• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 722
  • Last Modified:

Not able to turn off the password complexity settings in GPO?

In this SBS 2003 lab I am trying to allow users to make shorter passwords than the 7 char, upper / lower case, etc. taht SBS 2003 defaults to.

First, I'm not asking for a debate of pros / cons of short / long passwords, just the steps to change those defaults...

I am going into group policy under server management, editing the Small Business Server Domain Password Policy (and looking at the other policies... and doing gpupdate / force from the server.  Making new users or users trying to change passwords from the change password screen on their machines shows the complexity settings still in place.

running the modeling wizard on 1 user shows:

Account Policies/Password Policyhide
Policy Setting Winning GPO
Maximum password age 0 days Small Business Server Domain Password Policy
Minimum password age 0 days Small Business Server Domain Password Policy
Minimum password length 3 characters Small Business Server Domain Password Policy
Store passwords using reversible encryption Disabled Small Business Server Domain Password Policy

am I doing something wrong (OK, I know I am... WHAT am I doing wrong! : )
0
Techsupportwhiz
Asked:
Techsupportwhiz
2 Solutions
 
TechsupportwhizAuthor Commented:
OK!  My bad.  I found this

http://www.experts-exchange.com/Operating_Systems/SBS_Small_Business_Server/Q_21677207.html?query=default+password+policies&topics=1031

remininding me to use the wizards!

OK, so I didn't.  now the policies say 3 character length, but users are required to use the default 7 char, upper / lower, etc...

going into the WIZARD for password policy, it says 3 char and complexity is turned off.  CHanging things has no effect - reopen the WIZARD still shows 3 char and user complexity is still on...

other than blowing away the whole OS or compare this install to another, is there something i can do to recover?!

You do have to manually edit the GPOs for some things, right?  Wizards aren't the answer to everything?  

And is there a URL that spells out all the things the wizard does?  that would help me catch the things I didn't change manually?  thanks!
0
 
DaMaestroCommented:
The last policy (innermost in AD) to be applied is always the winning policy. If you have SP1 installed, try using the GPMC (Group Policy Management Console). You can then run RSOP on the client machine to verify that there are not other policies being applied as well.

Also, clients get the new policy faster when you reboot, but it may take 30-60 minutes on average.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I just saw a talk on "length of passwords" which explained that this is the ONE key to making passwords secure.  The difference between cracking a 5 letter password and a 15 letter password is something like 6 hours versus 1500 years!

You wouldn't have to manually edit the GPO in this case.  Wizards should be used wherever they exist... and they do in this case.

I'm wondering though... perhaps you didn't use a wizard for something else and that's now showing itself here?

Are your users in the default OU?  (MyBusiness\Users\SBSUsers)?

How about running this command on a workstation?  C:\>gpresult /z >gpresult.txt

This will create a gpresult.txt file which you can post here.

Jeff
TechSoEasy
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now