Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Password history and length: Group Policy

Posted on 2010-08-24
4
Medium Priority
?
749 Views
Last Modified: 2012-05-10
I have set the following policy...
Computer configuration > Windows Settings > Security Settings > Account Policies/Password Policy
Enforce password history = 8
Maximum password age = 45
Minimum password age = 30
Minimum password length = 8

However, I have just tried to change a password on a user account to what was the old password, it allowed me to do so. I also tried changing the user's password to less than 8 characters, this also succeeded.

I've ran rsop under the users account and the group policy settings appear to be in place.

We are running a 2003 forest. The client machine I attempted this on was a Windows 7 machine, the user account has domain administrator access (it's actually my own personal account)

Why have these restrictions not taken affect?
0
Comment
Question by:cbsbutler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
SGrossmann earned 1000 total points
ID: 33509092
did you set this policy to the domain?If not those settings are ignored.By default password settings are set within the default domain policy
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 1000 total points
ID: 33509096
Probably because the policy you're testing this with is not linked to the domain root, or there's another GPO linked to the domain root with a higher priority in which password policy settings are defined, or because inheritance to the OU DOmain Controllers is disabled.
In a W2k3 AD domain, you can only have *one* password policy, it *has* to be linked to the *domain* *root*, and it *has* to be applied to the DCs.
Fine-grained password policies are only possible in a W2k8 AD, or with 3rd-party tools like from http://www.anixis.com/ or http://www.specopssoft.com/
Password policies applied to an OU will only influence *local* accounts on the computers in this OU.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509133
enable additionally password complexity in the same node. Then check if you modified those settings in Default Domain Policy. Windows 2003 doesn't allow having more that 1 password policy for domain. Each additional policy will be rejected. The only one taking effect is set at domain level (Default Domain Policy)
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509141
Of course my second part of answer is described by oBdA (sorry I didn't see it before) and he's right.

@cbsbutler: Ignore my post please
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question