• Status: Solved
  • Priority: Medium
  • Security: Public

Complexity requirements are being enforced, even though I disabled them.

Hello,
I created a GPO at the Domain Level that enforced Password Complexity Requirements.  Subsequently, when users were required to change their passwords, the GPO was applied.  The users kept getting an error message stating that the password did not meet the complexity requirements, EVEN THOUGH THE PASSWORD DID MEET THE COMPLEXITY REQUIREMENTS.  I eventually removed the GPO because this was causing much frustration for both me and the users.

But users are STILL being provided the same error message, with the GPO removed.

I checked the only existing GPOs, which are the Default Domain Policy and the Default Domain Controllers Policy, but the Complexity Requirements have been disabled on both policies.

To take it one step further, some users are being told that their password is not at least 8 characters long, even though it is!!!

There are no Local Policies that Block Inheritance, etc.

Please help.
Asked by: cliffordgormley
1 Solution
 
Lazarus Commented:
Have you forced the client machines to accept the new policies?

Using the command line to refresh policies

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer.  To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy       (refreshes the user policies)
secedit /refreshpolicy machine_policy    (refreshes the machine (or computer) policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh.  To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer.  It has replaced the secedit command.  To use gpupdate, open a command prompt and type:

gpupdate /target:user       (refreshes the user policies)
gpupdate /target:machine    (refreshes the machine (or computer) policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh.  To force a reload of all group policies regardless of the last change, use:

gpupdate /force

 
cliffordgormley (Author) Commented:
Hello,
Thanks, but that does not answer my question.  The OS is acting like the policy is in place, which I removed.  On top of that, the OS is telling me that my users are not entering passwords that are at least 8 characters long, when they are!
Thanks.
 
Lazarus Commented:
What I stated can be exactly the problem. When you apply a group policy it does not instantly get placed on every computer, and some can get stuck completely. Even if you remove it, it can sometimes not be passed along.
I'll assume that you set your password complexity in this section:

Computer Configuration
    Software Settings
        Software installation
    Windows Settings
        Scripts (Startup/Shutdown)
        Security Settings
            Account Policies
                Password Policy
                    Enforce password history
                    Maximum password age
                    Minimum password age
                    Minimum password length
                    Passwords must meet complexity requirements
                    Store password using reversible encryption for all users in the domain

is that correct?
Be careful of overriding policies as well. Without knowing how many Policies you have, I'm only guessing here.
 
cliffordgormley (Author) Commented:
Hello,
Yes, that is where I created the policy.  I applied secedit /refreshpolicy machine_policy on my W2K machine and still had the policy forced on me.  And even if I wanted it enforced, the error msg said that I was not meeting the complexity requirements, even though I was.
The main problem is why the OS is telling me that I am not meeting the Complexity Requirements, even though I was.  The fact that the policy is even effective on the users' computers is another issue, but I consider that secondary.

I have no other policies in effect.
 
Lazarus Commented:
Could you paste what you now have in your settings on the above configuration?
 
Netman66 Commented:
Be careful here....

Account policies come from the Default Domain Policy and cannot be disabled.  What I see as the issue is you have 2 conflicting policies at the Domain level - the Default policy will always apply and cannot be blocked.

Remove this element from the GPO you created by disabling it.  Set all Account Policies within the Default Domain Policy only, to avoid issues such as this.

Please advise.
 
cliffordgormley (Author) Commented:
Here are my settings on my Default Domain Policy.  I have no other policies in effect; no Site, Domain, or OU level policies.  No Block Inheritance, no No Override anywhere.  Just one simple Default Domain Policy (and the Default Domain Controllers policy, which was never touched)

I initially created a separate Domain Level GPO in which I applied Complex Passwords, then I removed it because the Windows Error Message on the users' computers was telling users that the password they were entering did not meet the Complexity Requirements, EVEN THOUGH IT WAS.  After deleting that Domain level GPO, I am still getting the Error Message as though the policy is being enforced, even though I only have the settings that are pasted below.

Windows Settings / Security Settings / Account Policies / Password Policy

Policy                                          Setting
Enforce password history                        10 passwords remembered
Maximum password age                            150 days
Minimum password age                            30 days
Minimum password length                         8 characters
Password must meet complexity requirements      Disabled
Store passwords using reversible encryption     Disabled

Thanks
 
Netman66 Commented:
Ok, you deleted the second policy - however, did you disable the complexity requirement before you deleted it?

If you can remember the settings you had on the deleted GPO you should try to recreate it, enable it, allow it to propagate, then disable it.  Give it time to reset then simply unlink it for a period of time to allow the clients to stop using it.

My instinct tells me you had a longer password length requirement on the old GPO that is still present in the registry on the client machines.  Until you set another one with equal or greater length and allow it to apply before disabling it, you will still get these error messages.

Let me know.
 
cliffordgormley (Author) Commented:
Hello Netman66,
No, I did not disable the complexity requirement before I deleted it.  Should I have???

I cannot remember the settings I had on it.  Is there a way I can check the client machines for the current old-GPO-applies settings?

How long do you wait for it to apply?  90 minutes is what I think I've seen.

Is it normal to have to disable it before deleting it??  I guess so if I think about it.....just deleting it will not remove it from the client machines' Registries like you said; the client machine has to get the new settings during the next update.  

One more question, netman66...what is the diff. between /refreshpolicy and /enforce?

Thanks,
Cliff
 
Netman66 Commented:
You might find it here on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

or here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Since I haven't set any of this, I can't be certain it's that easy.  You might be able to use Regmon from here: <http://www.sysinternals.com/ntw2k/source/regmon.shtml>  to monitor the registry for changes.  Change your Default Domain Policy to a password length of 1 more than you have and see what changes after a forced policy update.

To answer your other question, /refreshpolicy and /enforce are the same switch - /refreshpolicy is for SECEDIT on Windows 2000 and /enforce is for GPUPDATE on Windows XP/2003.

 
cliffordgormley (Author) Commented:
Hello,
I created a NEW Domain Level policy, in addition to the Default Domain Policy.  The NEW Domain policy has precedence over the Default Domain Policy.  This NEW policy only enforces a Minimum Password Length of 9 characters (1 more than was in the deleted policy).  I ran a gpupdate on a Domain XP computer, and applied the policy to that laptop.  I selected Change Password, and entered a password of 9 characters.  I got an Error Message stating that my password must be at least 9 characters, WHICH IT WAS!!  So 1) my new policy is effective, but 2) the passwords are not being accepted EVEN THOUGH THEY MEET THE POLICY REQUIREMENTS!!  Could passwords be getting corrupted after entry?  Who checks the passwords?...I would think it would logically be the Domain Controllers.

This really looks like a bug to me.
 
Netman66 Commented:
Interesting...Thanks for testing this issue the way you did.  Now it will be easier to try to pinpoint this.

Let's start with some basic information so I can get the whole picture.

1)  How many DCs do you have?
2)  What OSes are those DCs running?
3)  Are these DCs connected by high-speed links or are some of them remote?
4)  Are all the FSMO roles accounted for and do the role-holders respond to ping requests (are they up and live)?

Let me know.
 
cliffordgormley (Author) Commented:
Hello,
1. 2 DCs
2. 2003 Server
3. High-speed LAN
4. Yes, all FSMOs are on first DC.  All respond to ping requests.
Thanks!
 
Netman66 Commented:
Set the "Minimum Password Age" to 0 (zero).  Reboot a PC and try again.

I'm still looking into this.

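To make the failure mode discussed in this thread concrete, here is an added Python model (not from the thread, not Windows code) of the domain's password-change decision: it applies the policy exactly as pasted above, including the 30-day minimum age, and implements the documented Windows complexity rule, which the thread does not spell out. The point it shows is that a change refused for minimum age or history is reported to the client with the same generic restriction message that recites every rule, so the user reads "must be at least 8 characters" even though length was never the problem. The user record and candidate passwords are constructed sample data.

```python
import re

# Password policy exactly as pasted in the thread (Default Domain Policy).
POLICY = {"history": 10, "max_age_days": 150, "min_age_days": 30,
          "min_length": 8, "complexity": False}

# Wording of the Windows client's generic password-restriction message: it
# recites the whole policy no matter which single rule actually failed.
GENERIC_MSG = ("Your password must be at least {min_length} characters; cannot "
               "repeat any of your previous {history} passwords; must be at "
               "least {min_age_days} days old; must contain capitals, numbers "
               "or symbols.")

def meets_complexity(password, sam_account, full_name):
    """Documented Windows 'must meet complexity requirements' rule."""
    p = password.lower()
    # Must not contain the account name or any 3+ character token of the full name.
    if len(sam_account) >= 3 and sam_account.lower() in p:
        return False
    for token in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(token) >= 3 and token.lower() in p:
            return False
    if len(password) < 6:
        return False
    # Characters from at least three of the four classes.
    classes = sum([any(c.isupper() for c in password),
                   any(c.islower() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return classes >= 3

def change_password(policy, user, new_pw, history, days_since_change):
    """Evaluate a change request the way the domain does; return
    (accepted, real_reason, message_shown_to_user)."""
    msg = GENERIC_MSG.format(**policy)
    if days_since_change < policy["min_age_days"]:
        return False, "minimum password age not reached", msg
    if len(new_pw) < policy["min_length"]:
        return False, "shorter than minimum length", msg
    if new_pw in history[-policy["history"]:]:
        return False, "password is in the remembered history", msg
    if policy["complexity"] and not meets_complexity(new_pw, user["sam"], user["name"]):
        return False, "complexity rule not met", msg
    return True, "ok", ""

if __name__ == "__main__":
    user = {"sam": "cgormley", "name": "Clifford Gormley"}    # constructed sample
    print(change_password(POLICY, user, "Winter2004", [], 5))  # refused: min age
    print(change_password(dict(POLICY, min_age_days=0), user, "Winter2004", [], 5))
```

Setting min_age_days to 0, as suggested in the comment above, is what turns the first refusal into an acceptance; the pasted 30-day minimum age will reject any second change inside a month with that same misleading text.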
 
Netman66 Commented:
Can you provide any Event Logs that contain errors relating to this?

Thanks.
 
cliffordgormley (Author) Commented:
I will look.  Thanks.  May take a while cuz I am in the UK right now.
 
Netman66 Commented:
Take your time.  We need to fix this correctly.
