  • Status: Solved
  • Priority: Medium
  • Security: Public

Windows 2008 Fine Grain Password Policy not working

I followed the Microsoft TechNet article on how to create a Fine Grain Password policy and assigned it to a global group. When I log in with one of the users who are a member of this group and change the password, their account is not processing the new fine grain policy but the default domain policy??

Please help
0
compdigit44
Asked:
 
Mike Kline Commented:
When you used the step by step guide

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

If you go to step 4 to view the resultant PSO does it show the password

Is your domain functional level set to 2008?

On another note, Specops makes a decent GUI tool you can also test in the lab
http://www.specopssoft.com/web/specops-password-policy-basic-documentation.aspx

Thanks
Mike
0
 
Justin Owens (ITIL Problem Manager) Commented:
It is probably linked to a GPO priority issue.

http://www.markwilson.co.uk/blog/2004/09/priority-order-for-application-of-gpos.htm
http://technet.microsoft.com/en-us/library/cc784268%28WS.10%29.aspx#w2k3tr_gp_how_rbme

Also, remember that anything which is enforced takes priority over anything linked or enabled.

Justin

0
 
compdigit44 (Author) Commented:
I have tried all items suggested and my default domain policy password policy is still being applied to my test group instead of my fine-grain pwd policy. I have even set the password precedence order to 1 and no go.
0
 
compdigit44 (Author) Commented:
Would it be better for me to zero out all of my password settings in my default domain policy, then create two separate fine grain pwd?

0
 
Justin Owens (ITIL Problem Manager) Commented:
Your default domain policy is going to normally take precedence over anything else.  Honestly, it is a bad idea to modify it at all.  It is better to create new policies which can be more precisely applied.
0
 
compdigit44 (Author) Commented:
How can I get my default domain and fine grain pwd to work together? So should I create two fine grain policies?
0
 
Mike Kline Commented:
Sounds like you are doing everything right and if you look at the comments on this DS blog it is what you are doing

http://blogs.technet.com/b/askds/archive/2009/05/19/understanding-password-policies.aspx

I had it setup in a lab at work but that lab is down and I won't have time to test it again this week.

Look through Florian's good two part series...just to double check your work

http://www.frickelsoft.net/blog/?p=54
http://www.frickelsoft.net/blog/?p=57

Thanks

Mike
0
 
compdigit44 (Author) Commented:
Thanks for the links..

For my own knowledge, with 2008 is it better to set the password policy via default domain group policy or fine grain password policies?
0
 
compdigit44 (Author) Commented:
No luck, my users who should be processing the PSO are processing the default domain policy pwd policy..

I have checked my PSO multiple times and everything is correct???
I have tried placing the global group which my members are a part of in an OU, Users container etc.. no luck
0
 
Justin Owens (ITIL Problem Manager) Commented:
Can you run RSoP on one of your users who should be getting the policies but isn't and post that here?
0
 
compdigit44 (Author) Commented:
When I run the RSoP from the client test workstation it is showing all of the PWD settings for the default domain policy..
Since the account pwd????

I even tried to log onto the server with the user account and tried to reset the pwd to match those of the PSO and no luck...

What is going on???
0
 
Justin Owens (ITIL Problem Manager) Commented:
OK... Go to your GPO manager and go to the tab which shows what policies are in place for your user's OU.  Remember, this is a user policy, so it doesn't matter what OU the computer is in.  Take a screen shot and post it (clean it if you need to).  Let us know what policy has your new PW policy and where it falls in that list.

Justin
0
 
compdigit44 (Author) Commented:
There are no GPs attached to my users' OU. The default domain policy is the only GP. I have even removed this default domain policy from the domain as a test and my test user is still processing the default domain policy somehow...

I also noticed that when I do a gpresult /v it doesn't show my test user as a member of my test global group which is associated with my PSO. This is very weird.
0
 
Justin Owens (ITIL Problem Manager) Commented:
In your GPMC (Group Policy Management Console), highlight your user's OU. Look at the tab "Group Policy Inheritance". You should see all GPOs there which would affect the OU. That is the screen shot I would like to see.
0
 
compdigit44 (Author) Commented:
No GPs are being inherited on the User OU in which my users are located.
0
 
Justin Owens (ITIL Problem Manager) Commented:
That is why your policy is not being applied.  Is your fine grain password policy properly linked and enforced?
0
 
compdigit44 (Author) Commented:
I have checked and my PSO is set to apply to my test group yet when I run RSOP it does show my PSO and processing ..

What else can I check? This is driving me crazy..
0
 
Justin Owens (ITIL Problem Manager) Commented:
That is why I am asking for screen shots.  It would be easier to answer if we could "see" what you are seeing.
0
 
compdigit44 (Author) Commented:
For security reasons I cannot take snapshots..
My domain function level is 2008 R2. Also I tried to assign the PSO directly to a user account and no go.
0
 
Justin Owens (ITIL Problem Manager) Commented:
OK... Do this for me, then.  Create a new OU.  Link your password GPO to that OU.  Enforce it.  Create a test user.  Put that user in your new OU.  Log that user in.  Try to change the password and post the results.
0
 
compdigit44 (Author) Commented:
The only GP I have is the default domain policy and my only password policy configured is my PSO???

0
 
Justin Owens (ITIL Problem Manager) Commented:
Sorry... I missed you were using PSO rather than GPO.  That would be why you don't see it. :)  Let's try this instead:

Create a new Security Group in AD and put a test user in it.  Link your fine grain PSO to that group and make sure it has a Precedence of 1.  Have your test user log in and try to change the password.  Post results.
0
 
compdigit44 (Author) Commented:
Should I create the new group within an OU or Users container?
0
 
Justin Owens (ITIL Problem Manager) Commented:
It shouldn't matter.
0
 
compdigit44 (Author) Commented:
I created a new user and assigned my PSO directly to the user. I removed my default domain policy and yet my user is still processing the old default domain settings??

What the heck!!!!!11
0
 
compdigit44 (Author) Commented:
Question on best practices for PSO..

I have read the new mindset for 2008 PWD policy is the following:

Create multiple PSOs for user accounts in your domain but make the default domain password policy the most restrictive, basically using it as a catch-all in case a user account slips through??? What does everyone think?
0
 
Mike Kline Commented:
Where I am we have to have standards based on govt standards so strong passwords are enforced, 8 characters etc.
We would have that at the domain level and if we wanted more restrictive for service accounts for example then we would set a stronger PSO.
I can see arguments for either method.
0
 
Justin Owens (ITIL Problem Manager) Commented:
I would not be the right person to ask about that for two reasons: 1) I don't believe in modifying the default domain policy at all and 2) I prefer to use gpo over pso.  Sorry.
0
 
compdigit44 (Author) Commented:
With the default domain policy, pwd settings are set at the Computer Config. Does this mean the password PWD is being applied to the computer account? If so, should I remove the default authenticated users from the default domain policy and replace it with domain users?
0
 
Tony Massa Commented:
Get PSOMGR from Joeware.net:  http://www.joeware.net/freetools/tools/psomgr/

and post the PSO objects using:  psomgr /view /pso

More examples: http://www.joeware.net/freetools/tools/psomgr/usage.htm
0
 
compdigit44 (Author) Commented:
I just found something VERY interesting....

I rebuilt my PSO from scratch yet again and applied it to my domain users group.
- I then ran a RSoP logged in as the user but ran the RSOP using "Run As" under my test admin account
- The RSOP showed the PWD settings for my default domain policy :-(
- Just for the heck of it, I decided to TRY and change my PWD from my XP test workstation and it allowed me to set a PWD that was not complex and conformed to my PSO settings!!!

This is great but why is RSOP showing the default domain settings instead of the PSO? Is there any report you can run natively to show which password settings are being applied to a user or group before they log in ..

Is there a RSOP for PSO??
0
 
compdigit44 (Author) Commented:
I keep reading conflicting information on proper values for the password age, lockout duration etc..

using ADSIEDIT

Some documents state you have to use I8 format but others say you need this for the LDAP editor only

Also, I see the PSO policy listed in the attributes for the users but not when I run the RSOP.msc for the user and computer??

Very confused
0
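The two notations the post above asks about describe the same value: the TechNet step-by-step guide enters PSO time attributes in ADSI Edit as `d:hh:mm:ss` and in ldifde import files as I8, a negative count of 100-nanosecond intervals. The following converter is an added example, not code from the thread or from Microsoft; the function names and sample durations are assumptions made for illustration.

```powershell
# Added example: convert PSO time attributes between a TimeSpan,
# the I8 integer (ldifde) and the d:hh:mm:ss string (ADSI Edit).

function ConvertTo-PsoI8 {
    param([Parameter(Mandatory=$true)][TimeSpan]$Duration)
    if ($Duration -lt [TimeSpan]::Zero) {
        throw 'Pass a positive duration; the negative sign is applied here.'
    }
    # One .NET tick is 100 ns, the same unit I8 uses; the stored value is negative.
    return [int64](-($Duration.Ticks))
}

function ConvertFrom-PsoI8 {
    param([Parameter(Mandatory=$true)][int64]$Value)
    # The minimum 64-bit value is the marker for "never".
    if ($Value -eq [int64]::MinValue) { return '(never)' }
    if ($Value -gt 0) { throw "I8 durations are zero or negative, got $Value" }
    $ts = [TimeSpan]::FromTicks(-$Value)
    return '{0}:{1:00}:{2:00}:{3:00}' -f $ts.Days, $ts.Hours, $ts.Minutes, $ts.Seconds
}

# Constructed sample settings, not taken from the asker's PSO.
$sample = @(
    @{ Attr = 'msDS-MinimumPasswordAge';       Span = [TimeSpan]::FromDays(1) },
    @{ Attr = 'msDS-MaximumPasswordAge';       Span = [TimeSpan]::FromDays(42) },
    @{ Attr = 'msDS-LockoutObservationWindow'; Span = [TimeSpan]::FromMinutes(30) },
    @{ Attr = 'msDS-LockoutDuration';          Span = [TimeSpan]::FromMinutes(30) }
)

foreach ($s in $sample) {
    $i8 = ConvertTo-PsoI8 -Duration $s.Span
    # Columns: attribute, value for ldifde, value for ADSI Edit
    '{0,-32} {1,16} {2}' -f $s.Attr, $i8, (ConvertFrom-PsoI8 -Value $i8)
}
```

For 42 days this prints `-36288000000000` and `42:00:00:00`.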
 
Mike Kline Commented:
adsiedit or use ldifde and import it

http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

I'm going to try and fire up a new lab this weekend to test again.  I have a lab at work I can use now but don't like doing that for stuff like this.

Thanks

Mike
0
 
compdigit44 (Author) Commented:
????
I have followed this article step-by-step and no luck

I see my PSO listed on the attributes for the user but when I run the RSOP MMC on the client PC when the user logs in I see the Default domain policy applied

yet I can change the PWD to that of the PSO ..

This is very messed up

Please help, I need to have this in place by the end of this week
0
 
compdigit44 (Author) Commented:
mkline71 - - -I was wondering if you have any thoughts on this

Please help ANYONE !!!!!!!
0
 
compdigit44 (Author) Commented:
I see what I was doing wrong...

My fine grain PWD was working but the reason why I wasn't seeing the PSO settings in the RSOP MMC is because the RSOP only shows GP settings...

hahaha After all this.. Well at least I know now
0
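Since RSoP reports Group Policy settings only, the place to confirm which password policy an account really gets is the resultant PSO that the domain controller computes for it. The script below is an added example, not code from the thread; it uses the ActiveDirectory module cmdlets that ship with Windows Server 2008 R2, and the function name `Get-EffectivePasswordPolicy` and the account `testuser1` are hypothetical.

```powershell
# Added example. Needs the ActiveDirectory module
# (RSAT, or a Windows Server 2008 R2 or later domain controller).
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # The DC resolves user-linked and group-linked PSOs and their precedence;
    # the result is exposed as msDS-ResultantPSO, which RSoP never reads.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    if ($pso) {
        $source = 'PSO "{0}" (precedence {1})' -f $pso.Name, $pso.Precedence
        $policy = $pso
    } else {
        # No PSO reaches this account, so the domain-wide policy applies.
        $source = 'Default domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    New-Object PSObject -Property @{
        User              = $user.SamAccountName
        Source            = $source
        MinPasswordLength = $policy.MinPasswordLength
        ComplexityEnabled = $policy.ComplexityEnabled
        MaxPasswordAge    = $policy.MaxPasswordAge
        LockoutThreshold  = $policy.LockoutThreshold
    }
}

# Every PSO in the domain, sorted by precedence value (lower wins among
# PSOs linked the same way), with the users and global groups it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

# 'testuser1' is a hypothetical account name.
Get-EffectivePasswordPolicy -SamAccountName 'testuser1' | Format-List

# Command-line equivalent for one account:
#   dsget user "<user DN>" -effectivepso
```

Run it with an account that can read the Password Settings Container; by default only Domain Admins can read PSO objects, so a lower-privileged query may come back empty even when a PSO applies.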
