Solved

Group Policy Setting for Minimum Password Age = 0 not working

Posted on 2008-10-07
Last Modified: 2013-12-04
I have a brand new Windows Server 2008 SP1 64-bit server installed with AD, Exchange 2007 SP1, etc.

I have a group policy configured and applied to my domain that includes a password policy.  Specifically, the password policy setting of Minimum Password Age is set to 0 (so that users can change their password immediately).  The default used to be set to 1.  However, something is not working.  If I reset a user's password for maintenance then ask them to change it - they are unable to.  If they wait a day, then it works.  It should be noted that I'm using the default domain policy (yes it is enforced) and I have it applied to all other users.  I know the policy works because I see other evidence that it was applied.

I know that Server 2008 provides for password enforcement through AD but I have not configured any of that.  I've loaded ADSI edit and explored the settings and cannot find anything configured under System/Password Settings Container.

By the way, I have tried gpupdate /force, reboots, logoffs, etc... nothing works.

I have no idea where else to look?  Any ideas?  Is there a way I can review the applied password policy on the user's system to verify that it was set correctly?  Is something else overriding it?
Question by:bjb2303
13 Comments
 
LVL 4

Expert Comment

by:Chris James
ID: 22661591
Shouldn't you be adjusting the password changing within the user properties within Active Directory if it's on a user-by-user basis?

That would be easier?
0
 
LVL 16

Expert Comment

by:kshays
ID: 22662058
Have you read this article yet?
http://technet.microsoft.com/en-us/magazine/cc137749.aspx

It appears you do not implement password policies the way you would in earlier versions of Windows.

Kevin
0
 

Author Comment

by:bjb2303
ID: 22662717
I found this information in the ADSI Edit help screen when trying to follow the instructions that kshays provided.  

In the Windows Server® 2008 operating system you can use ADSI Edit to administer fine-grained password and account lockout policies. For more information, see the Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (http://go.microsoft.com/fwlink/?LinkID=91477). Note: For managing password policy settings at the organizational unit (OU) level, you can use Group Policy tools instead of ADSI Edit.

Looks to me like Group Policy is still supported but you can use ADSI Edit to fine-tune.  I don't... I'm happy with a domain-wide policy.

So back to my original question - if AD does not have anything configured, then why isn't my group policy working for minimum age?
0

 

Author Comment

by:bjb2303
ID: 22662791
What's odd is my users get this message which states that the password must be 7 characters and at least a day old.  I've refined the policy to be 6 characters and 0 days old.  I'm guessing that either this is a generic message or something is overriding my group policy object?

http://i.technet.microsoft.com/cc770842.e2eda066-d362-4b51-8517-2ca39c9a48a4(en-us).gif
0
 
LVL 16

Expert Comment

by:kshays
ID: 22663018
Are you using GPMC to edit the GPO?  If so there is a gpo result that you can run to get applied policies on that user or workstation.  I would go ahead and do gpupdate /force on the DC a few times and the workstations a few times just to make sure.  Some policies require 2 reboots in order to take effect.  I'm not sure if this is one or not.  Are there any other DC's that need to be replicated by chance?

At this point you need to see what settings in the GPO are getting applied to the users.

kshays
0
 

Author Comment

by:bjb2303
ID: 22663267
I checked the GP Results (thanks - that's pretty cool) but it looks like everything was successfully applied and there are no errors.

Okay - so I'm pretty well convinced that Group Policy is being ignored when it comes to the password policy.  I disabled the complexity requirements, updated the policy on the workstation and tried to change my password - no luck - I'm still required to create a "complex" password.

Also, under the "Password must meet complexity requirements" explanation, there is an interesting note at the bottom: "Note: By default, member computers follow the configuration of their domain controllers."

Huh?
0
 

Author Comment

by:bjb2303
ID: 22663283
By the way, my DC does not have a policy enforced for it.  In fact, there are NO other group policies in my domain.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 22663360
First of all, let's forget about the comments above surrounding Fine-Grained Password Policies, since that's not what you're deploying here. (FGPPs are a completely different animal and are managed in a completely different manner.)

So you have the Default Domain Policy GPO, and have configured the Computer Configuration-->Policies-->Local Settings-->Password Policies section to have complexity turned off, a minimum password length of 6 characters and a minimum password age of 0 days.  Can you verify this within the GPMC console?  (Browse to the DDP and click "Show All" in the right-hand pane on the Settings tab.)

Once you have verified this, go to a client computer that is experiencing the issue and run 'rsop.msc' from the Run line.  This will tell you what settings are being applied, and which GPO is "winning" if you have multiple GPOs configured. Specifically, I'm thinking that you might have conflicting password settings configured between the Default Domain Policy and the Default Domain Controllers Policy.
0
 

Author Comment

by:bjb2303
ID: 22663567
Yes, I can verify the settings are as you specified.

I checked rsop.exe (very cool - didn't know about that one) and I can see that the correct group policy is in effect.  It shows that it was successfully updated and I can verify the settings are correct.

In GP for the "Password must meet complexity requirements" explanation, there is an interesting note at the bottom: "Note: By default, member computers follow the configuration of their domain controllers."

I think these complexity requirements might be a requirement on my server which are overriding my group policy?  I have not configured anything in AD (i.e. FGPP's) but is there something new for Server 2008 that overrides group policy?  I'm thinking that the hierarchy might be...

1.) FGPP's
2.) ??? - Server's?
3.) Group Policy

0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22663668
Fine-Grained Password Policies will override password settings configured in GP, but if you haven't configured one yourself there aren't any that exist manually.

Open ADSI Edit, connect to the default naming context. Right-click on the domain (dc=domain,dc=com) in the right-hand pane and select Properties. Confirm that minPwdAge and minPwdLength are set to the expected values, and that pwdProperties is set to 0.
0
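The ADSI Edit check described in the comment above, as a read-only PowerShell script (an added example, not part of the original thread). The expected values are the ones the asker configured in Group Policy; the variable names are assumptions, and the script must run on a domain-joined machine.

```powershell
# Added example: read-only check of the password policy stored on the domain
# head object (the attributes ADSI Edit shows). Run on a domain-joined machine.

# Expected values: the settings the asker configured in Group Policy.
$expectedMinAgeDays = 0
$expectedMinLength  = 6
$expectedComplexity = $false

$root = [ADSI]'LDAP://RootDSE'
$dn   = [string]$root.defaultNamingContext      # e.g. dc=domain,dc=com

# DirectorySearcher returns large integers (minPwdAge) as Int64 directly.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$dn"
$searcher.SearchScope = 'Base'
$searcher.Filter      = '(objectClass=*)'
foreach ($attr in 'minPwdAge', 'minPwdLength', 'pwdProperties') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}
$props = $searcher.FindOne().Properties          # keys are lower-case

# minPwdAge is a negative count of 100-nanosecond intervals; 0 means no minimum.
$minAgeDays = [TimeSpan]::FromTicks([Math]::Abs([long]$props['minpwdage'][0])).TotalDays
$minLength  = [int]$props['minpwdlength'][0]
# Bit 0x1 of pwdProperties is DOMAIN_PASSWORD_COMPLEX (complexity enforced).
$complexity = ([int]$props['pwdproperties'][0] -band 1) -ne 0

$checks = @(
    @('minPwdAge (days)', $minAgeDays, $expectedMinAgeDays),
    @('minPwdLength',     $minLength,  $expectedMinLength),
    @('complexity bit',   $complexity, $expectedComplexity)
)

"Domain head: $dn"
foreach ($c in $checks) {
    # A mismatch means the GPO value has not been written to the directory.
    $status = if ($c[1] -eq $c[2]) { 'OK' } else { 'MISMATCH' }
    '{0,-18} actual={1,-6} expected={2,-6} {3}' -f $c[0], $c[1], $c[2], $status
}
```

Running it before and after a Group Policy change shows whether the edited values actually reach the domain object.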
 

Author Comment

by:bjb2303
ID: 22663830
That's it!  That was my problem.  I didn't configure these - so these MUST be default policies now?  Maybe because I have Server 2008 SP1?

I tried clearing these values and clicking apply, but it failed.  I ended up having to change these values so that they match my Group Policy settings.  But I'm okay with that - because at least the mystery is solved.

Thanks a million!
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22663846
Configuring the Default Domain Policy should provide an administrative UI to modify those values - modifying them directly in ADSI Edit shouldn't be necessary.

See if you can modify them in GP and then see if the corresponding values in ADSI Edit change, otherwise it might point to another issue. (Just in the interest of thoroughness.)

Glad it's working, though.
0
 

Author Comment

by:bjb2303
ID: 22663908
I had previously modified them in Group Policy, however, my default domain policy does not apply to my domain controller - so maybe that was my problem?

(I don't want it to apply to my domain controller because I have Windows Update and firewall settings configured differently for the workstations.)

Is that what you mean?
0
