okacs
asked on
Active Directory Password Complexity Issues
We have a small LAN with only 1 AD server on Windows 2003. We will soon need to roll out a security change to the office to require "complex" passwords. As a test, we enabled Complex passwords in AD for just the OU that the IT department logins objects are in. Our passwords were always complex, but this requirement was never turned on in AD.
When I try to change my password (through Windows XP Ctrl-Alt-Del) it tells me that the password is not complex enough.
I can reset the password using Active Directory Users and Computers (which bypasses requirements, i.e. I can change the password to "pass"). The problem is when trying to change the password through Windows XP Ctrl-Alt-Del.
It says that the requirements are:
(1) 7 char long
(2) Must contain at least 3 of the following: Upper, Lower, Number, Symbol.
(3) Must not contain any 2 consecutive char from your user name.
I've double checked the password and it is 13 char long, contains both Capital and lowercase letters, has 2 numbers and 1 special char. And I made sure that no 2 consecutive characters from my user name are used in the password.
Example:
john.doe
MYpassword$123 (there is no "JO" or "OH" or "HN" or "N." or ".D" or "DO" or "OE" in the password)
Any ideas what could be wrong? Does the user-name for these purposes also include the "@domain.com" or "domain\" ? Even so, the passwords that I'm trying are still not using those char combos...
Could there be something wrong with the AD server?
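As an added illustration (constructed for this page, not code from the thread or from Windows), the three rules exactly as the asker's dialog states them, run against the example pair john.doe / MYpassword$123. The built-in Windows filter's documented rule rejects account-name runs longer than two characters, whereas the page's rule 3 says two, so the stricter page version is what is implemented; the example password passes every stated rule, which points at the client not applying the intended policy rather than at the password.

```python
"""Re-implementation of the password rules as reported on the page (constructed example)."""
import string


def username_bigrams(username: str) -> set[str]:
    """Every pair of adjacent characters in the user name, case-folded."""
    u = username.lower()
    return {u[i:i + 2] for i in range(len(u) - 1)}


def check_complexity(password: str, username: str, min_len: int = 7) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Rules as stated on the page:
      (1) at least min_len characters (the asker's policy sets 7),
      (2) at least 3 of the 4 classes upper / lower / digit / symbol,
      (3) no 2 consecutive characters taken from the user name (assumed
          case-insensitive, as the asker's own check treats it).
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than 3 of upper/lower/digit/symbol")
    hits = sorted(b for b in username_bigrams(username) if b in password.lower())
    if hits:
        problems.append("contains user-name fragment(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # The asker's own example: passes all three stated rules.
    print(check_complexity("MYpassword$123", "john.doe"))   # []
    # The "pass" reset that ADU&C accepted would fail rules 1 and 2.
    print(check_complexity("pass", "john.doe"))
```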
ASKER
@ jakob_di
No, AD isn't set to remember previous passwords yet. That is the next step.
@ DrUltima
We've already done a GPUpdate /Force several times, as well as reboots, etc. As far as it taking effect at next password change... that is what is failing. It is already applied and therefore won't let us change the password (nothing appears to be complex enough for it!!)
@ DCMBS
Domain level eh? That would kill our hopes of "testing" this first.... But if it is at Domain level, then why did it let us do it at the OU level? It is already effective for the IT group, but apparently not for others?
Here's what we did: From console of the AD server > ADU&C > Domain.com > CorporateHQ > IT rt click properties / Group Policy / Open (Group policy Management Console opens) IT > IT policies > rt click edit > (opens the GPO editor) Computer Config > Windows Settings > Security Settings > Account Policies > Password Policy.
In here we changed the settings to:
Enforce password History not def
Max password age 90
Min password age 0
Min Password length 7
Password must be complex Enabled
ASKER
Screen Shot
GPO-Shot.jpg
This could be your problem. The GP editor does allow you to edit the password policy on an OU but Password policy should be set in the default Domain Policy. Password policies set elsewhere are not applied as expected. Try setting your policy in the default domain policy.
http://support.microsoft.com/kb/269236
ASKER
I removed the password settings from the IT policy and put into Domain policy. It still does not work. It will not accept complex passwords as Complex enough.
ASKER
PS - The MS link that you sent me does not match what I see on my screen. The instructions say:
To resolve this issue, disable the Block Policy Inheritance option on the Domain Controllers organizational unit:
1. Start the Active Directory Users and Computers snap-in.
2. Right-click the Domain Controllers organizational unit, click Properties, and then click to clear the Block Policy Inheritance check box.
3. On the domain controllers, run the following command:
secedit /refreshpolicy machine_policy /enforce
But when I start the Active Directory Users and Computers snap-in and right-click the Domain Controllers organizational unit, and click Properties, there is no checkbox labelled "Block Policy Inheritance" on any of the tabs.
ScreenShot025.jpg
ASKER
Furthermore, the syntax "secedit /refreshpolicy machine_policy /enforce" is not valid.
ScreenShot026.jpg
ASKER
Ok, I can change it at the DC. It is correctly requiring only complex passwords per the policy, and the example password is complex enough. But on my PC it will not take it. Weird.
When I do a Gpresult, it shows the domain policy is applied??
Try using RSOP to see exactly which policies are applied on your PC and where they come from.
ASKER
I can ping the AD server by both IP address and by name (domain.com). When I run GpUpdate /force it says it is refreshed, and when I run gpresult, it shows as being applied. But when I run Rsop.msc I get red Xs on everything.
ASKER
rsop screenshot
ScreenShot027.jpg
ASKER
gpresult screenshot
ScreenShot029.jpg
How is your DNS configured? Does your server have the DNS role installed and point only to itself for DNS, and are workstations configured to point to the DC for DNS, and only the DC?
ASKER
DNS is on the DC. Workstations are configured for primary DNS at that server, and then secondary DNS at an external DNS server (OpenDNS).
Don't do that. AD will misbehave.
Your only DNS should be internal. Your DC should point to itself only (unless you have a secondary DNS server, and you can make that secondary). In DNS, you point all non-domain requests to your external server.
Justin
Remove the external DNS server reference. Workstations should only ever be configured to use internal DNS servers, as external DNS servers do not have the domain data that is needed by a workstation to properly participate on a domain. Same goes for servers. If you do not have a secondary internal DNS server then do not configure any secondary DNS references.
ASKER
Actually, I just took the PC off the domain & re-added it back. That solved the problem. Now my RSOP.MSC shows everything is OK.
SIDE NOTE - If you are going to take your PC off the domain, BE SURE THAT YOU EITHER RESET OR KNOW THE LOCAL ADMIN ACCOUNT PASSWORD FIRST. (That was a pain!)
Thanks everyone!
ASKER
Thanks!
Magic, well done
I have the exact issue;
Password complexity is set on the default domain policy and when I run GpUpdate /force it says it is refreshed, and when I run gpresult on the client machines, it shows as being applied, but I can still change the password to anything I desire, regardless of it being through AD or Ctrl+Alt+Del on the machine.
I have also tried going down the route of taking machines off the domain and adding them back on again - I have over 200 machines, but in any case it didn't work...
Any help?
Thanks.
apcoexch,
You need to open your own Question so that the Experts can address your needs.
Justin
Apologies, please remove my comment.
Thanks.
This doesn't look right either. Password Policy is enforced regardless of where the change is made. Check the machine you are testing with is a member of the domain and is not using a local policy to manage passwords.