Solved

Unable to change password due to complexity requirement restrictions.

Posted on 2005-03-29
Last Modified: 2009-07-29
We have a Server 2003 environment with XP Pro clients.  We have a group policy that has the following settings:

Enforce password history:  3 passwords remembered
Max password age:  90 days
Min password age:  0 days  (used to be 30 days briefly)
Min password length:  8 characters
Password must meet complexity requirements:  Enabled

We ran gpupdate /force on the workstations and it still will not let us change the passwords until 30 days are up.
We ran RSOP on these machines and it shows no 30 day requirement.  What can we do?
Question by:gbisker
LVL 85

Expert Comment

by:oBdA
ID: 13652602
It won't help you at all to run gpupdate or RSOP on the *client* machines.
The password policy affects only DCs, as the accounts are domain accounts (that's the reason you can only have one password policy per domain, btw).
So run the gpupdate on the DCs, and check if the policy is applied on them.
0
 

Expert Comment

by:jamie177
ID: 13652619
Is your RSOP current?  Make sure, at the top of the report, that "Date Collected on:" is the current date, not the date of an old query.  You can right click in the right pane of RSOP and run the query again.

Did the workstation reboot?  Computer policy is applied when the system starts, not with a logon-logoff.

Regards,

Jamie
0
 

Author Comment

by:gbisker
ID: 13665006
We have applied the same settings to the domain controller policy and have updated all servers and workstations.  Even users who do not inherit policies are affected by the "30 day" setting and are unable to change their passwords.  Where else can we look?
0
LVL 85

Accepted Solution

by:
oBdA earned 1000 total points
ID: 13665546
Run the RSOP against the DCs and check where the setting comes from.
Again: "Even users who do not inherit policies are affected by the "30 day" setting and are unable to change their passwords" This has nothing at all to do with user policies. Nothing. The password policy is a machine policy, and it needs to be applied (only) to the DCs, because that's where the accounts are.
0
 

Author Comment

by:gbisker
ID: 13672392
I will detail my situation again since the responses do not pertain to the situation.

We have a Server 2003 environment with XP Pro clients.  We have a group policy (only applied to XP workstation OU) that has the following settings:

Enforce password history:  3 passwords remembered
Max password age:  90 days
Min password age:  0 days  (used to be 30 days briefly)
Min password length:  8 characters
Password must meet complexity requirements:  Enabled

We ran gpupdate /force on the workstations and it still will not let us change the passwords until 30 days are up
We ran RSOP on these machines and it shows no 30 day requirement.

Our domain controllers have no applied policy whatsoever and a RSOP shows all settings as undefined.  Where is the 30-day setting coming from?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 13673483
Well, then let me detail the response again:
You can apply account policies to XP workstations and run gpupdate on them until you're blue in the face, and the policies still won't apply to any domain user.
Account policies are (as can easily be seen: you define them in the Computer Configuration tree) a "Per Machine" setting. The settings defined there apply to the accounts that reside on the machines.
Now, where are domain accounts stored? Exactly. Not on the workstations, but on the domain controllers.
For a quick check, open the *local* security policy on a DC (Programs\Management\Local Security Policy, or start secpol.msc from the run menu). Check the password policy there; the account policy settings there are probably disabled.
To find out where the setting is coming from, use either the GPMC (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx) and run the group policy results wizard, or (if you don't want to use the GPMC for GP management) simply open a command window (on the DC) and enter
gpresult /scope computer /v >gpresult.txt
which will create a file "gpresult.txt" in the current folder. Look there to see where the account policies are applied from.
Again: it doesn't matter at all what you do on the workstations. Account policies affect *DCs* only, as far as domain accounts are concerned.
That is, unless you're using *local* accounts on the workstations. In that case, an account policy that's applied to a machine will affect the *local* user accounts on this machine.
0
 

Author Comment

by:gbisker
ID: 13727670
Once again, this information is not pertinent to the question I asked.  We've already done all of that and as I stated, we ran an RSOP that detailed no policies defined.  No matter, the problem is solved!


I answered it myself by running "net accounts" from the command line.  This showed a minimum password age of 30 days which is now reset to zero.
0
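
An added example, not part of the thread and not any poster's code: a PowerShell check that parses "net accounts" output, the command that exposed the lingering 30-day minimum age, and compares it with the intended values from the question. The sample output is constructed, and the English label strings are an assumption (the command's output is localized).

```powershell
# Intended values, taken from the policy listed in the question.
$Intended = [ordered]@{
    'Minimum password age (days)'           = '0'
    'Maximum password age (days)'           = '90'
    'Minimum password length'               = '8'
    'Length of password history maintained' = '3'
}

# Constructed sample of English 'net accounts' output showing the stale
# 30-day minimum age. For live data use:  $Lines = net accounts /domain
$Lines = @(
    'Force user logoff how long after time expires?:       Never'
    'Minimum password age (days):                          30'
    'Maximum password age (days):                          90'
    'Minimum password length:                              8'
    'Length of password history maintained:                3'
    'Lockout threshold:                                    Never'
    'Computer role:                                        PRIMARY'
    'The command completed successfully.'
)

function ConvertFrom-NetAccounts {
    param([string[]]$Text)
    $parsed = @{}
    foreach ($line in $Text) {
        # "label: value" pairs; the status line has no colon and is skipped.
        if ($line -match '^(?<name>.+?):\s+(?<value>\S.*)$') {
            $parsed[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    return $parsed
}

$Effective = ConvertFrom-NetAccounts -Text $Lines

# Report every setting whose effective value differs from the intended one.
# A label missing from the output shows up with an empty Effective column.
# Password complexity is not reported by 'net accounts', so it is not checked.
$Drift = foreach ($name in $Intended.Keys) {
    if ($Effective[$name] -ne $Intended[$name]) {
        [pscustomobject]@{
            Setting   = $name
            Intended  = $Intended[$name]
            Effective = $Effective[$name]
        }
    }
}

if ($Drift) { $Drift | Format-Table -AutoSize } else { 'Effective account policy matches the intended values.' }
```

With the constructed sample, the only row reported is the minimum password age: intended 0, effective 30.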
