  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2089

Active Directory Password Complexity Issues

We have a small LAN with only 1 AD server on Windows 2003. We will soon need to roll out a security change to the office to require "complex" passwords. As a test, we enabled complex passwords in AD for just the OU that the IT department's login objects are in. Our passwords were always complex, but this requirement was never turned on in AD.


When I try to change my password (through Windows XP Ctrl-Alt-Del) it tells me that the password is not complex enough.

I can reset the password using Active Directory Users and Computers (which bypasses requirements, i.e. I can change the password to "pass"). The problem is when trying to change the password through Windows XP Ctrl-Alt-Del.

It says that the requirements are:
(1) 7 char long
(2) Must contain at least 3 of the following: Upper, Lower, Number, Symbol.
(3) Must not contain any 2 consecutive char from your user name.

I've double checked the password and it is 13 char long, contains both Capital and lowercase letters, has 2 numbers and 1 special char.  And I made sure that no 2 consecutive characters from my user name are used in the password.

Example:
    john.doe
    MYpassword$123    (there is no "JO" or "OH" or "HN" or "N." or ".D" or "DO" or "OE" in the password)

Any ideas what could be wrong?  Does the user-name for these purposes also include the "@domain.com" or "domain\" ?  Even so, the passwords that I'm trying are still not using those char combos...

Could there be something wrong with the AD server?
0
okacs
Asked:
okacs
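The three rules the XP change-password dialog lists are the Windows complexity filter that the "Password must meet complexity requirements" setting turns on. As an added example (not from the question or any of the answers), the Python below re-implements that filter following Microsoft's documented rules: the filter itself needs at least six characters (the separate Minimum password length policy, 7 in this thread, is applied on top of that), characters from three of the four categories, and no occurrence of the whole sAMAccountName (just the account name, without any "domain\" prefix or "@domain.com" suffix) or of any part of the display name that is three or more characters long, the name being split on commas, periods, hyphens, underscores, spaces, "#" and tabs. Run against the question's john.doe / MYpassword$123 sample it reports no violations, consistent with the thread's eventual finding that policy application on the workstation, not the password, was the problem. The display name "John Doe" and the other sample passwords are constructed for the demo.

```python
import re


def count_categories(password: str) -> int:
    """Return how many of the four character categories the password uses:
    uppercase, lowercase, base-10 digits, non-alphanumeric characters."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return sum((has_upper, has_lower, has_digit, has_symbol))


def full_name_tokens(full_name: str) -> list:
    """Split the display name on the delimiters the filter uses and keep
    only tokens of three or more characters (shorter ones are ignored)."""
    tokens = re.split(r"[,.\-_ #\t]+", full_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def check_complexity(password: str, account_name: str, full_name: str = "",
                     min_length: int = 7) -> list:
    """Return a list of rule violations; an empty list means the password
    satisfies the complexity filter together with the given
    'Minimum password length' policy value."""
    failures = []
    # The complexity filter itself requires six characters; the separate
    # minimum-length policy (7 in the thread) is enforced on top of it.
    required = max(6, min_length)
    if len(password) < required:
        failures.append(f"shorter than {required} characters")
    if count_categories(password) < 3:
        failures.append("fewer than 3 of 4 character categories")
    pw = password.lower()
    # sAMAccountName is matched whole and case-insensitively (no domain
    # prefix or UPN suffix), and only when it is at least three characters.
    if len(account_name) >= 3 and account_name.lower() in pw:
        failures.append(f"contains account name {account_name!r}")
    for token in full_name_tokens(full_name):
        if token in pw:
            failures.append(f"contains full-name part {token!r}")
    return failures


if __name__ == "__main__":
    # Constructed sample values; the first row is the example from the question.
    cases = [
        ("MYpassword$123", "john.doe", "John Doe"),
        ("pass", "john.doe", "John Doe"),
        ("Doe4ever!", "john.doe", "John Doe"),
        ("John.doe99!", "john.doe", "John Doe"),
    ]
    for pw, acct, name in cases:
        result = check_complexity(pw, acct, name)
        print(f"{pw:16} -> {'OK' if not result else '; '.join(result)}")
```

A password that this function accepts but the workstation rejects points away from the password itself and towards how the policy is being applied on that machine, which is where the rest of the thread ends up.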
5 Solutions
 
Justin Owens (ITIL Problem Manager) commented:
Overview of Password Complexity:

http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx

Complexity requirement will not be enforced until next password change. You can script a forced change, if needed:

http://computerperformance.co.uk/vbscript/vbscript_pwdlastset.htm

In Windows Server 2003, select Domain Security Policy from Administrative Tools. In Windows Server 2008, select Local Security Policy from Administrative Tools.
In Windows Server 2003, expand Security Settings-Account Policies-Password Policy. In Windows Server 2008, expand Account Policies-Password Policy.

Verify your complexity requirements are what your OS is reporting.

On the client machine, do a GPUPDATE /force to make sure your policy has been applied to the workstation correctly.

Justin
0
 
DCMBS commented:
I don't think you have this set up right. Password policies can only be applied at the domain level; they cannot be restricted to an individual OU. Are you sure you aren't applying a local policy on the machines you are testing with?
0
 
Shift-3 commented:
I was about to post what DCMBS just said; in 2000 and 2003 Active Directory, password policies only take effect at the domain level.  If set at the site or OU level, they will only apply to local user accounts and not domain accounts.

See this article for clarification, and a way to overcome the limitation in Server 2008.
0
 
DCMBS commented:
'I can reset the password using Active directory Users and Computers (which bypasses requirements - ie: I can change the password to "pass").  The problem is when trying to change the password through Windows XP Ctrl-Alt-Del.'

This doesn't look right either. Password policy is enforced regardless of where the change is made. Check that the machine you are testing with is a member of the domain and is not using a local policy to manage passwords.
0
 
Jakob Digranes (Senior Consultant) commented:
Is this a password used earlier?
Maybe you've told the Windows server that it should remember the last passwords, or that the password cannot be changed before it's one day old.

Besides that, I agree with all the others: in 2003, password policy is applied at the domain-wide level (in 2008 you can have several policies).
0
 
okacs (Author) commented:
@ jakob_di

No, AD isn't set to remember previous passwords yet.  That is the next step.

@ DrUltima

We've already done a GPUpdate /force several times, as well as reboots, etc. As far as it taking effect at next password change... that is what is failing. It is already applied and therefore won't let us change the password (nothing appears to be complex enough for it!!)


@ DCMBS

Domain level, eh? That would kill our hopes of "testing" this first.... But if it is at domain level, then why did it let us do it at the OU level? It is already effective for the IT group, but apparently not for others?

Here's what we did: From the console of the AD server > ADU&C > Domain.com > CorporateHQ > IT > right-click Properties / Group Policy / Open (Group Policy Management Console opens) > IT > IT policies > right-click Edit > (opens the GPO editor) Computer Config > Windows Settings > Security Settings > Account Policies > Password Policy.

In here we changed the settings to:
      Enforce password history      not defined
      Max password age              90
      Min password age              0
      Min password length           7
      Password must be complex      Enabled

0
 
okacs (Author) commented:
Screen Shot
GPO-Shot.jpg
0
 
DCMBS commented:
This could be your problem. The GP editor does allow you to edit the password policy on an OU, but password policy should be set in the Default Domain Policy. Password policies set elsewhere are not applied as expected. Try setting your policy in the Default Domain Policy.

http://support.microsoft.com/kb/269236
0
 
okacs (Author) commented:
I removed the password settings from the IT policy and put into Domain policy.  It still does not work.  It will not accept complex passwords as Complex enough.
0
 
okacs (Author) commented:
PS - The MS link that you sent me does not match what I see on my screen. The instructions say:

To resolve this issue, disable the Block Policy Inheritance option on the Domain Controllers organizational unit:

   1. Start the Active Directory Users and Computers snap-in.
   2. Right-click the Domain Controllers organizational unit, click Properties, and then click to clear the Block Policy Inheritance check box.
   3. On the domain controllers, run the following command:
      secedit /refreshpolicy machine_policy /enforce

But when I start the Active Directory Users and Computers snap-in and right-click the Domain Controllers organizational unit, and click Properties, there is no checkbox labelled "Block Policy Inheritance" on any of the tabs.

ScreenShot025.jpg
0
 
okacs (Author) commented:
Furthermore, the syntax "secedit /refreshpolicy machine_policy /enforce" is not valid.

ScreenShot026.jpg
0
 
okacs (Author) commented:
Ok, I can change it at the DC. It is correctly requiring only complex passwords per the policy, and the example password is complex enough. But on my PC it will not take it. Weird.

When I do a Gpresult, it shows the domain policy is applied??
0
 
DCMBS commented:
Try using RSOP to see exactly which policies are applied on your PC and where they come from.
0
 
Justin Owens (ITIL Problem Manager) commented:
For clarification, RSoP is Resultant Set of Policies:

http://technet.microsoft.com/en-us/library/cc758010%28WS.10%29.aspx

Justin
0
 
okacs (Author) commented:
I can ping the AD server by both IP address and by name (domain.com). When I run GpUpdate /force it says it is refreshed, and when I run gpresult, it shows as being applied. But when I run Rsop.msc I get red Xs on everything.
0
 
okacs (Author) commented:
rsop screenshot
ScreenShot027.jpg
0
 
okacs (Author) commented:
gpresult screenshot
ScreenShot029.jpg
0
 
DCMBS commented:
How is your DNS configured? Does your server have the DNS role installed and point only to itself for DNS, and are workstations configured to point to the DC for DNS, and only the DC?
0
 
okacs (Author) commented:
DNS is on the DC.  Workstations are configured for primary DNS at that server, and then secondary DNS at an external DNS server (OpenDNS).

0
 
Justin Owens (ITIL Problem Manager) commented:
Don't do that.  AD will misbehave.

Your only DNS should be internal.  Your DC should point to itself only (unless you have a secondary DNS server, and you can make that secondary).  In DNS, you point all non-domain requests to your external server.

Justin
0
 
DCMBS commented:
Remove the external DNS server reference. Workstations should only ever be configured to use internal DNS servers, as external DNS servers do not have the domain data that is needed by a workstation to properly participate in a domain. Same goes for servers. If you do not have a secondary internal DNS server then do not configure any secondary DNS references.
0
 
okacs (Author) commented:
Actually, I just took the PC off the domain & re-added it back.  That solved the problem.  Now my RSOP.MSC shows everything is OK.


SIDE NOTE - If you are going to take your PC off the domain, BE SURE THAT YOU EITHER RESET OR KNOW THE LOCAL ADMIN ACCOUNT PASSWORD FIRST.  (That was a pain!)

Thanks everyone!
0
 
okacs (Author) commented:
Thanks!
0
 
DCMBS commented:
Magic, well done
0
 
apcoexch commented:
I have the exact issue;

Password complexity is set on the Default Domain Policy and when I run GpUpdate /force it says it is refreshed, and when I run gpresult on the client machines, it shows as being applied, but I can still change the password to anything I desire, regardless of it being through AD or Ctrl+Alt+Del on the machine.

I have also tried going down the route of taking machines off the domain and adding them back on again - I have over 200 machines, but in any case it didn't work...

Any help?

Thanks.
0
 
Justin Owens (ITIL Problem Manager) commented:
apcoexch,
You need to open your own Question so that the Experts can address your needs.
Justin
0
 
apcoexch commented:
Apologies, please remove my comment.

Thanks.
0
