Solved

AD - Override "Complexity Requirements"

Posted on 2007-10-04
Last Modified: 2008-05-31
I want to apply a GPO (AD 2003) to an OU that does NOT enforce the "Password must meet complexity requirements." I don't want to modify the Default Domain Policy. How do I proceed?
0
Question by:light-blue
 
LVL 23

Accepted Solution

by:
Jeremy Weisinger earned 1800 total points
ID: 20017236
You can't in 2003.

There can only be one Account Policy per domain in 2003 and earlier. In 2008 you will be able to specify multiple Account Policies.
0
 
LVL 1

Author Comment

by:light-blue
ID: 20017404
I made the changes to the default Default Domain Policy, but I am still receiving the same error ("Windows cannot set the password for User1 because: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."). Do I need to issue a refresh command of some sort? I am executing the command on the PDC itself (only 1 in this test network).
0
 
LVL 13

Assisted Solution

by:dhoffman_98
dhoffman_98 earned 200 total points
ID: 20017432
Same answer... more detail...

In Windows 2000 and Windows 2003 Active Directory environments, the Account Policy can only be set at the domain level, and can not be overridden, ignored, or applied only to specific OUs.

It's a domain policy, and if the OU is in the domain, it's getting that policy.

From: http://technet2.microsoft.com/windowsserver/en/library/04d8f32b-8ec7-4176-9d09-29f8c062d2391033.mspx?mfr=true

"For domain accounts, the account policy must be defined in the Default Domain Policy Group Policy object (GPO) or in a new GPO that is linked to the root of the domain and given precedence over the Default Domain Policy GPO, which is enforced by the domain controllers that make up the domain. If more than one GPO containing account policy settings is linked at the domain level, the domain's account policy consists of the cumulative policy settings from all the domain-linked GPOs.

A domain controller always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if a different account policy is applied to the organizational unit (OU) that contains the domain controller. By default, workstations and servers joined to a domain (such as member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be differentiated from the domain account policy by defining an account policy for the OU that contains the member computers."
0
 
LVL 23

Assisted Solution

by:Jeremy Weisinger
Jeremy Weisinger earned 1800 total points
ID: 20017434
Wait 5 minutes or do a "gpupdate" from the command prompt.

If it's still giving you an error that means there is a policy requirement you're not meeting. Look through those that are listed (complexity, length, history) and make sure they're set to what you want.
0
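One way to carry out the check suggested in the answer above, added here as an example and not part of the original thread: refresh policy, export the effective security settings with `secedit`, and read back the three values named in the error message. It assumes an elevated PowerShell prompt on the domain controller; the output file name is a hypothetical choice.

```powershell
# Added example (not from the thread): confirm which password settings the
# domain controller is actually enforcing after a policy change.

# Re-apply computer policy now instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

# secedit writes the effective security policy as an INF file.
$cfg = Join-Path $env:TEMP 'effective-secpol.inf'   # hypothetical output path
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed: $cfg was not written" }

# The three requirements listed in the error: length, complexity, history.
$wanted = 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize'

# Account policy values live in the [System Access] section of the export.
$inSection = $false
$found = @{}
foreach ($line in Get-Content $cfg) {
    $line = $line.Trim()
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.+)$') {
        if ($wanted -contains $Matches[1]) { $found[$Matches[1]] = $Matches[2].Trim() }
    }
}

foreach ($name in $wanted) {
    if ($found.ContainsKey($name)) { '{0,-24} {1}' -f $name, $found[$name] }
    else { '{0,-24} (not present in export)' -f $name }
}

# PasswordComplexity = 1 means the complexity requirement is still enforced,
# so the GPO edit has not taken effect or another domain-linked GPO wins.
if ($found['PasswordComplexity'] -eq '1') {
    Write-Warning 'Complexity is still enabled in the effective policy.'
}

Remove-Item $cfg
```

If the values shown differ from what was set in the Default Domain Policy, check whether another GPO linked at the domain root carries account policy settings with higher precedence.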
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 20017442
If you changed the policy, did you do a "gpupdate" after so that the machine would pull the new policy and make it effective?
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 20017543
Glad to help. =)
0
