cannot restore old settings of "password must meet complexity requirements"

Hi Experts,

I ENABLED the "password must meet complexity requirements" setting on one of our AD servers. After 8 hours I decided to change it back to DISABLED. It's been 2 weeks and the settings of these servers did not take effect... I already tried GPUPDATE /FORCE on all AD servers, still no use... All my users are complaining. May I know how to restore the settings?

Help is really appreciated

Hi.  The place where this GPO takes effect is at the domain level.
Check your default domain policy, and change the settings there:
Computer Configuration \ Windows Settings \ Security Settings \ Account Policies \ Password Policy

Go to Active Directory Sites and Services.
Under Default-First-Site-Name --> Servers
Click on the + sign next to each server.  Click on NTDS Settings.
In the right-hand pane, right-click the object, and choose Replicate Now.
Do that for all servers.

Then, go to a workstation, open a cmd prompt, and use the gpupdate /force again.


Check the password.
andybogard (Author) Commented:
Hi gpriceee

Still no effect.... could you please advise us other alternative?

Thanks Experts!!!
andybogard (Author) Commented:
Hi gpriceee

Is a reboot of the servers required? Will GPUPDATE /FORCE do the work, or is a reboot needed?

Thanks Experts!!!
No reboot is needed.
If you do a gpresult on the workstations, when was the latest policy applied?
Are you testing from more than one workstation?
Do you have another GP in the workstation OU?
andybogard (Author) Commented:
Hi gpriceee

We have a GP in the workstation OU, and blocked inheritance is disabled... so we expected the effect to replicate, but sadly it didn't.
It's been 2 weeks... I already tried GPUPDATE /FORCE on all servers since last week.

Thanks Experts!!!
Is the default policy Enforced?

Use the following tool to return how the policy is being applied.

If you don't have the Group Policy Management mmc, get it:

1.  In the Group Policy Management Console, click the + next to the Forest.
2.  Right-click Group Policy Results --> Group Policy Results Wizard...
3.  Next
4.  Select Another Computer --> Browse, and check the name of a connected workstation.
5.  Next
6.  At the bottom of the window, select Do not display user policy settings in the results
7.  Next
8.  Next
9.  Finish

Your settings should show there.  Adjust them, replicate, gpupdate /force.

Group Policy is Replicated to Domain Controllers.
Running gpupdate /force on a server only works for updating Group Policies that have been assigned to the servers.  Hopefully, you have Servers in their own OU, separate from the Workstation OU.

Once you change the Group Policy, if you want a quick result, force replication among Domain Controllers.  Then, run gpupdate /force on a workstation/s.

What really should help you the most here is the combination of using the Group Policy Results Wizard and the gpresult command.  That way, you'll know that the workstation expects to receive what the Domain Controller attempts to apply.

Just a thought . . . .
Somewhere along the way, have you adjusted the security settings on the policies?

On the Domain Controllers, is the File Replication service running?
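The checks suggested in the answers above (which GPOs are linked at the domain level and whether they are Enforced, whether every Domain Controller holds the same password policy, and what a workstation actually receives) can be scripted. This is an added example, not part of the original thread; it assumes a system with the RSAT `ActiveDirectory` and `GroupPolicy` PowerShell modules, and `WKS01` is a placeholder workstation name.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules; 'WKS01' is a placeholder workstation name.
param([string]$Workstation = 'WKS01')
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# 1. GPOs linked at the domain root, in precedence order. Domain account
#    password policy is only taken from GPOs linked here, so a second link
#    or an Enforced flag at this level decides which setting wins.
Get-GPInheritance -Target $domain.DistinguishedName |
    Select-Object -ExpandProperty GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. The password policy each DC currently holds on the domain object.
#    This is what is evaluated when a domain user changes a password.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController  = $dc.HostName
        IsPdcEmulator     = ($dc.HostName -eq $domain.PDCEmulator)
        ComplexityEnabled = $null
        MinPasswordLength = $null
    }
    try {
        $p = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName -ErrorAction Stop
        $row.ComplexityEnabled = $p.ComplexityEnabled
        $row.MinPasswordLength = $p.MinPasswordLength
    } catch {
        # Keep the DC in the report so an unreachable one is visible.
        $row.ComplexityEnabled = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
$perDc | Format-Table -AutoSize

# 3. Differing values mean the change has not replicated to every DC.
if (@($perDc | Group-Object ComplexityEnabled).Count -gt 1) {
    Write-Warning 'Domain Controllers disagree on ComplexityEnabled; check replication.'
}

# 4. Scripted equivalent of the Group Policy Results Wizard for one computer.
$report = Join-Path $env:TEMP "rsop-$Workstation.html"
Get-GPResultantSetOfPolicy -Computer $Workstation -ReportType Html -Path $report
Write-Host "Resultant Set of Policy report written to $report"
```

If step 2 still reports `ComplexityEnabled` as `True` on the Domain Controllers, running gpupdate on workstations will not change what users see at password change time.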
andybogard (Author) Commented:

Yes, the File Replication service is running.
Our default GP refresh is every 2 hours. We already checked one user's policy and the password complexity is disabled, but this user gets a complexity requirement when he changes his password.

Thanks Experts!!!
andybogard (Author) Commented:
Hi Experts!!!

Does anyone have an idea about our problem?

Thanks Experts!!!
Why don't you leave the policy as NOT DEFINED (don't check anything) and see if that would solve your problem...
I'm waiting for your response as to the results of the comparison of the Group Policy Results Wizard and the gpresult command at a workstation.

In the meantime, you could adjust the security settings of the Group Policy causing the issue, and deny read to everyone.
andybogard (Author) Commented:

It's been a weeks... still no positive result... servers replicate all policy

Thanks Experts!!!
andybogard (Author) Commented:
Hi Experts!!!

Thanks !!!!!

more power