We are running a native 2003 domain. (Test lab and production) I have a GPO to change the minimum password length from the default of 7 to 15 characters.
As you may know, to accomplish this I needed to change the minPwdLength setting using ADSIEDIT. As soon as I changed that to 15 (Default is 14) we get 1202 and 1058 errors on the workstations in both the lab and production environments.
1202 - SceCli - Security policies were propagated with warning. 0x57 : The parameter is incorrect.
1085 - Userenv - The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.
All workstations are XP SP2 and the servers are 2003 SP2. (Latest updates and patches as well.) Test lab is 100% clean. (Brand new domain.)
If I change it back to 14, the errors go away. This is easily reproducible in the test lab. Any thoughts on what I need to do to the workstations to eliminate the errors?
Ok, you need to stay out of ADSIEdit for this. Changing attributes directly like this is not recommended.
Find the GUID associated with your domain policy.
1. Drill down into %systemroot%\SYSVOL\domain\policies\{GUID of Default Domain Policy}\MACHINE\Microsoft\Windows NT\SecEdit
2. Open GptTmpl.inf with Notepad - be sure not to associate Notepad permanently!!!!
3. Change the value of MinimumPasswordLength to 15. Save it.
4. Increment the value for the version number in GPT.ini in the folder %systemroot%\SYSVOL\domain\policies\{GUID of Default Domain Policy} by, say, 5 to ensure no collisions. Save it.
5. Allow the policies to refresh or run gpupdate /force.
The issue is more than simply collisions. If you make that change in the Schema directly, then the above-mentioned files (basically your Default Domain Policy) are no longer in agreement with the settings.
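As an added example (not code from any poster in this thread), the sketch below checks a copy of GptTmpl.inf and GPT.ini offline before the policy is allowed to replicate. The function names and the sample file body are constructed for illustration, and the upper limit of 14 is an assumption taken from the thread's observation that 14 applies cleanly while 15 produces the 0x57 warning.

```python
import configparser

# Assumption taken from the thread: 14 applies cleanly, 15 fails with 0x57.
MAX_MIN_PWD_LEN = 14

# Constructed sample of a GptTmpl.inf body (not copied from a real domain).
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 15
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

def decode_inf(raw: bytes) -> str:
    """GptTmpl.inf is usually UTF-16 with a BOM; fall back to UTF-8/ASCII."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return cp

def check_min_length(inf_text: str) -> list:
    """Return findings for the MinimumPasswordLength setting."""
    cp = _parse(inf_text)
    if not cp.has_option("System Access", "MinimumPasswordLength"):
        return ["MinimumPasswordLength is not defined in [System Access]"]
    raw = cp.get("System Access", "MinimumPasswordLength").strip()
    if not raw.isdigit():
        return [f"MinimumPasswordLength is not a number: {raw!r}"]
    if int(raw) > MAX_MIN_PWD_LEN:
        return [f"MinimumPasswordLength={raw} exceeds {MAX_MIN_PWD_LEN}; "
                "expect event 1202 / 0x57 on clients"]
    return []

def split_gpt_version(gpt_ini_text: str) -> tuple:
    """GPT.ini Version packs user version (high 16 bits) and machine version (low 16)."""
    version = int(_parse(gpt_ini_text).get("General", "Version"))
    return version >> 16, version & 0xFFFF

if __name__ == "__main__":
    print(check_min_length(decode_inf(SAMPLE_INF.encode("utf-16"))))
    print(split_gpt_version("[General]\nVersion=65541\n"))
```

Because the machine version lives in the low 16 bits, adding 5 to the Version value in GPT.ini raises only the machine half, which is the half that governs the security settings edited here.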
I have made the changes as recommended above, replicated and tested. The workstation is still displaying the 1202 and 1058 error messages as soon as I make the change and run GPUDATE. If I back out of the changes, the error goes away.
I tried a few different combinations of changing on one server or the other and replicating etc. Still no luck. GPT.INI was incremented accordingly and replicated as expected.
The values in GptTmpl.inf and ADSIEDIT do not match, however. The value in ADSIEDIT stays the same when I change the GptTmpl.inf value. Currently the value is at 14. (That may be a red herring though.) If I make the password length 15 in either location, either separately or together, the errors still occur. Currently the minPwdLength is set to 8.
Security policies were propagated with warning. 0x57 : The parameter is incorrect.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
The ForceLogoffWhenHourExpire message "Configure account force logoff information." is a normal message and not an error. The error is really the password setting.
Error 87: The parameter is incorrect. Error configuring password information.
Theoretically, you should be able to increase the minimum via the method I posted earlier. It seems, however, that your setup isn't happy with this. I haven't got anything here ready to test this or I'd gladly do so.
Maybe you need to rebuild secedit.sdb. If it's corrupt, it can be tested with esentutl /g %windir%\security\database\secedit.sdb. Try to rename %windir%\security\database\secedit.sdb, or repair it with esentutl /p, and reboot to recreate the secedit.sdb.
My thought was that trying to change to a value that normally isn't supported could maybe be treated as a corrupt/inconsistent value compared to the definition of the database. Other errors with eventid=1202 can be solved this way, so it's worth a try.
I do believe that this change is supported by MS. I ran an integrity check which came back as being OK. I then ran a repair for giggles; it too completed successfully. The errors are still occurring. Any new thoughts?