related to password
complexity if the minimum password length is 7 characters and the user is
not trying to use a password over 14 characters. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656 ---
info on disabling lm hash
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869 --- lan
manager authentication level

"Fernando Mantovani" <femantovani@xxxxxxxxxxxx> wrote in message
news:eSWTKaBKGHA.312@xxxxxxxxxxxxxxxxxxxxxxx
I'm really desperate!!!

I have installed a new domain, with XP and 98 workstations. Everything
works fine!

So, I changed the password policy to enable complexity with a minimum of 7
characters. Only after this I saw that 98 can't use password complexity, it
only accepts with dsclient.exe and a dword in the registry to force NTLMv2
authentication (I tried this too, but with this setting, I can't log on even
with the enterprise admin (that has temporarily a simple password)).

So, my problem is that I changed the default domain policy to disable
password complexity but I can't change to a simple password in any users of
my domain.

Is there a way to reset to "default" the default domain policy and the
default controller domain policy?

Does anyone have any ideas??

Tks!
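
The checks Steve describes (is complexity really disabled rather than undefined, and are the LM hash and LAN Manager authentication level options set in a way that affects Windows 98 clients) can be read from a security template in the INF layout that `secedit /export /cfg` writes. The script below is an added example, not part of the original posts; the sample template, the function names and the issue wording are constructed for illustration.

```python
# Added example: audit a security template (the INF layout of `secedit /export /cfg`)
# for the settings named in this thread. SAMPLE_INF is constructed, not real output.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""
LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"

def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def as_int(value):
    """Convert 'n' or registry 'type,n' to int; None means the setting is undefined."""
    return None if value is None else int(value.split(",")[-1])

def audit(text):
    """Return (settings, issues) for the values the thread ties to Windows 98 logons."""
    inf = parse_inf(text)
    access, reg = inf.get("system access", {}), inf.get("registry values", {})
    settings = {
        "complexity": as_int(access.get("passwordcomplexity")),
        "min_length": as_int(access.get("minimumpasswordlength")),
        "lm_level": as_int(reg.get(LSA + "lmcompatibilitylevel")),
        "no_lm_hash": as_int(reg.get(LSA + "nolmhash")),
    }
    issues = []
    if settings["complexity"] is None:
        issues.append("PasswordComplexity undefined: set it to disabled, not undefined")
    if (settings["lm_level"] or 0) >= 4:
        issues.append("LmCompatibilityLevel >= 4: the DC refuses LM authentication")
    if settings["no_lm_hash"] == 1:
        issues.append("NoLMHash = 1: LM hashes are not stored")
    return settings, issues
```

A file exported on a real domain controller is UTF-16 encoded, so read it with that encoding before passing the text to `audit`.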







