Solved

Password Policy for Windows 2003

Posted on 2006-04-28
Last Modified: 2010-04-18
I am running a windows 2003 domain and I implemented the following password policy:

Policy                        Setting
Enforce password history      24 passwords remembered
Maximum password age          182 days
Minimum password age          2 days
Minimum password length       5 characters

I changed these settings in the default domain controller policy. I have verified that no other policies at any level Site, Domain, OU have any other policy settings. The problem is users are still being asked to change their passwords about every 40 days. Any ideas on what is causing this?
0
Comment
Question by:heco
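As an added example that is not part of the original question or of any reply in the thread: when users are prompted on a schedule that the GPO editor does not show, the first thing to check is what the domain controllers actually enforce, which `net accounts /domain` reports directly (it exists on Windows 2003 as well as on current versions). The PowerShell below parses that output and compares it with the values from the question. The embedded sample output is constructed for offline demonstration and shows the built-in 42-day default maximum age, not output from the poster's domain; the function names are chosen here.

```powershell
# Added example, not code from the thread. Compares the password policy the
# domain enforces ("net accounts /domain") with the settings the poster set.

# Expected values, taken from the question.
$Expected = @{
    'Maximum password age (days)'           = 182
    'Minimum password age (days)'           = 2
    'Minimum password length'               = 5
    'Length of password history maintained' = 24
}

function ConvertFrom-NetAccounts {
    # Parse the "Label:   value" lines of net accounts output into a hashtable.
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<label>[^:]+?):\s+(?<value>\S.*)$') {
            $result[$Matches.label.Trim()] = $Matches.value.Trim()
        }
    }
    return $result
}

function Compare-PasswordPolicy {
    # Return one line per setting whose enforced value differs from expectation.
    param([hashtable]$Actual, [hashtable]$Expected)
    $drift = @()
    foreach ($key in $Expected.Keys) {
        if (-not $Actual.ContainsKey($key)) {
            $drift += "$key : not reported by net accounts"
            continue
        }
        # net accounts prints "Unlimited"/"Never" for zero values, so compare as strings.
        if ("$($Actual[$key])" -ne "$($Expected[$key])") {
            $drift += "$key : expected $($Expected[$key]), domain enforces $($Actual[$key])"
        }
    }
    return $drift
}

# Constructed sample output (not from the poster's domain). The values are the
# Windows defaults a domain falls back to when no root-linked GPO sets them.
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
'@ -split "`r?`n"

# Live run on a domain member instead of the sample:
#   $actual = ConvertFrom-NetAccounts (net accounts /domain)
$actual = ConvertFrom-NetAccounts $sample
$drift  = Compare-PasswordPolicy -Actual $actual -Expected $Expected
if ($drift) {
    $drift | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Enforced domain password policy matches the expected settings.'
}
```

Running this against the constructed sample reports drift on the maximum age, minimum age and minimum length, which is the symptom to look for: the GPO that was edited shows 182 days, but the domain is still enforcing a different value because that GPO is not supplying the account policy.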
18 Comments
 
LVL 4

Accepted Solution

by:
rutten-d earned 600 total points
ID: 16565116
You should set this policy in the default domain policy instead of the domain controller policy.
0
 

Author Comment

by:heco
ID: 16565144
Thanks for the quick response. Any specific reason for setting it there instead of the domain controller policy?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16565835
The Default Domain Controller policy only governs logons on the DC.  For Domain-wide policies, use the Default Domain Policy.

0

Author Comment

by:heco
ID: 16565868
I agree. I know there can only be one password policy for the domain users, so I edited the default domain controllers policy to add the password policy. So if I wanted to add a different password policy for a computer's local accounts I could add another password policy on that OU. I'm just wondering why it is being suggested to put it into the default domain policy.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16565961
No, that's not true.

There can only be one Account Policy in the Domain.  It cannot be blocked or overridden.  Setting it on the Default Domain Controller Policy does not apply it to the domain, but rather the local logon to the servers (local accounts) - which, depending on the account, may be AD accounts too (like Administrator).

Adding different Account Policies to different OUs only succeeds in controlling local account logons - not domain account logons.

In order to make your policy apply to the domain it MUST be in the Default Domain Policy.

I hope this clears it up a bit.
0
 
LVL 4

Expert Comment

by:rutten-d
ID: 16568387
There can be more than one password policy per domain, if you use filtering by security groups.
Password policies can only be applied on the domain level.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16568555
rutten-d - there can only be one account policy per domain that affects domain accounts.  You cannot have more than one per domain.  It cannot be blocked or overridden.

http://support.microsoft.com/kb/255550/en-us



0
 
LVL 4

Expert Comment

by:rutten-d
ID: 16568675
Hi Netman66,

This is a statement made by an MCT who I got my MCSE 2003 upgrade from.
Since the article you refer to applies to Win2000, I'm testing it at this moment in a virtual lab on 2003 - if it doesn't work I'm going to whip some MCT booty... :-)
0
 
LVL 4

Expert Comment

by:rutten-d
ID: 16569332
I did some tests:

set up an AD domain with default settings,
removed password policy settings from the Default Domain Policy,
created two new policies - one requiring a password length of 10 chars, one requiring 14 chars,
made policy 1 apply to computer 1 and policy 2 to computer 2.

As Netman66 stated, it doesn't appear to work - although gpresult shows that the settings are applied...
Actually - in the setup described above I was completely unable to reset my own password as an ordinary user,
so it appears that some mechanism only accepts password policy settings from the default domain policy.

There are more things I could have tested, like deleting the Default Domain Policy, but that wouldn't be realistic in real life.

Credits to you , Netman66
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16572855
I was also an MCT for 4 years, and never heard of the technique you mentioned here.  In theory, you made an interesting point, but the reality is that Account Policies only come from the Default Domain Policy and nowhere else.

It made me think about it, and finding an article to back my statement wasn't the least bit easy.  I think it's in the Active Directory course material I used to deliver and therefore not searchable online.

At any rate, one Account Policy governs the Domain logons - any number of lower level policies can be used to govern local logons though.  However, in a domain environment, local logons aren't tremendously useful.

Regards,
NM
0
 
LVL 4

Expert Comment

by:rutten-d
ID: 16573907
Well heco,

I hope you got your answer... :-)
0
 

Author Comment

by:heco
ID: 16577228
Thank you Netman66 and rutten-d.

Netman66 - My understanding of the way the password policy works is that the domain controller is holding the account database for the domain, so you can apply a password policy on the Domain Controllers OU for the domain user accounts and the built-in accounts. It is recommended to put the password policy in the default domain policy, but you can create a policy and link it to the Domain Controllers OU as long as you don't have another password policy set anywhere else. Please check out this article, it is where I am getting my information from:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx#EBAA

The two sections of interest are Storing Password Policy Information and Implementing Password Policy Settings.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16580258
Please cut and paste the sentences you believe state that password policies can be set on the Default Domain Controller policy or that OU - I don't see them.

The article specifically states that there can only be one password policy per domain and it must be linked at the root container.  They mention a Default Domain Controller policy only in the context that it is created along with the Default Domain Policy by default when AD is installed.  I see nothing there that states your password policies can and should be set there.

If you think about Group Policy Objects, they are linked at certain levels (domain, site or OU) and affect everything in the container they are linked to and their children (by inheritance).  If you link a password policy on the Domain Controllers OU then it only affects the DC directly and thus only a local logon to those DCs (which don't exist).

I'm not trying to be argumentative, I'm simply attempting to explain this a little better.

That is a good article though - and it backs up my statement about one Account policy per domain much better than the article I linked to earlier.



0
 

Author Comment

by:heco
ID: 16580882
I greatly appreciate your help Netman66. Under the paragraph Storing Password Policy Information there is a sentence that starts out saying "An Active Directory domain is considered a single account database." My understanding of all this is if you apply a password policy to a Domain Controllers OU it will (it's working on my other domains) still work. The policy doesn't apply only to a local DC's accounts (which don't exist) but instead affects the AD user database.

Also under Storing Password Policy Information is this paragraph which talks about being able to apply it directly to an OU and not at the root:

It is a best practice to avoid modifying these built-in GPOs. If you need to apply password policy settings that diverge from the default settings, you should create a new GPO instead and link it to the root container for the domain, or to the Domain Controllers OU and assign it a higher priority than the built-in GPO. If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.

When I set this up I wanted the password policy to only affect domain user accounts and not the local accounts on the workstations. I removed the password policy settings from the default domain policy and set them in the default domain controllers policy. It is working fine on my other domains but not this one. The users aren't required to change their password for 182 days, but it is expiring around every 30.

I know you're not being argumentative; you are very knowledgeable and helpful.
 
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 400 total points
ID: 16581012
This Security setting actually applies to Domain accounts - both the Computer Account and the User Account - so applying it at the domain level should have no effect for local logons at all.

Applying it to the DC OU doesn't affect either the domain-connected computers or the users that logon with a domain account since neither object exists inside or under the DC OU.  Why it's working on the other domains is anyone's guess.  I suspect it is still picking up settings from the Default Domain Policy or one linked at the domain level.

The second paragraph simply states that it isn't best practice to modify the Default GPOs - either the Default Domain Policy or Default Domain Controller Policy - but rather create new policies and link them appropriately with a higher priority.  In reality, I only use Default Domain Policy for Account Policies and Audit settings.  Anything else I require will go into a new GPO linked where it's needed.  I have never yet had to change a setting in Default Domain Controller Policy for anyone I've done business with.  You *rarely* need to touch that policy - and even then, under very specific circumstances (like SMB signing for downlevel clients).

You should run up GPMC.msc on those other domains and do a RSoP for a user and workstation under the domain - this will tell you exactly where the password policies are coming from.



0
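To carry out the GPMC/RSoP check suggested in the reply above, here is an added example that is not code from the thread or from Microsoft. It reads the password policy the domain enforces and then lists the GPOs linked at the domain root, in link order, that define password settings, so the source of the values is visible. It assumes the RSAT ActiveDirectory and GroupPolicy modules (not available on Windows Server 2003 itself; run it from a current domain-joined management host with rights to read GPOs), and it assumes the Get-GPOReport XML represents password settings as Account elements with a Type of "Password", which is how that report is laid out as far as I know. Get-EnforcedPasswordPolicy and Get-DomainRootPasswordGpos are names chosen here.

```powershell
# Added example, not code from the thread. Finds where the domain password
# policy comes from. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-EnforcedPasswordPolicy {
    # The values the domain controllers actually apply to domain accounts.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MaxPasswordAgeDays = $p.MaxPasswordAge.Days
        MinPasswordAgeDays = $p.MinPasswordAge.Days
        MinPasswordLength  = $p.MinPasswordLength
        PasswordHistory    = $p.PasswordHistoryCount
    }
}

function Get-DomainRootPasswordGpos {
    # Only GPOs linked at the domain root can supply the account policy for
    # domain accounts; a link on the Domain Controllers OU only changes the
    # local SAM policy of the DCs, so it will not appear in this list.
    $domainDn = (Get-ADDomain).DistinguishedName
    $links = (Get-GPInheritance -Target $domainDn).GpoLinks | Sort-Object Order
    foreach ($link in $links) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        # Assumption about the report schema: password settings are <Account>
        # nodes with <Type>Password</Type> under the computer security settings.
        # local-name() sidesteps the report's XML namespaces.
        $nodes = $report.SelectNodes("//*[local-name()='Account'][*[local-name()='Type']='Password']")
        $settings = @{}
        foreach ($n in $nodes) {
            $name    = $n.SelectSingleNode("*[local-name()='Name']").InnerText
            $valNode = $n.SelectSingleNode("*[local-name()='SettingNumber']")
            if (-not $valNode) { $valNode = $n.SelectSingleNode("*[local-name()='SettingBoolean']") }
            if ($valNode) { $settings[$name] = $valNode.InnerText }
        }
        if ($settings.Count -gt 0) {
            [pscustomobject]@{
                Order    = $link.Order
                Gpo      = $link.DisplayName
                Enabled  = $link.Enabled
                Enforced = $link.Enforced
                Settings = ($settings.GetEnumerator() | Sort-Object Key |
                            ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            }
        }
    }
}

Write-Host 'Password policy the domain enforces:'
Get-EnforcedPasswordPolicy | Format-List

Write-Host 'GPOs linked at the domain root that define password settings (lowest Order wins):'
Get-DomainRootPasswordGpos | Format-Table -AutoSize
```

If the second listing is empty while the first still shows non-default values, the settings were written directly into the domain's attributes rather than by a root-linked GPO; if it lists several GPOs, the one with the lowest link order (or an enforced one) supplies the values, which is the conflict resolution the Microsoft article quoted above describes.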
 

Author Comment

by:heco
ID: 16639544
I went ahead and took out the policy for the default domain controller's policy and moved it to the default domain policy. I am keeping an eye out to see if the problem still occurs.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16640431
Ok.  I think you should see what you expect to see now.
0
 

Author Comment

by:heco
ID: 16735212
I appreciate both of your inputs. The problem seems to be fixed. Thanks!
0
