Solved

Windows 2008 Fine Grain Password Policy not working

Posted on 2010-08-24
1,416 Views
Last Modified: 2012-05-10
I followed the Microsoft TechNet article on how to create a Fine Grain Password policy and assigned it to a global group. When I log in with one of the users who is a member of this group and change the password, their account is not processing the new fine grain policy but the default domain policy??

Please help
Question by:compdigit44
39 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33514835
When you used the step by step guide

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

if you go to step 4 to view the resultant PSO, does it show the password?

Is your domain functional level set to 2008?

On another note, Specops makes a decent GUI tool you can also test in the lab:
http://www.specopssoft.com/web/specops-password-policy-basic-documentation.aspx

Thanks
Mike
LVL 31

Expert Comment

by:DrUltima
ID: 33514844
It is probably linked to a GPO priority issue.

http://www.markwilson.co.uk/blog/2004/09/priority-order-for-application-of-gpos.htm
http://technet.microsoft.com/en-us/library/cc784268%28WS.10%29.aspx#w2k3tr_gp_how_rbme

Also, remember that anything which is enforced takes priority over anything linked or enabled.

Justin
LVL 19

Author Comment

by:compdigit44
ID: 33521800
I have tried all items suggested and my default domain policy password policy is still being applied to my test group instead of my fine-grain pwd policy. I have even set the password precedence order to 1 and no go.
LVL 19

Author Comment

by:compdigit44
ID: 33524652
Would it be better for me to zero out all of my password settings in my default domain policy, then create two separate fine grain pwd policies?
LVL 31

Expert Comment

by:DrUltima
ID: 33526083
Your default domain policy is normally going to take precedence over anything else. Honestly, it is a bad idea to modify it at all. It is better to create new policies which can be more precisely applied.
LVL 19

Author Comment

by:compdigit44
ID: 33526770
How can I get my default domain and fine grain pwd policy to work together? So should I create two fine grain policies?
LVL 57

Expert Comment

by:Mike Kline
ID: 33526982
Sounds like you are doing everything right, and if you look at the comments on this DS blog it is what you are doing:

http://blogs.technet.com/b/askds/archive/2009/05/19/understanding-password-policies.aspx

I had it set up in a lab at work, but that lab is down and I won't have time to test it again this week.

Look through Florian's good two-part series... just to double check your work:

http://www.frickelsoft.net/blog/?p=54
http://www.frickelsoft.net/blog/?p=57

Thanks

Mike
LVL 19

Author Comment

by:compdigit44
ID: 33530011
Thanks for the links..

For my own knowledge, with 2008 is it better to set the password policy via the default domain group policy or fine grain password policies?
LVL 19

Author Comment

by:compdigit44
ID: 33530653
No luck; my users who should be processing the PSO are processing the default domain policy pwd policy..

I have checked my PSO multiple times and everything is correct???
I have tried placing the global group which my members are a part of in an OU, Users container etc.. no luck
LVL 31

Expert Comment

by:DrUltima
ID: 33531140
Can you run RSoP on one of your users who should be getting the policies but isn't and post that here?
LVL 19

Author Comment

by:compdigit44
ID: 33531440
When I run RSoP from the client test workstation it is showing all of the PWD settings for the default domain policy..
Since the account pwd????

I even tried to log onto the server with the user account and tried to reset the pwd to match those of the PSO, and no luck...

What is going on???
LVL 31

Expert Comment

by:DrUltima
ID: 33532919
OK... Go to your GPO manager and go to the tab which shows what policies are in place for your user's OU. Remember, this is a user policy, so it doesn't matter what OU the computer is in. Take a screen shot and post it (clean it if you need to). Let us know what policy has your new PW policy and where it falls in that list.

Justin
LVL 19

Author Comment

by:compdigit44
ID: 33533219
There are no GPs attached to my users' OU. The default domain policy is the only GP. I have even removed this default domain policy from the domain as a test and my test user is still processing the default domain policy somehow...

I also noticed that when I do a gpresult /v it doesn't show my test user as a member of my test global group which is associated with my PSO. This is very weird.
LVL 31

Expert Comment

by:DrUltima
ID: 33533327
In your GPMC (Group Policy Management Console), highlight your user's OU. Look at the tab "Group Policy Inheritance". You should see all GPOs there which would affect the OU. That is the screen shot I would like to see.
LVL 19

Author Comment

by:compdigit44
ID: 33533361
No GPs are being inherited on the User OU in which my users are located.
LVL 31

Expert Comment

by:DrUltima
ID: 33533376
That is why your policy is not being applied. Is your fine grain password policy properly linked and enforced?
LVL 19

Author Comment

by:compdigit44
ID: 33533439
I have checked, and my PSO is set to apply to my test group, yet when I run RSOP it does show my PSO and processing ..

What else can I check? This is driving me crazy..
LVL 31

Expert Comment

by:DrUltima
ID: 33533470
That is why I am asking for screen shots. It would be easier to answer if we could "see" what you are seeing.
LVL 19

Author Comment

by:compdigit44
ID: 33533555
For security reasons I cannot take snapshots..
My domain functional level is 2008 R2; also I tried to assign the PSO directly to a user account and no go.
LVL 31

Expert Comment

by:DrUltima
ID: 33533613
OK... Do this for me, then. Create a new OU. Link your password GPO to that OU. Enforce it. Create a test user. Put that user in your new OU. Log that user in. Try to change the password and post the results.
LVL 19

Author Comment

by:compdigit44
ID: 33533680
The only GP I have is the default domain policy and my only password policy configured is my PSO???
LVL 31

Expert Comment

by:DrUltima
ID: 33533922
Sorry... I missed that you were using a PSO rather than a GPO. That would be why you don't see it. :) Let's try this instead:

Create a new Security Group in AD and put a test user in it. Link your fine grain PSO to that group and make sure it has a Precedence of 1. Have your test user log in and try to change the password. Post results.
LVL 19

Author Comment

by:compdigit44
ID: 33534042
Should I create the new group within an OU or the Users container?
LVL 31

Expert Comment

by:DrUltima
ID: 33534051
It shouldn't matter.
LVL 19

Author Comment

by:compdigit44
ID: 33534152
I created a new user and assigned my PSO directly to the user. I removed my default domain policy and yet my user is still processing the old default domain settings??

What the heck!!!!!
LVL 19

Author Comment

by:compdigit44
ID: 33545425
Question on best practices for PSOs..

I have read the new mindset for 2008 PWD policy is the following:

Create multiple PSOs for user accounts in your domain but make the default domain password policy the most restrictive, basically using it as a catch-all in case a user account slips through??? What does everyone think?
LVL 57

Expert Comment

by:Mike Kline
ID: 33545470
Where I am we have to have standards based on govt standards, so strong passwords are enforced, 8 characters etc.
We would have that at the domain level, and if we wanted more restrictive for service accounts, for example, then we would set a stronger PSO.
I can see arguments for either method.
LVL 31

Expert Comment

by:DrUltima
ID: 33545503
I would not be the right person to ask about that for two reasons: 1) I don't believe in modifying the default domain policy at all and 2) I prefer to use GPO over PSO. Sorry.
LVL 19

Author Comment

by:compdigit44
ID: 33545570
With the default domain policy, pwd settings are set at the Computer Config. Does this mean the password PWD is being applied to the computer account? If so, should I remove the default Authenticated Users from the default domain policy and replace it with Domain Users?
LVL 17

Expert Comment

by:Tony Massa
ID: 33566891
Get PSOMGR from Joeware.net: http://www.joeware.net/freetools/tools/psomgr/

and post the PSO objects using: psomgr /view /pso

More examples: http://www.joeware.net/freetools/tools/psomgr/usage.htm
LVL 19

Author Comment

by:compdigit44
ID: 33567326
I just found something VERY interesting....

I rebuilt my PSO from scratch yet again and applied it to my Domain Users group.
- I then ran RSoP logged in as the user, but ran the RSOP using "Run As" under my test admin account
- The RSOP showed the PWD settings for my default domain policy :-(
- Just for the heck of it, I decided to TRY and change my PWD from my XP test workstation, and it allowed me to set a PWD that was not complex and conformed to my PSO settings!!!

This is great, but why is RSOP showing the default domain settings instead of the PSO? Is there any report natively you can run to show which password settings are being applied to a user or group before they log in ..

Is there an RSOP for PSO??
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 250 total points
ID: 33567434
LVL 19

Author Comment

by:compdigit44
ID: 33577767
I keep reading conflicting information on proper values for the password age, lockout duration etc..

using ADSIEDIT

Some documents state you have to use I8 format, but others say you need this for the LDAP editor only.

Also, I see the PSO policy listed in the attribute for the users but not when I run RSOP.msc for the user and computer??

Very confused
LVL 57

Expert Comment

by:Mike Kline
ID: 33577851
adsiedit, or use ldifde and import it:

http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

I'm going to try and fire up a new lab this weekend to test again. I have a lab at work I can use now but don't like doing that for stuff like this.

Thanks

Mike
LVL 19

Author Comment

by:compdigit44
ID: 33579669
????
I have followed this article step-by-step and no luck.

I see my PSO listed in the attributes for the user, but when I run the RSOP MMC on the client PC when the user logs in I see the Default Domain Policy applied,

yet I can change the PWD to that of the PSO ..

This is very messed up.

Please help, I need to have this in place by the end of this week.
LVL 19

Author Comment

by:compdigit44
ID: 33599524
mkline71 - I was wondering if you have any thoughts on this.

Please help ANYONE !!!!!!!
LVL 19

Author Comment

by:compdigit44
ID: 33647490
I see what I was doing wrong...

My fine grain PWD policy was working, but the reason why I wasn't seeing the PSO settings in the RSOP MMC is because RSOP only shows GP settings...

hahaha After all this.. Well at least I know now.
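The check this thread ends on, as an added PowerShell example that is not from any poster: RSoP reports only Group Policy, so the way to confirm which password settings actually govern an account is to read its resultant PSO (the constructed attribute msDS-ResultantPSO, or Get-ADUserResultantPasswordPolicy), and the same script shows the I8 conversion asked about earlier for ADSI Edit / ldifde. It assumes the ActiveDirectory module from RSAT on Windows Server 2008 R2 and a placeholder user "testuser".

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT,
# Windows Server 2008 R2) and a domain user named "testuser" (placeholder).
Import-Module ActiveDirectory

# PSO age/lockout attributes (msDS-MaximumPasswordAge, msDS-LockoutDuration, ...)
# are stored in I8 form: a NEGATIVE count of 100-nanosecond intervals. The AD
# cmdlets accept a TimeSpan, but ADSI Edit and ldifde need the raw integer.
function ConvertTo-I8Duration {
    param([Parameter(Mandatory)][timespan]$Duration)
    return -1 * $Duration.Ticks
}

# Report the password policy that really applies to a user. A PSO is not a GPO,
# so RSoP / gpresult never list it; the DC exposes the winner (highest
# precedence, direct user link beating group links) in msDS-ResultantPSO.
function Show-ResultantPso {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties msDS-ResultantPSO
    if ($user.'msDS-ResultantPSO') {
        Write-Host "Resultant PSO for $SamAccountName : $($user.'msDS-ResultantPSO')"
        # Full settings of the winning PSO, with precedence already resolved by the DC
        Get-ADUserResultantPasswordPolicy -Identity $SamAccountName |
            Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                          MaxPasswordAge, LockoutThreshold, LockoutDuration
    } else {
        Write-Host "No PSO applies to $SamAccountName; the domain default is in effect:"
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                          LockoutThreshold, LockoutDuration
    }
}

# I8 values for a 42-day maximum password age and a 30-minute lockout duration,
# ready to paste into ADSI Edit or an ldifde import file
ConvertTo-I8Duration -Duration (New-TimeSpan -Days 42)
ConvertTo-I8Duration -Duration (New-TimeSpan -Minutes 30)

Show-ResultantPso -SamAccountName 'testuser'
```

Run it as a user with read access to the PSO container (by default only Domain Admins can read Password Settings Container objects), otherwise the resultant PSO comes back empty even when one applies.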