breichard

Group Policy for Password Policy not applying correctly

I'm trying to implement a password policy for my domain.  I have put the following settings (among others) into the Default Domain Policy:  
-min password length: 10
-password history: 5

When I run GPRESULT /V on a domain computer, I get the results in the attached gpresult.txt file.  It sure looks like it's taken my settings.  However, when I try to change my password on that same machine (purposely trying to change it to something too short), I get a message like the one in the attached file password-change.jpg (it says the password must be 4 characters and not be the same as the last 3).  

What's going on here?

Thanks!
Bob

gpresult.txt
password-change.JPG
AncientFrib

Password policies need to be changed on the Domain Controller.  Check that your domain controller is receiving the GPO settings.
Are you using a third-party password tool such as PasswordEnforcer?  That pop-up message doesn't look like the standard one you usually get when you enter a non-conforming password.
Mike Kline
@Ancient - Password policies do not need to be changed at the domain controller.  Where he applied them at the domain level is fine.

http://technet.microsoft.com/en-us/library/cc737831.aspx 

"Account policies include password policy, account lockout policy, and Kerberos policy. Although they affect user accounts, account policies are defined on computers. In Windows Server 2003 and Windows 2000, there is only one set of account policies for each domain, and these policies are defined at the domain level."
On your gpresult the password length shows up as 8; is that what you meant it to be? Other than that, it does look like you have the settings right.
 Are those settings in the screenshot what your settings used to be?
On another note I'm in the same area as you...very close to where your OU is. Go VA :)
Thanks
Mike
breichard (ASKER)
AncientFrib: Everything I've read says it has to be done at the root of the domain and NOT in an OU (as in the Default Domain Controllers Policy).  To test this, I put the password length to a setting of 2 in the Default Domain Controllers Policy.  But I'm still getting the pop-up (attached before) where it shows it must be 4 characters.  

LauraEHunterMVP: no 3rd-party tools.  Do you have an example of what it should look like?  

thanks!
Bob
Might just be an OS-specific thing, then, I'm used to seeing a more generic message than that. You'd know if you had third-party tools in place, I'm sure.

Next guess would be a replication issue if you have multiple domain controllers in place - run dcdiag.exe /v on your domain controllers to confirm that changes made on one DC are reaching the others successfully.
mkline71: 8 is what we WANT it to be.  So, as you see, the computer is reading it correctly...the question is why isn't it applying it?

As for the old settings, I don't know what they were.  They were set to undefined.  And, by the way, I made the change over a week ago.  There are no replication errors in the logs, so I ass-u-me that replication is working correctly.  (Again, the PC is getting the right settings in the gpresult command...)
LauraEHunterMVP:  running dcdiag /v now...
Are you running

gpupdate /force

before you're testing your policy?
LauraEHunterMVP:  some weird things going on here.  On one of my DCs, I found that inbound and outbound replication was turned off.  Odd.  I turned them both back on (using repadmin).  After waiting about 15 minutes, things seem to have calmed back down.  Attached is the output of dcdiag /v on this server.  I think it looks okay, but I'm no expert.

sublifer: yes, I've run gpupdate /force.  As I said, though, the changes were made a week or more ago.
laurel-dcdiag.txt
So the first time you ran dcdiag is when you saw that inbound and outbound replication was off.  Wow, do you know who may have done that?
Force replication (either through sites and services or using repadmin /syncall)...although by now replication has probably happened on its own
Run that same password test and see if you get the same message.
Yeah, that's what I was thinking.  We had a problem with the Downadup.B virus all across this network, but I hadn't heard of it doing that...

Re-testing now...
Not sure if it was that virus or not but there was another post on here today where someone ran dcdiag and found that inbound and outbound replication was turned off without explanation just like what you found.
 
Odd.  No love, though.  It's really odd that gpresult /v shows that it should be applied, but then doesn't apply it...?
Can you post repadmin /showreps from that DC that was having issues.
Thanks
Mike
mkline71: Looks clean to me.  The attached is from the DC which had inbound/outbound replication turned off.
Laurel-repadmin-showreps.txt
Just curious, does this problem affect all machines you log on from, as well as other accounts?
Correct.  It's the same from any PC in any OU and with any ID.
Any other ideas?
Only other thing I can think of is to go through every policy.  I'm just trying to figure out where it is pulling that info from in your original screenshot (4 character minimum, 3 for password history, etc.).
 That DC is replicating fine /showreps looked good.
Yes, I guess that's the $1M question, huh?  The really odd thing is that the GPRESULT /V shows that it's reading the correct info from the Default Domain Policy.  I don't know what else to do...any ideas at all?

Thanks again for your help.
Bob
Anyone have any ideas?
You could enable verbose logging and see if you can find any clues there.  More on that here:
http://technet.microsoft.com/en-us/library/cc739088.aspx
http://www.frickelsoft.net/blog/?p=34
This is a tough one. Did you look through all your other policies and see if those original settings were ever set on another GPO?
I did look through the rest of the GPO's, and none have these settings.  I haven't had a chance to look at your last links yet, but I will do that as soon as I can.

thanks,
Bob
It turns out that there was a block inheritance set on the domain controllers' OU.  That was blocking the default domain policy from hitting the domain controllers...which, of course, is where domain passwords are set.

Thanks for all the help.
ASKER CERTIFIED SOLUTION (breichard)
Good catch, nicely done!!
Ouch! Hadn't encountered that one before, excellent catch!
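The following is an added example, not code from anyone in this thread, showing how to check the two things the thread turned on: Mike Kline's point that account policy is defined once per domain at the domain level, and the asker's finding that Block Inheritance on the Domain Controllers OU kept the Default Domain Policy from reaching the DCs. The effective values are stored on the domain head (minPwdLength, pwdHistoryLength, and so on) and are written there by the PDC emulator when it applies the domain's account-policy GPO, so a DC that never receives the GPO leaves them at whatever was last applied, regardless of what gpresult shows on a workstation. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed and that it is run as a domain admin; the GPO name 'Default Domain Policy' is the built-in default and is only an assumption if the policy has been renamed.

```powershell
# Added example (not from the original thread): diagnose a domain-level
# password policy that is not taking effect. Assumes the RSAT
# ActiveDirectory and GroupPolicy modules are installed and that this runs
# with domain admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. What the domain is actually enforcing right now. This is read from the
#    domain head, not from any GPO, so it is the ground truth users see.
Write-Host "Effective domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled |
    Format-List

# 2. Which GPOs are linked at the domain root, and whether they are enabled/enforced.
Write-Host "GPOs linked at $($domain.DistinguishedName):"
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 3. The Domain Controllers OU. If inheritance is blocked here, the domain-level
#    policy never reaches the DCs (the condition found in this thread).
$dcOu = Get-GPInheritance -Target $domain.DomainControllersContainer
Write-Host "Inheritance blocked on $($dcOu.Path): $($dcOu.GpoInheritanceBlocked)"
Write-Host "GPOs the DCs actually inherit (enforced links still get through a block):"
$dcOu.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

if ($dcOu.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on the Domain Controllers OU; domain-level account policy will not apply."
    # Two ways to fix it (uncomment one). Clearing the block restores normal
    # inheritance; enforcing the domain link makes it win even through a block.
    # Set-GPInheritance -Target $domain.DomainControllersContainer -IsBlocked No
    # Set-GPLink -Name 'Default Domain Policy' -Target $domain.DistinguishedName -Enforced Yes
}

# 4. Re-apply computer policy on the PDC emulator (the DC that writes the
#    account policy to the domain head) and read back what it now reports.
#    'net accounts' on a DC shows the domain's effective password settings.
Invoke-Command -ComputerName $domain.PDCEmulator -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    net accounts
}
```

Step 1 is the check that would have short-circuited this thread: a gpresult on a workstation only shows what that workstation received, while Get-ADDefaultDomainPasswordPolicy (or `net accounts /domain` from any member) shows what the domain is enforcing. If those disagree with the GPO, look at what the DCs inherit (step 3), not at the clients.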