Solved

Password history and length: Group Policy

Posted on 2010-08-24
4
746 Views
Last Modified: 2012-05-10
I have set the following policy...
Computer configuration > Windows Settings > Security Settings > Account Policies/Password Policy
Enforce password history = 8
Maximum password age = 45
Minimum password age = 30
Minimum password length = 8

However, I have just tried to change a password on a user account to what was the old password, it allowed me to do so. I also tried changing the user's password to less than 8 characters, this also succeeded.

I've ran rsop under the users account and the group policy settings appear to be in place.

We are running a 2003 forest. The client machine I attempted this on was a Windows 7 machine, the user account has domain administrator access (it's actually my own personal account)

Why have these restrictions not taken affect?
0
Comment
Question by:cbsbutler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 8

Accepted Solution

by:
SGrossmann earned 250 total points
ID: 33509092
did you set this policy to the domain?If not those settings are ignored.By default password settings are set within the default domain policy
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 250 total points
ID: 33509096
Probably because the policy you're testing this with is not linked to the domain root, or there's another GPO linked to the domain root with a higher priority in which password policy settings are defined, or because inheritance to the OU DOmain Controllers is disabled.
In a W2k3 AD domain, you can only have *one* password policy, it *has* to be linked to the *domain* *root*, and it *has* to be applied to the DCs.
Fine-grained password policies are only possible in a W2k8 AD, or with 3rd-party tools like from http://www.anixis.com/ or http://www.specopssoft.com/
Password policies applied to an OU will only influence *local* accounts on the computers in this OU.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509133
enable additionally password complexity in the same node. Then check if you modified those settings in Default Domain Policy. Windows 2003 doesn't allow having more that 1 password policy for domain. Each additional policy will be rejected. The only one taking effect is set at domain level (Default Domain Policy)
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509141
Of course my second part of answer is described by oBdA (sorry I didn't see it before) and he's right.

@cbsbutler: Ignore my post please
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question