Password complexity in SBS 2003 not coming from Group Policy.

Hello all, I'm having a problem in a Windows Server/Domain environment where I am unable to assign a password due to not meeting complexity requirements.  Under any other circumstances this would not be a problem; however, the issue is not with needing complex passwords, the issue is I cannot find this option enabled in ANY GPO.

I have searched ALL GPOs within scope as well as without scope, I've run multiple RSoPs on multiple users where the resultant reveals no inherited GPOs/or if inherited, no password complexity requirements.  I've taken all GPOs out of scope, I've rebooted the servers, I've waited days to be sure that AD latency is compensated for and still have not found out where this password complexity is being generated/inherited from.  I'm aware that SMB servers are not the pedigree of Windows servers and would I have my way they would all be Linux/Unix/Novell, but that is not the case.  Please, if anyone knows what I'm missing, or where this setting can be coming from let me know.  It's not coming from Group Policy, I have established that.

   Any help with this would be greatly appreciated, I'm not concerned so much with turning it off so much as figuring out where it's coming from since I don't want that source of setting to override all my GPO settings on the domain.
kingvent Asked:

kingvent Author Commented:
Okay, never mind everyone, I've been able to fix/workaround the issue by actually disabling the unused User Settings half of the "Password Policy" GPO and several RSoPs later showed the policy in full force.

Strange how even before when I set the policy in place on the domain it would not propagate even after days but when I disabled half the GPO from loading it somehow propagated near-instantly.  I'm still unsure of what to make of group policy, sometimes it's wonderful, and other times chaotic and worthless...

Oh well, that's universally Microsoft I guess.

Thanks everyone for suggestions, but this one answer was more a result of trial, error, and luck.
0
 
Difladermaus Commented:
I am not sure of this, but it is possible that it is a local policy setting. If group policy does not cover this setting could the local policy still take effect? I think it could but I am not sure.

Dif
0
 
kingvent Author Commented:
The local policy settings have also been checked, I'm sorry I forgot to mention that as well, because local policy settings have a tendency to trump domain setting, another thank you to Microsoft for embedded "features."

This question is still open.
0
 
strongline Commented:
Password policy in a domain can only be defined in Domain level policies. Settings in any other level will be ignored. Forget about searching for where the option is, just set the desired values in one of your domain policies.
0
 
oBdA Commented:
There can only be one and exactly one password policy *per* *domain* in a W2k3 AD (Server W2k8 will change this), and this policy *has* to be linked to the *domain* *root* (so you either need to change the default domain policy or create a new GPO and link it to the domain root, with a higher priority than the DDP).
Password complexity is enabled *by* *default* in a W2k3 AD; you have to explicitly disable it if you don't want it.
Password policies linked to OUs will only influence *local* accounts on computers in or below the OU to which the GPO is linked.
0
 
Difladermaus Commented:
Guess I misunderstood the question. Are you having a problem on one machine or is your entire domain responding the same way?

Dif
0
 
kingvent Author Commented:
Thank you for reminding me oBdA, I had almost forgotten that it was enabled by default.  The fact that it can only be set at the domain level and only once per domain is a fact that came up as well when we *explicitly* disabled complexity requirements, as well as set minimum length to 0, and set minimum age to 0 and maximum to its maximum.  Even set the amount of passwords remembered to 0 and allowing repeat passwords (remembered passwords=0).

We've done all this in an effort to disable *all* password requirements explicitly simply for the fact that there are multiple *generic* logins where there is a high turnover with *very* limited permissions and several non-generic logins (also limited in permissions) that are used to access our PMS software from the terminal server.  We want the first level of passwords to be minimal while keeping terminal server access limited to those with non-generic logins as well as complex passwords within our PMS software.

So far we cannot set the first level of password policies to "0."

Explicitly telling AD in a domain policy is still unsuccessful in propagating our desired effect.
0
 
oBdA Commented:
Did you maybe block inheritance for the Domain Controllers OU? The Password Policy has to be applied to the DCs.
Did you run gpresult /v on the DCs to check if the password policy is actually applied?
Have you tried creating a new GPO "Password Policy", linking it to the domain root, giving it the highest priority of all GPOs linked to the domain root, and disabling the complexity in this policy?
0
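An added example, not part of the thread and not posted by any participant: alongside `gpresult /v`, the values the domain controllers actually enforce can be read from the domain head object (`pwdProperties`, `minPwdLength`, `pwdHistoryLength`) on each DC, which shows whether the policy landed everywhere or is still replicating. The function name `Get-EffectivePasswordPolicy` and the `$flagNames` table are names chosen for this sketch; it assumes a domain-joined machine with PowerShell 2.0 or later.

```powershell
# Added example (not from the thread). Reads the enforced password policy from
# every DC's copy of the domain head object using built-in ADSI only.

# pwdProperties is a bit field of DOMAIN_PASSWORD_* flags.
$flagNames = @{
    0x01 = 'DOMAIN_PASSWORD_COMPLEX'
    0x02 = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    0x04 = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    0x08 = 'DOMAIN_LOCKOUT_ADMINS'
    0x10 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    0x20 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}

# Hypothetical helper: bind to one DC and decode its view of the policy.
function Get-EffectivePasswordPolicy {
    param([string]$Server, [string]$DomainDn)

    $head  = [ADSI]"LDAP://$Server/$DomainDn"
    $props = [int]$head.pwdProperties.Value

    # Names of all flags that are set, lowest bit first.
    $set = $flagNames.Keys | Sort-Object |
           Where-Object { $props -band $_ } |
           ForEach-Object { $flagNames[$_] }

    New-Object PSObject -Property @{
        Server             = $Server
        ComplexityEnabled  = [bool]($props -band 0x01)
        MinPwdLength       = [int]$head.minPwdLength.Value
        PwdHistoryLength   = [int]$head.pwdHistoryLength.Value
        PwdPropertiesFlags = ($set -join ', ')
    }
}

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDn = [string]$domain.GetDirectoryEntry().distinguishedName

# One row per DC: differing rows mean the change has not reached every DC.
$domain.DomainControllers | ForEach-Object {
    Get-EffectivePasswordPolicy -Server $_.Name -DomainDn $domainDn
} | Format-Table Server, ComplexityEnabled, MinPwdLength, PwdHistoryLength, PwdPropertiesFlags -AutoSize
```

If `ComplexityEnabled` is still `True` after the GPO reports as applied, the setting never reached the domain object, which points at policy processing on the DCs and not at the GPO's contents.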
 
kingvent Author Commented:
I will try that oBdA.  Thanks for suggestion, I will post with results.
0
 
kingvent Author Commented:
oBdA,

I have tried your suggestion of creating GPO and linking to root with highest priority and disabling the complexity.  This however was still unsuccessful in turning off password complexity.  With no other GPOs to contend with, and "enforced" attribute, and no GPO set to not inherit I am at a loss as to why this GPO is not being applied properly.  I also ran the gpresult tool, the policy is being applied, the settings applied yet I am still unable to create a new user/edit existing user without a complex/length/etc password.  This is really starting to get on my nerves as AD has had about an hour to work out its latency issues and propagate already, so I'm on my last leg.  Any more miracle cures oBdA, you seem really knowledgeable in AD, please think of something else...we'll be in touch.

Cheers!
0
 
kingvent Author Commented:
Correction to above, none of the "OU" are set to "Not inherit."
0
 
intekra Commented:
I have to ask since it's SBS and I didn't see it mentioned anywhere above... Did you try running the wizard for passwords in Server Management?
0
 
Vee_Mod Commented:
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
0