okacs

asked on

Active Directory Password Complexity Issues

We have a small LAN with only 1 AD server on Windows 2003.  We will soon need to roll out a security change to the office to require "complex" passwords.  As a test,  we enabled Complex passwords in AD for just the OU that the IT department logins objects are in.  Our passwords were always complex, but this requirement was never turned on in AD.


When I try to change my password (through Windows XP Ctrl-Alt-Del) it tells me that the password is not complex enough.

I can reset the password using Active Directory Users and Computers (which bypasses requirements - ie: I can change the password to "pass").  The problem is when trying to change the password through Windows XP Ctrl-Alt-Del.

It says that the requirements are:
(1) 7 char long
(2) Must contain at least 3 of the following: Upper, Lower, Number, Symbol.
(3) Must not contain any 2 consecutive char from your user name.

I've double checked the password and it is 13 char long, contains both Capital and lowercase letters, has 2 numbers and 1 special char.  And I made sure that no 2 consecutive characters from my user name are used in the password.

Example:
                 john.doe
                 MYpassword$123         (there is no "JO" or "OH" or "HN" or "N". or ".D" or "DO" or "OE" in the password)

Any ideas what could be wrong?  Does the user-name for these purposes also include the "@domain.com" or "domain\" ?  Even so, the passwords that I'm trying are still not using those char combos...

Could there be something wrong with the AD server?
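The rule the dialog paraphrases is the Windows "Password must meet complexity requirements" setting. The validator below is an added example, not code from the thread or from Microsoft; it implements the rule as Microsoft documents it (at least three of five character categories, no whole samAccountName, no displayName token of three or more characters), with the minimum length defaulting to the 7 the asker's GPO sets. The display name "John Doe" is constructed for the check; the thread only gives the account name john.doe.

```python
import re

# Delimiters Microsoft lists for splitting the displayName into tokens.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def complexity_failures(password, sam_account_name, display_name="", min_length=7):
    """Return the reasons a password fails the Windows complexity policy.

    An empty list means the password would be accepted. min_length defaults
    to 7 (the asker's GPO value); the built-in rule itself requires six.
    """
    failures = []
    pw_lower = password.lower()

    # 1. Minimum length.
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)

    # 2. Must not contain the whole samAccountName (case-insensitive).
    if sam_account_name and sam_account_name.lower() in pw_lower:
        failures.append("contains the account name %r" % sam_account_name)

    # 3. Must not contain any displayName token of three or more characters.
    for token in _NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in pw_lower:
            failures.append("contains full-name part %r" % token)

    # 4. At least three of the five character categories.
    categories = set()
    for ch in password:
        if ch.isupper():
            categories.add("upper")
        elif ch.islower():
            categories.add("lower")
        elif "0" <= ch <= "9":
            categories.add("digit")
        elif ch.isalpha():
            categories.add("other-alpha")  # caseless scripts count as a category
        else:
            categories.add("symbol")
    if len(categories) < 3:
        failures.append("only %d of 5 character categories" % len(categories))

    return failures


def is_complex(password, sam_account_name, display_name="", min_length=7):
    """True when the password satisfies every complexity check."""
    return not complexity_failures(password, sam_account_name, display_name, min_length)


if __name__ == "__main__":
    # The asker's example user (john.doe); "John Doe" is a constructed display name.
    for pw in ("MYpassword$123", "pass", "Johndoe1!"):
        print(pw, complexity_failures(pw, "john.doe", "John Doe"))
```

The asker's example password passes every check, which is consistent with the thread's eventual finding that the rejection came from the client's policy application rather than from the policy itself.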
'I can reset the password using Active Directory Users and Computers (which bypasses requirements - ie: I can change the password to "pass").  The problem is when trying to change the password through Windows XP Ctrl-Alt-Del.'

This doesn't look right either.  Password Policy is enforced regardless of where the change is made.  Check the machine you are testing with is a member of the domain and is not using a local policy to manage passwords.
okacs

ASKER

@ jakob_di

No, AD isn't set to remember previous passwords yet.  That is the next step.

@ DrUltima

We've already done a GPUpdate / Force several times, as well as reboots, etc. As far as it taking effect at next password change... that is what is failing.  It is already applied and therefore won't let us change the password (nothing appears to be complex enough for it!!)


@ DCMBS

Domain level eh?  That would kill our hopes of "testing" this first....  But if it is at Domain level, then why did it let us do it at the OU level?  It is already effective for the IT group, but apparently not for others?    

Here's what we did:  From console of the AD server > ADU&C > Domain.com > CorporateHQ > IT  rt click properties / Group Policy / Open  (Group policy Management Console opens) IT > IT policies > rt click edit > (opens the GPO editor) Computer Config > Windows Settings > Security Settings > Account Policies > Password Policy.

In here we changed the settings to:
      Enforce password History      not def
      Max password age                 90
      Min password age                  0
      Min Password length              7
      Password must be complex     Enabled

okacs

ASKER

Screen Shot
GPO-Shot.jpg
This could be your problem.  The GP editor does allow you to edit the password policy on an OU but Password policy should be set in the default Domain Policy.  Password policies set elsewhere are not applied as expected.  Try setting your policy in the default domain policy.

http://support.microsoft.com/kb/269236
okacs

ASKER

I removed the password settings from the IT policy and put into Domain policy.  It still does not work.  It will not accept complex passwords as Complex enough.
okacs

ASKER

PS - The MS Link that you sent me does not follow what I see on my screen.  The instructions say:

To resolve this issue, disable the Block Policy Inheritance option on the Domain Controllers organizational unit:

   1. Start the Active Directory Users and Computers snap-in.
   2. Right-click the Domain Controllers organizational unit, click Properties, and then click to clear the Block Policy Inheritance check box.
   3. On the domain controllers, run the following command:
      secedit /refreshpolicy machine_policy /enforce

But when I start the Active Directory Users and Computers snap-in and right-click the Domain Controllers organizational unit, and click Properties, there is no checkbox labelled "Block Policy Inheritance" on any of the tabs.

ScreenShot025.jpg
okacs

ASKER

Furthermore, the syntax "secedit /refreshpolicy machine_policy /enforce" is not valid.

ScreenShot026.jpg
okacs

ASKER

Ok, I can change it at the DC.  It is correctly requiring only complex passwords per the policy, and the example password is complex enough.  But on my PC it will not take it.  Weird.

When I do a Gpresult, it shows the domain policy is applied??
Try using RSOP to see exactly which policies are applied on your PC and where they come from.
okacs

ASKER


I can ping the AD server by both IP address and by name (domain.com).  When I run GpUpdate /force it says it is refreshed, and when I run gpresult, it shows as being applied.  But when I run Rsop.msc I get red Xs on everything.
okacs

ASKER

rsop screenshot
ScreenShot027.jpg
okacs

ASKER

gpresult screenshot
ScreenShot029.jpg
How is your DNS configured?  Does your server have the DNS role installed and point only to itself for DNS, and are workstations configured to point to the DC for DNS, and only the DC?
okacs

ASKER

DNS is on the DC.  Workstations are configured for primary DNS at that server, and then secondary DNS at an external DNS server (OpenDNS).

Don't do that.  AD will misbehave.

Your only DNS should be internal.  Your DC should point to itself only (unless you have a secondary DNS server, and you can make that secondary).  In DNS, you point all non-domain requests to your external server.

Justin
Remove the external DNS server reference.  Workstations should only ever be configured to use internal DNS servers, as external DNS servers do not have the domain data that is needed by a workstation to properly participate on a domain.  Same goes for servers.  If you do not have a secondary internal DNS server then do not configure any secondary DNS references.
okacs

ASKER

Actually, I just took the PC off the domain & re-added it back.  That solved the problem.  Now my RSOP.MSC shows everything is OK.


SIDE NOTE - If you are going to take your PC off the domain, BE SURE THAT YOU EITHER RESET OR KNOW THE LOCAL ADMIN ACCOUNT PASSWORD FIRST.  (That was a pain!)

Thanks everyone!
okacs

ASKER

Thanks!
Magic, well done
I have the exact issue;

Password complexity is set on the default domain policy and when I run GpUpdate /force it says it is refreshed, and when I run gpresult on the client machines, it shows as being applied, but I can still change the password to anything I desire, regardless of it being through AD or ctrl+alt+del on the machine.

I have also tried going down the route of taking machines off the domain and adding them back on again - I have over 200 machines, but in any case it didn't work...

Any help?

Thanks.
apcoexch,
You need to open your own Question so that the Experts can address your needs.
Justin
Apologies, please remove my comment.

Thanks.