
Group Policy Password Not "working"

saminco asked (Last Modified: 2012-06-21):
Attempting to set up Group Policy Password:

I created a new OU, moved my computer and user account into it.
Configured the Password Policy with:
    5 password history
    Max age "30"
    Min age "20"
    Min length "7"
    Passwd complex "not defined"
    Store password reverse "enabled"
Block Policy Inheritance
Checked No Override
Ran gpupdate /force <prompted to reboot> "Yes"
Rebooted

Upon signing on, it did not prompt for a new Password
Ran gpresult: Applied to new OU properly

Checked Application Event:

Source: SceCli
Event ID: 1202

"Security policies were propagated with warning 0x4b8:  An extended error has occured.


Now bear in mind that I did the same steps yesterday and when I rebooted, it DID prompt for a new password.  BUT it did not like ANY new passwords I tried to use.  Kept getting "minium password length is 0" message.  Left it blank, and it let me log on.  Rebooted, left password blank, let me log on.  Moved computer and user account back to original OUs <users / computers>.  Reset Password via AD to old password... then did the above steps <trying to "start" over>...


Any thoughts?


Author

Commented:
Understood.  Well, I don't want to apply password policy to Servers/Administrator account... how can this be completed?  Any means to "test" this policy before I apply it to all?
Chris Staunton, Sr. Infrastructure Engineer

Commented:
It won't require you to change password but will require it to be complex, here's a hint... :)  Disable the password policy long enough to change the password that you want to change, then re-enable the password policy.

If your user is set up in Active Directory users/computers to never expire their password then the user will NOT be prompted to change password every 30 days or whatever you set in the password GPO.

Cheers,

Chris

Commented:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236

So, as Rich255 says you need to ensure policy inheritance blocking is turned on the Domain Controllers OU.  You may be able to block policy inheritance on another OU and move the server administrator account to another OU and apply a different password policy here, but this may not work.

I'm not sure why you would want to do this though.  Are you using the built-in administrator account for your general admin?  If so, this is a big no-no.

Commented:
I haven't tested, but I think this may work:  Make a test OU, turn on block policy inheritance for that OU, put a test computer in that OU and specify a password policy on that computer's local policy.  Officially, the password policy must be on the domain GPO, but since the local policy is processed before the domain policy is, any password settings there should hold if the domain policy is blocked.  Problem is, that would only work for local accounts.  Domain accounts are on the DC... so whatever password policy it has is what will be applied to the domain user accounts.

Author

Commented:
So I could just add "do not allow user to change password" to all user profiles, except my account, set password policy on Default Group Policy, reboot my machine and see if it works properly?  If it does, remove "do not allow user to change password" from all users <except Server accounts; as I change those more often>.  And the policy will go into effect when they log on tomorrow... sound about right?

Commented:
If you have enabled reverse encryption on user accounts then I would require most users to change password at next logon to ensure that

1) they choose passwords with at least the minimum number of characters
2) passwords are stored using reversible encryption for CHAP, etc...

I had the same problem as you and only discovered when I saw a user logging in with a blank password.  I nearly crapped myself.

Author

Commented:
Well, I changed all users except mine to "not allow password change".  Rebooted my machine.  Worked perfectly.

But I am still getting the following:


Application Event:

Source: SceCli
Event ID: 1202

"Security policies were propagated with warning 0x4b8:  An extended error has occured.

Commented:
This may help you find the source of the error:
http://support.microsoft.com/kb/260715/EN-US/

Author

Commented:
I checked in the Default Domain Policy <which I am pulling my GP from> and the "Rename Administrator Account" is not assigned.  
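
The recurring question in this thread is whether the values set in the GPO are the ones actually being enforced. As an added example (not part of the original thread), the following PowerShell parses the `[System Access]` section of a `secedit /export` file and compares it with the values listed in the question. The sample export is constructed, and the helper names `Get-SystemAccess` and `Compare-PasswordPolicy` are hypothetical.

```powershell
# Values configured in the question's GPO. Complexity was "not defined",
# so it is left out of the comparison.
$Intended = [ordered]@{
    PasswordHistorySize   = 5
    MaximumPasswordAge    = 30
    MinimumPasswordAge    = 20
    MinimumPasswordLength = 7
    ClearTextPassword     = 1   # reversible encryption enabled
}

# Hypothetical helper: read the [System Access] section of a secedit export.
function Get-SystemAccess {
    param([string[]]$InfLines)
    $section = ''
    $values  = @{}
    foreach ($line in $InfLines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(-?\d+)$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $values
}

# Hypothetical helper: one row per intended setting, with the effective value.
function Compare-PasswordPolicy {
    param([hashtable]$Effective, [System.Collections.IDictionary]$Intended)
    foreach ($name in $Intended.Keys) {
        $actual = if ($Effective.ContainsKey($name)) { $Effective[$name] } else { $null }
        [pscustomobject]@{
            Setting = $name; Intended = $Intended[$name]
            Effective = $actual; Match = ($actual -eq $Intended[$name])
        }
    }
}

# Constructed sample export in which none of the intended values took effect.
# Real input: secedit /export /cfg "$env:TEMP\effective.inf" /areas SECURITYPOLICY
#             then $export = Get-Content "$env:TEMP\effective.inf"
$export = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordHistorySize = 0
ClearTextPassword = 0
[Event Audit]
'@ -split "`r?`n"
Compare-PasswordPolicy (Get-SystemAccess $export) $Intended | Format-Table -AutoSize
```

A row with `Match` set to `False` means the exported security database on that machine does not hold the value the GPO was meant to deliver, even when gpresult lists the GPO as applied.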
