Solved

Group Policy for Password Policy not applying correctly

Posted on 2009-02-19
Last Modified: 2012-05-06
I'm trying to implement a password policy for my domain.  I have put the following settings (among others) into the Default Domain Policy:  
-min password length: 10
-password history: 5

When I run GPRESULT /V on a domain computer, I get the results in the attached gpresult.txt file.  It sure looks like it's taken my settings.  However, when I try to change my password on that same machine (purposely try to change it to something too short), I get a message like the attached file password-change.jpg (says password must be 4 characters and not be the same as the last 3).  

What's going on here?

Thanks!
Bob

gpresult.txt
password-change.JPG
Question by:breichard
27 Comments
 
LVL 5

Expert Comment

by:AncientFrib
ID: 23686226
Password policies need to be changed on the Domain Controller.  Check that your domain controller is receiving the GPO settings.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 23686481
Are you using a third-party password tool such as PasswordEnforcer?  That pop-up message doesn't look like the standard one you usually get when you enter a non-conforming password.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23686556
@Ancient - Password policies do not need to be changed at the domain controller.  Where he applied them at the domain level is fine.

http://technet.microsoft.com/en-us/library/cc737831.aspx 

"Account policies include password policy, account lockout policy, and Kerberos policy. Although they affect user accounts, account policies are defined on computers. In Windows Server 2003 and Windows 2000, there is only one set of account policies for each domain, and these policies are defined at the domain level."
On your gpresult the password length shows up as 8, is that what you meant it to be? Other than that it does look like you have the settings right.
 Are those settings in the screenshot what your settings used to be?
On another note I'm in the same area as you...very close to where your OU is. Go VA :)
Thanks
Mike
0

 

Author Comment

by:breichard
ID: 23686568
AncientFrib: Everything I've read says it has to be done at the root of the domain and NOT in an OU (as in the Default Domain Controllers Policy).  To test this, I put password length to a setting of 2 in the Default Domain Controllers Policy.  But, I'm still getting the pop up (attached before) where it shows it must be 4 characters.  

LauraEHunterMVP: no 3rd-party tools.  Do you have an example of what it should look like?  

thanks!
Bob
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 23686590
Might just be an OS-specific thing, then, I'm used to seeing a more generic message than that. You'd know if you had third-party tools in place, I'm sure.

Next guess would be a replication issue if you have multiple domain controllers in-place - run dcdiag.exe /v on your domain controllers to confirm that changes made on 1 DC are reaching the others successfully.
0
 

Author Comment

by:breichard
ID: 23686603
mkline71: 8 is what we WANT it to be.  So, as you see, the computer is reading it correctly...the question is why isn't it applying it?

As for the old settings, I don't know what they were.  They were set to undefined.  And, by the way, I made the change over a week ago.  There are no replication errors in the logs, so I ass-u-me that replication is working correctly.  (Again, the PC is getting the right settings in the gpresult command...)
0
 

Author Comment

by:breichard
ID: 23686618
LauraEHunterMVP:  running dcdiag /v now...
0
 
LVL 10

Expert Comment

by:sublifer
ID: 23686751
Are you running

gpupdate /force

before you're testing your policy?
0
 

Author Comment

by:breichard
ID: 23687073
LauraEHunterMVP:  some weird things going on here.  On one of my DCs, I found that inbound and outbound replication was turned off.  Odd.  I turned them both back on (using repadmin).  After waiting about 15 minutes, things seem to have calmed back down.  Attached is the output of dcdiag /v on this server.  I think it looks okay, but I'm no expert.

sublifer: yes, I've run gpupdate /force.  As I said, though, the changes were made a week or more ago.
laurel-dcdiag.txt
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23687148
So the first time you ran dcdiag is when you saw that inbound and outbound replication was off.  Wow, do you know who may have done that?
Force replication (either through Sites and Services or using repadmin /syncall)...although by now replication has probably happened on its own.
Run that same password test and see if you get the same message.
0
 

Author Comment

by:breichard
ID: 23687180
Yeah, that's what I was thinking.  We had a problem with the Downadup.B virus all across this network, but I hadn't heard of it doing that...

Re-testing now...
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23687227
Not sure if it was that virus or not but there was another post on here today where someone ran dcdiag and found that inbound and outbound replication was turned off without explanation just like what you found.
 
0
 

Author Comment

by:breichard
ID: 23687499
Odd.  No love, though.  It's really odd that gpresult /v shows that it should be applied, but then doesn't apply it...?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23687563
Can you post repadmin /showreps from that DC that was having issues?
Thanks
Mike
0
 

Author Comment

by:breichard
ID: 23687945
mkline71: Looks clean to me.  The attached is from the DC which had inbound/outbound replication turned off.
Laurel-repadmin-showreps.txt
0
 
LVL 18

Expert Comment

by:Americom
ID: 23688292
Just curious, does this problem affect all machines you log on from, as well as other accounts?
0
 

Author Comment

by:breichard
ID: 23688580
Correct.  It's the same from any PC in any OU and with any ID.
0
 

Author Comment

by:breichard
ID: 23705918
Any other ideas?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23712504
Only other thing I can think of is to go through every policy.  I'm just trying to figure out where it is pulling that info from in your original screen shot (4 character minimum, 3 for password history, etc...)
That DC is replicating fine; /showreps looked good.
0
 

Author Comment

by:breichard
ID: 23713139
Yes, I guess that's the $1M question, huh?  The really odd thing is that the GPRESULT /V shows that it's reading the correct info from the Default Domain Policy.  I don't know what else to do...any ideas at all?

Thanks again for your help.
Bob
0
 

Author Comment

by:breichard
ID: 23721913
Anyone have any ideas?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23723055
You could enable verbose logging and see if you can find any clues there.  More on that here:
http://technet.microsoft.com/en-us/library/cc739088.aspx
http://www.frickelsoft.net/blog/?p=34
This is a tough one. Did you look through all your other policies and see if those original settings were ever set on another GPO?
0
 

Author Comment

by:breichard
ID: 23750622
I did look through the rest of the GPOs, and none have these settings.  I haven't had a chance to look at your last links yet, but I will do that as soon as I can.

thanks,
Bob
0
 

Author Comment

by:breichard
ID: 23908638
It turns out that there was a block inheritance set on the domain controllers' OU.  That was blocking the default domain policy from hitting the domain controllers...which, of course, is where domain passwords are set.

Thanks for all the help.
0
 

Accepted Solution

by:
breichard earned 0 total points
ID: 23908655
It turns out that there was a block inheritance set on the domain controllers' OU.  That was blocking the default domain policy from hitting the domain controllers...which, of course, is where domain passwords are set.

Thanks for all the help.
0
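A diagnostic script for the failure mode in this thread, added here and not part of the original thread: it reads the password policy the domain is actually enforcing, checks whether the Domain Controllers OU has Block Inheritance set, and lists which GPOs still reach that OU. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed on the machine where it runs.

```powershell
# Added example (not from the thread). Password and lockout settings only take
# effect when the domain controllers apply them, so gpresult on a workstation can
# show the right numbers while the DCs enforce something else. Block Inheritance
# on the Domain Controllers OU hides every GPO linked above it, including the
# Default Domain Policy, unless that link is marked Enforced.
# Assumes: RSAT ActiveDirectory and GroupPolicy modules, run as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example

# 1. What the domain is enforcing right now (read from the domain naming context,
#    i.e. the values the DCs use when a user changes a password).
$enforced = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
"Enforced now: MinPasswordLength={0} PasswordHistoryCount={1}" -f `
    $enforced.MinPasswordLength, $enforced.PasswordHistoryCount

# 2. Inheritance state of the Domain Controllers OU. If this is True, domain-level
#    GPOs are cut off here, which is exactly what happened in this thread.
$inheritance = Get-GPInheritance -Target $dcOu
"Domain Controllers OU blocks inheritance: {0}" -f $inheritance.GpoInheritanceBlocked

# 3. GPOs that actually reach the DC OU, in precedence order. The Default Domain
#    Policy must appear here for password settings defined in it to apply.
"GPOs applied to the DC OU:"
$inheritance.InheritedGpoLinks |
    ForEach-Object { "  {0,2}  {1}  Enforced={2}" -f $_.Order, $_.DisplayName, $_.Enforced }

$reaches = $inheritance.InheritedGpoLinks | Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
if (-not $reaches) {
    "WARNING: Default Domain Policy does not reach the DC OU; its password settings are not enforced."
    # Two fixes, run only after reviewing what else the block was protecting:
    #   Set-GPInheritance -Target $dcOu -IsBlocked No
    # or, to override Block Inheritance without removing it:
    #   Set-GPLink -Name 'Default Domain Policy' -Target $domain.DistinguishedName -Enforced Yes
}
```

After either fix, run gpupdate /force on a DC and re-read Get-ADDefaultDomainPasswordPolicy; the enforced values should now match the GPO.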
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23908656
Good catch, nicely done!!
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 23908695
Ouch! Hadn't encountered that one before, excellent catch!
0
