Unable to change password due to complexity requirement restrictions.

We have a Server 2003 enviornament with XP Pro clients.  We have a group policy that has the following settings:

Enforce password history:  3 passwords remembered
Max password age:  90 days
Min password age:  0 days  (used to be 30 days briefly)
Min password length:  8 characters
Password must meet complexity requirements:  Enabled

We ran gpupdate /force on the workstations and it still will not let us change the passwords until 30 days are up
We ran RSOP on these machines and it shows no 30 day requirement.  What can we do?
gbiskerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

oBdACommented:
It won't help you anything to run gpupdate or RSOP on the *client* machines.
The password policy affects only DCs, as the accounts are domain accounts (that's the reason you can only have one password policy per domain, btw).
So run the gpupdate on the DCs, and check if the policy is applied on them.
0
jamie177Commented:
Is your RSOP currerent?  Make sure, at the top of the report, that "Date Collected on:" is the current date, not the date of an old query.  You can right click in the right pane of RSOP and run the query again.

Did the workstaion reboot?  Computer policy is applied when the system starts, not with a logon-logoff.

Regards,

Jamie
0
gbiskerAuthor Commented:
We have applied the same settings to the domain controller policy and have updated all servers and workstations.  Even users who do not inherit policies are affected by the "30 day" setting and are unable to change their passwords.  Where else can we look?
0
Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

oBdACommented:
Run the RSOP against the DCs and check where the setting comes from.
Again: "Even users who do not inherit policies are affected by the "30 day" setting and are unable to change their passwords" This has nothing at all to do with user policies. Nothing. The password policy is a machine policy, and it needs to be applied (only) to the DCs, because that's where the accounts are.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gbiskerAuthor Commented:
I will detail my situation again since the responses do not pertain to the situation.

We have a Server 2003 enviornament with XP Pro clients.  We have a group policy (only applied to XP workstation OU) that has the following settings:

Enforce password history:  3 passwords remembered
Max password age:  90 days
Min password age:  0 days  (used to be 30 days briefly)
Min password length:  8 characters
Password must meet complexity requirements:  Enabled

We ran gpupdate /force on the workstations and it still will not let us change the passwords until 30 days are up
We ran RSOP on these machines and it shows no 30 day requirement.

Our domain controllers have no applied policy whatsoever and a RSOP shows all settings as undefined.  Where is the 30-day setting coming from?
0
oBdACommented:
Well, then let me detail the respone again:
You can apply account policies to XP workstations and run gpupdate on them until you're blue in the face, and the policies still won't apply to any domain user.
Account policies are (as can easily be seen: you define them in the Computer Configuration tree) a "Per Machine" setting. The settings defined there apply to the accounts that reside on the machines.
Now, where are domain accounts stored? Exactly. Not on the workstations, but on the domain controllers.
For a quick check, open the *local* security policy on a DC (Programs\Management\Local Security Policy, or start secpol.msc from the run menu). Check the password policy there; the account policy settings there are probably disabled.
To find out where the setting is coming from, use either the GPMC (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx) and run the group policy results wizard, or (if you don't want to use the GPMC for GP management) simply open a command window (on the DC) and enter
gpresult /scope computer /v >gpresult.txt
which will create a file "gpresult.txt" in the current folder. Look there from where the account policies are applied.
Again: it doesn't matter at all what you do on the workstations. Account policies affect *DCs* only, as far domain accounts are concerned.
That is, unless you're using *local* accounts on the workstations. In that case, an account policy that's applied to a machine will affect the *local* user accounts on this machine.
0
gbiskerAuthor Commented:
Once again, this information is not pertainent to the question I asked.  We've already done all of that and as I stated, we ran an RSOP that detailed no policies defined.  No matter, the problem is solved!


I answered it myself by running "net accounts" from the command line.  This showed a minimum password age of 30 days which is now reset to zero.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.