Server 2008 Granular Password Policy Issue

Posted on 2009-04-29
Last Modified: 2012-05-06
I'm trying to set up a PSO that uses a separate set of password policies for certain users with higher security requirements.  I've followed the guide for doing this found here:

My environment contains 2 Windows Server 2003 DCs that share the FSMO roles, and another Windows Server 2008 DC that has the Global Catalog.  One of the Server 2003 (the Domain Naming and Schema Master) DCs is also a Global Catalog server.

I have created a PSO with the settings I want and applied it to the group I want it to affect.  I confirmed that the group has the msDS-PSOApplied setting set, pointing to my PSO, and also confirmed that the msDS-PSOAppliesTo setting on the PSO itself contains my group.  I also added a specific user account to the msDS-PSOAppliesTo setting and it still does not work.

When I log in as a user who is supposed to be getting these settings, I am still allowed to change my password to something with only 4 chars (minimum is 8 on my PSO).

Does anybody have any idea why this might not be working?  Thank you.

Question by:usom

    Accepted Solution

    You have to be at Windows 2008 Domain Functional Level for fine-grained passwords to work.
    For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.

    Author Comment

    Ahhh!  I should have caught that.  I suppose there is no mixed mode that allows Server 2003 DCs?

    Expert Comment

    by:Mike Kline
    Not for fine-grained passwords, but you are almost there.  
    Just a few more DCs to go and you will be at W2K8 DFL...way ahead of many places.
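
A diagnostic for the situation in this thread, added here as an example and not part of the original posts: it reads the domain functional level, lists the domain controllers and their operating systems, and shows which PSO (if any) resolves for a user. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and can reach a DC running Active Directory Web Services; `example.user` is a hypothetical placeholder account.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Hypothetical placeholder: an account that should receive the PSO.
$SamAccountName = 'example.user'

# msDS-Behavior-Version on the domain head stores the domain functional level:
# 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.
$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName `
                       -Properties 'msDS-Behavior-Version'
$level  = [int]$head.'msDS-Behavior-Version'

if ($level -ge 3) {
    "Domain functional level $($domain.DomainMode): fine-grained policies can apply."
} else {
    "Domain functional level $($domain.DomainMode): fine-grained policies will not apply."
}

# Every DC must run Windows Server 2008 or later before the level can be raised,
# so list them with their operating systems.
Get-ADDomainController -Filter * |
    Sort-Object OperatingSystem |
    Select-Object Name, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize | Out-String

# Resultant PSO for the user (the constructed msDS-ResultantPSO attribute).
# No result means the domain-wide password policy is what the user gets.
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($pso) {
    $pso | Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled |
        Format-List | Out-String
} else {
    "No PSO resolves for $SamAccountName; the domain password policy applies."
}

# Cross-check the links from the PSO side (msDS-PSOAppliesTo).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo |
    Format-List | Out-String
```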
