Active Directory Password Group Policy not working

Posted on 2009-04-16
Last Modified: 2012-05-06

I have just set up a group policy in an OU for a few users.  It is a password policy.  I changed the settings in Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy.  I enforced a password history of 1 day.  The max password age is set to 60 days.  The min password age 0 days.  Min password length is 6 characters.  The password must meet complexity requirements.  I did not store the password using reversible encryption.

I got my users to log off and back in and try to reset their passwords to 4 characters...and it worked.  What am I doing wrong?


Question by:ITatES
    LVL 21

    Expert Comment

    Password policy must be at domain level in 2003 and only one password policy per domain.

    LVL 1

    Expert Comment

    Try a gpupdate /force from the command line?
    LVL 82

    Accepted Solution

    In a W2k3 AD, there can only be *one* password policy *per* *domain*, and it has to be linked to the *domain* *root*.
    Password policies applied to an OU will only restrict *local* accounts on the machines in the OU, not domain accounts.
    You either need to upgrade to a W2k8 AD, which supports fine-grained password policies, or use a third-party tool, for example from or
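
The accepted solution above, as an added PowerShell example (not part of the original thread): it reads the domain-root policy that actually governs domain accounts, then applies the asker's settings as a fine-grained password policy. Assumptions: the ActiveDirectory module is available (Windows Server 2008 R2 or later tools), and the OU, group, policy and user names are hypothetical placeholders. A fine-grained policy targets users or global security groups, not OUs, so the OU's users are placed in a group.

```powershell
Import-Module ActiveDirectory

# 1. The policy in force for domain accounts is the one linked at the domain root.
#    A password GPO linked to an OU does not change these values.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, ReversibleEncryptionEnabled

# 2. Fine-grained policies require domain functional level Windows Server 2008 or higher.
$mode = "$((Get-ADDomain).DomainMode)"
$tooOld = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($tooOld -contains $mode) {
    throw "Domain functional level is $mode; fine-grained password policies are unavailable."
}

# Hypothetical names, chosen for this example only.
$ou    = 'OU=Restricted Users,DC=example,DC=com'
$group = 'GG-RestrictedPasswordUsers'
$pso   = 'PSO-RestrictedPasswordUsers'

# 3. Put the OU's users into a global security group, because a PSO cannot be linked to an OU.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
$members = Get-ADUser -Filter * -SearchBase $ou
Add-ADGroupMember -Identity $group -Members $members

# 4. Create the policy with the values from the question and apply it to the group.
#    A lower Precedence number wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
    -MinPasswordLength 6 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 1 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 0) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# 5. Verify per user. Empty output means no PSO applies and the
#    default domain policy from step 1 is what the account gets.
foreach ($user in $members) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($effective) {
        "{0}: {1} (min length {2})" -f $user.SamAccountName, $effective.Name, $effective.MinPasswordLength
    } else {
        "{0}: default domain policy" -f $user.SamAccountName
    }
}
```
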
    LVL 38

    Expert Comment

    One other small thing to note:

    If you check "password never expires" on Active Directory user accounts, that overrides the domain policy. So, if you set that on the domain admin account, then the password doesn't have to conform to the complexity rules of the default domain password policy.

