• Status: Solved

Active Directory Password Group Policy not working


I have just set up a group policy in an OU for a few users. It is a password policy. I changed the settings in Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy. I enforced a password history of 1 day. The max password age is set to 60 days. The min password age is 0 days. Min password length is 6 characters. The password must meet complexity requirements. I did not store the password using reversible encryption.

I got my users to log off and back in and try to reset their passwords to 4 characters...and it worked.  What am I doing wrong?


1 Solution
Password policy must be at domain level in 2003 and only one password policy per domain.

Try a gpupdate /force from the command line?
In a W2k3 AD, there can only be *one* password policy *per* *domain*, and it has to be linked to the *domain* *root*.
Password policies applied to an OU will only restrict *local* accounts on the machines in the OU, not domain accounts.
You either need to upgrade to a W2k8 AD, which supports fine-grained password policies, or use a third-party tool, for example from http://www.anixis.com/ or http://www.specopssoft.com/
One other small thing to note:

If you check "password never expires" on Active Directory user accounts, that overrides the domain policy. So, if you set that on the domain admin account, then the password doesn't have to conform to the complexity rules of the default domain password policy.
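To see which password policy actually governs a domain account, as opposed to what an OU-linked GPO appears to set, the following added example (not part of the original thread) reports the policy source for a user. It assumes PowerShell 3 or later with the RSAT ActiveDirectory module and a domain controller running Active Directory Web Services; `Get-EffectivePasswordPolicy` is a hypothetical helper name and `jdoe` is a placeholder account.

```powershell
# Added example: report which password policy governs a domain user.
# Assumptions: ActiveDirectory module available; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires

    # A fine-grained policy (PSO) can only exist at domain functional level
    # 2008 or later; the cmdlet returns nothing when no PSO targets the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    if ($pso) {
        $source = "Fine-grained policy (PSO): $($pso.Name)"
        $policy = $pso
    } else {
        # No PSO: the single domain-wide policy linked at the domain root applies.
        $source = 'Default domain policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # An OU-linked GPO never shows up here: for domain accounts the source is
    # always the domain policy or a PSO.
    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MaxPasswordAge       = $policy.MaxPasswordAge
        MinPasswordAge       = $policy.MinPasswordAge
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe'

# List user accounts flagged "password never expires" so they can be reviewed.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

If `MinPasswordLength` in the output does not match the value configured in the OU-linked GPO, the GPO is not the policy being enforced for that account.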

