Unable to change password due to complexity requirement restrictions.

We have a Server 2003 environment with XP Pro clients.  We have a group policy that has the following settings:

Enforce password history:  3 passwords remembered
Max password age:  90 days
Min password age:  0 days  (used to be 30 days briefly)
Min password length:  8 characters
Password must meet complexity requirements:  Enabled

We ran gpupdate /force on the workstations and it still will not let us change the passwords until 30 days are up
We ran RSOP on these machines and it shows no 30 day requirement.  What can we do?
Asked by: gbisker

oBdA Commented:
It won't help you anything to run gpupdate or RSOP on the *client* machines.
The password policy affects only DCs, as the accounts are domain accounts (that's the reason you can only have one password policy per domain, btw).
So run the gpupdate on the DCs, and check if the policy is applied on them.

jamie177 Commented:
Is your RSOP current?  Make sure, at the top of the report, that "Date Collected on:" is the current date, not the date of an old query.  You can right click in the right pane of RSOP and run the query again.

Did the workstation reboot?  Computer policy is applied when the system starts, not with a logon-logoff.

Regards,

Jamie

gbisker (Author) Commented:
We have applied the same settings to the domain controller policy and have updated all servers and workstations.  Even users who do not inherit policies are affected by the "30 day" setting and are unable to change their passwords.  Where else can we look?

oBdA Commented:
Run the RSOP against the DCs and check where the setting comes from.
Again: "Even users who do not inherit policies are affected by the "30 day" setting and are unable to change their passwords" This has nothing at all to do with user policies. Nothing. The password policy is a machine policy, and it needs to be applied (only) to the DCs, because that's where the accounts are.

gbisker (Author) Commented:
I will detail my situation again since the responses do not pertain to the situation.

We have a Server 2003 environment with XP Pro clients.  We have a group policy (only applied to XP workstation OU) that has the following settings:

Enforce password history:  3 passwords remembered
Max password age:  90 days
Min password age:  0 days  (used to be 30 days briefly)
Min password length:  8 characters
Password must meet complexity requirements:  Enabled

We ran gpupdate /force on the workstations and it still will not let us change the passwords until 30 days are up
We ran RSOP on these machines and it shows no 30 day requirement.

Our domain controllers have no applied policy whatsoever and a RSOP shows all settings as undefined.  Where is the 30-day setting coming from?

oBdA Commented:
Well, then let me detail the response again:
You can apply account policies to XP workstations and run gpupdate on them until you're blue in the face, and the policies still won't apply to any domain user.
Account policies are (as can easily be seen: you define them in the Computer Configuration tree) a "Per Machine" setting. The settings defined there apply to the accounts that reside on the machines.
Now, where are domain accounts stored? Exactly. Not on the workstations, but on the domain controllers.
For a quick check, open the *local* security policy on a DC (Programs\Management\Local Security Policy, or start secpol.msc from the run menu). Check the password policy there; the account policy settings there are probably disabled.
To find out where the setting is coming from, use either the GPMC (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx) and run the group policy results wizard, or (if you don't want to use the GPMC for GP management) simply open a command window (on the DC) and enter
gpresult /scope computer /v >gpresult.txt
which will create a file "gpresult.txt" in the current folder. Look there to see where the account policies are applied from.
Again: it doesn't matter at all what you do on the workstations. Account policies affect *DCs* only, as far as domain accounts are concerned.
That is, unless you're using *local* accounts on the workstations. In that case, an account policy that's applied to a machine will affect the *local* user accounts on this machine.

gbisker (Author) Commented:
Once again, this information is not pertinent to the question I asked.  We've already done all of that and as I stated, we ran an RSOP that detailed no policies defined.  No matter, the problem is solved!


I answered it myself by running "net accounts" from the command line.  This showed a minimum password age of 30 days which is now reset to zero.
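
Added example (not part of the thread and not any poster's code): a Python check that parses "net accounts" output and compares the effective values with the policy values listed in the question, which is the comparison that exposed the 30-day minimum age here. The sample output is constructed, and the names parse_net_accounts and find_drift are hypothetical.

```python
import re

# Intended values, taken from the policy listed in the question.
# "net accounts" does not report the complexity setting, so it is not checked.
INTENDED = {
    "Minimum password age (days)": 0,
    "Maximum password age (days)": 90,
    "Minimum password length": 8,
    "Length of password history maintained": 3,
}

# Constructed sample of "net accounts" output (not captured from a real system).
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          30
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                3
Lockout threshold:                                    Never
Computer role:                                        PRIMARY
The command completed successfully.
"""

# "label:   value" lines; the label ends at the colon followed by padding.
LINE = re.compile(r"^(.+?):\s{2,}(\S.*?)\s*$")


def parse_net_accounts(text):
    """Return {label: value}; numeric values become int, others stay text."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            label, value = m.groups()
            settings[label] = int(value) if value.isdigit() else value
    return settings


def find_drift(effective, intended=INTENDED):
    """List (label, intended, effective) for every value that differs.
    A label missing from the output is reported with effective=None."""
    return [(label, want, effective.get(label))
            for label, want in intended.items()
            if effective.get(label) != want]


if __name__ == "__main__":
    for label, want, got in find_drift(parse_net_accounts(SAMPLE_OUTPUT)):
        print(f"MISMATCH {label}: intended {want}, effective {got}")
```

On a live system, pass the text captured from "net accounts" to parse_net_accounts in place of the constructed sample.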