Cerf

No Password account in a Windows Server 2003 domain

Hello Friends!
I Need to have an account that requires no password under a Windows Server 2003 domain. This can be done in Windows 2000 Server but I have not been able to accomplish it under WS 2003. It keeps asking for "ABC-123" passwords even when I set it to NO Password. It seems to work locally and in workgroups but not in domains.

Thanks in advance,

Carlos Eduardo.
stevenlewis

check the password policy, and disable it
ASKER CERTIFIED SOLUTION
stevenlewis

bbao

as Steven mentioned, it is due to your password policy, but the key is password complexity, DISABLE it at Start | Programs | Administrative Tools | Local Security Policy | Security Settings | Account Policies | Password Policy | Password must meet complexity requirements

Password must meet complexity requirements
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/504.asp

hope it helps,
bbao
The others are correct, Win2K3 ships with the password complexity policy enforced by default as opposed to Win2K which required the user to manually enable it.  Password policy is enforced at the domain level, so you'll have to disable the policy for the entire domain that this account is in.  
For security reasons, the best thing to do would be to create an OU for no-password accounts, and then create and apply a GPO to that OU that disables complex password requirements.  This way, you can keep the rest of your domain secure, and just users in the no-password OU will be allowed to have a blank password.  You can also lock these users down separately from the rest of the users to assure your security goals are met.
agree with sunstoned.

Cerf, are you here with us? I suggest you try disabling the Password Complexity policy at first, confirm if it is workable and suitable in your scenario, then try sunstoned's comment to make the things professional. :)
Cerf

ASKER

I am so sorry. I have not been able to try the solutions yet. Yes I am here! but my internet access is a little bit limited. Thanks everyone for the help. I will get back on the 7th.
Cerf

ASKER

OU: Does that mean object user? I am a Spanish speaker and some acronyms I can't figure out. :-(
GPO: Group Policy Object ?
Thanks
Cerf, here are the definitions. In fact you may get them from Windows help, just click Start | Help. (I am sure you can read Spanish versions of them) :)

OU = Organizational Unit: An Active Directory container object used within domains. Organizational units are logical containers into which you can place users, groups, computers, and other organizational units. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which you can apply a Group Policy or delegate authority.

GPO = Group Policy Objects: A collection of group policy settings. Group policy objects are essentially the documents created by the Group Policy snap-in, a Windows 2000 utility. Group Policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units. In addition, each Windows 2000 computer has exactly one group of settings stored locally, called the local Group Policy object. See also Group Policy; object; policy.
Sunstoned, please read my post above yours.  Password policy can not be defined at the OU level if there is a domain policy already enforced.  Domain password policy overrides any lower level settings, setting this type of policy on an OU will have no effect.  

Disabling all password policy at the domain level (and replacing "enpasfilt.dll" that enforces the complexity on all DCs), then applying a policy to a particular OU will work since OU password policy can override local policy, but weakening the security of the entire domain to accommodate one account isn't a good idea.

The only real solution is to create either a sub-domain or a second domain in your forest for these accounts and changing the password policy for that domain.  I know that sounds like a lot of trouble, and it is, but this is a hold-over from the NT4 days.
"Sunstoned, please read my post above yours.  Password policy can not be defined at the OU level if there is a domain policy already enforced.  Domain password policy overrides any lower level settings, setting this type of policy on an OU will have no effect.  "

Can't one create an OU that blocks GPO inheritance from the domain, then create a GPO for no-password-complexity at the OU level and choose the "no override" option to enforce the policy to just that OU?

Also, you raised a good point...  if the blank-password user(s) will only be using one or two workstations, can you just have the user(s) log on locally?
No, unfortunately password policy isn't handled the same as everything else GPO related.  Password policy is actually defined on the DC, whatever the setting is on the DC(domain level) will be the one enforced.  Password policy defined at lower levels is ignored.  

Local user accounts would be preferable, I'd never recommend lowering the domain security level to accommodate the lowest common denominator.  There is always another way to do it.  
Cerf

ASKER

Thanks everyone for the help. It worked out. I am now going back to work.
I learned a lot from this!
Thanks again

Cërf.
Glad we could help!!
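
The precedence rule discussed in this thread, as an added example that is not part of the original posts: an audit helper that reads the `[System Access]` section of a `secedit /export` policy file and reports whether a blank password would be accepted for a domain account versus a local account on a computer in the OU. The two policy files are constructed samples, the function names are hypothetical, and the model assumes the Windows Server 2003 behaviour the posters describe (OU-linked password settings reach only local accounts).

```python
import configparser

# Constructed sample in the INF layout written by
# `secedit /export /cfg policy.inf /areas SECURITYPOLICY` (values made up).
DOMAIN_POLICY_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
"""

# Constructed sample: a GPO linked to the "no-password" OU.
OU_GPO_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
"""

def password_settings(inf_text):
    """Extract the two settings that decide whether a blank password passes."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the key names' case as exported
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    return {
        "min_length": int(section.get("MinimumPasswordLength", 0)),
        "complexity": section.get("PasswordComplexity", "0").strip() == "1",
    }

def effective_for(account_scope, domain_inf, ou_inf):
    """account_scope: 'domain' for AD accounts (domain-level policy applies),
    'local' for SAM accounts on member computers inside the OU."""
    source = ou_inf if account_scope == "local" else domain_inf
    return password_settings(source)

def blank_password_allowed(settings):
    # A blank password needs both: no minimum length and complexity disabled.
    return settings["min_length"] == 0 and not settings["complexity"]

if __name__ == "__main__":
    for scope in ("domain", "local"):
        eff = effective_for(scope, DOMAIN_POLICY_INF, OU_GPO_INF)
        print(scope, eff, "blank allowed:", blank_password_allowed(eff))
```

Real `secedit` exports are usually written as UTF-16, so decode the file with that encoding before passing its text to `password_settings`.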