Solved

Default domain policy unlinked accidentally -- damage control

Posted on 2010-09-01
Last Modified: 2013-11-25
Hello Experts,

One of the system admins in the enterprise unlinked the default domain policy that controls how many passwords are remembered, password complexity, etc. It was turned off for almost 30 days and was just turned back on yesterday.

I was asked to perform damage control and let the enterprise manager know what impact this will have on the environment.  Will the AD "forget" previous passwords?

Please see the settings of the GPO and let me know your thoughts. I just copied and pasted the output, so it's a bit difficult to read; sorry, and thanks!
Group Policy Management
Default Domain Policy
Data collected on: 9/1/2010 9:25:58 AM

Created 1/26/2006 8:49:12 AM
Modified 8/31/2010 5:36:20 PM
User Revisions 35 (AD), 35 (sysvol)
Computer Revisions 104 (AD), 104 (sysvol)
Unique ID
GPO Status Enabled

Location Enforced Link Status Path

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO:
Name | Allowed Permissions | Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
XXX\Domain Admins Edit settings, delete, modify security No
XXX\Enterprise Admins Edit settings, delete, modify security No

Computer Configuration (Enabled)
Windows Settings
Security Settings
Account Policies/Password Policy
Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 180 days
Minimum password age 0 days
Minimum password length 10 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled

Account Policies/Account Lockout Policy
Policy Setting
Account lockout duration 30 minutes
Account lockout threshold 5 invalid logon attempts
Reset account lockout counter after 30 minutes

Account Policies/Kerberos Policy
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes

Local Policies/Security Options
Network Security
Policy Setting
Network security: Force logoff when logon hours expire Disabled

Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Enabled
Update certificates that use certificate templates Enabled
 

Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled

Certificates
Issued To | Issued By | Expiration Date | Intended Purposes

For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

Administrative Templates
Windows Components/Windows Update
Policy Setting
Configure Automatic Updates Enabled
Configure automatic updating: 3 - Auto download and notify for install
The following settings are only required and applicable if 4 is selected.
Scheduled install day:  0 - Every day
Scheduled install time: 03:00
 
Policy Setting
Specify intranet Microsoft update service location Enabled
Set the intranet update service for detecting updates: http://updateserver.xxx.edu
Set the intranet statistics server: http://updateserver.xxx.edu
(example: http://IntranetUpd01)
 

User Configuration (Enabled)
Windows Settings
Remote Installation Services
Client Installation Wizard options
Policy Setting
Custom Setup Disabled
Restart Setup Disabled
Tools Disabled

Security Settings
Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Enabled
Update certificates that use certificate templates Enabled
 

Internet Explorer Maintenance
Security/Security Zones and Content Ratings
Security Zones and Privacy (Enhanced Security Configuration Enabled)
These settings will only apply to users when they log on to computers that have the Internet Explorer Enhanced Security Configuration enabled.

Internet (Security Level: Custom)
.NET Framework-reliant components
Run components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-ins
Download signed ActiveX controls Disable
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Disable
Script ActiveX controls marked safe for scripting Disable
Downloads
File download Disable
Font download Prompt
Microsoft VM
Java permissions Disable Java
Miscellaneous
Access data sources across domains Disable
Allow META REFRESH Disable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Prompt
Installation of desktop items Disable
Launching applications and unsafe files Prompt
Launching programs and files in an IFRAME Disable
Navigate sub-frames across different domains Disable
Software channel permissions High safety
Submit nonencrypted form data Prompt
Userdata persistence Disable
Scripting
Active scripting Disable
Allow paste operations via script Disable
Scripting of Java applets Disable
User Authentication
Logon Prompt for user name and password

Local intranet (Security Level: Custom)
.NET Framework-reliant components
Run components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-ins
Download signed ActiveX controls Prompt
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Enable
Script ActiveX controls marked safe for scripting Enable
Downloads
File download Enable
Font download Enable
Microsoft VM
Java permissions Medium safety
Miscellaneous
Access data sources across domains Prompt
Allow META REFRESH Enable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Enable
Drag and drop or copy and paste files Enable
Installation of desktop items Prompt
Launching applications and unsafe files Enable
Launching programs and files in an IFRAME Prompt
Navigate sub-frames across different domains Enable
Software channel permissions Medium safety
Submit nonencrypted form data Enable
Userdata persistence Enable
Scripting
Active scripting Enable
Allow paste operations via script Enable
Scripting of Java applets Enable
User Authentication
Logon Automatic logon only in Intranet zone
Sites
Require server verification (https:) for all sites in this zone Disabled
Include all local (intranet) sites not listed in other zones Disabled
Include all sites that bypass the proxy server Disabled
Include all network paths (UNCs) Disabled
Sites in this zone
hcp:////system/
http://localhost/
https://localhost/

Trusted sites (Security Level: Custom)
.NET Framework-reliant components
Run components not signed with Authenticode Enable
Run components signed with Authenticode Enable
ActiveX controls and plug-ins
Download signed ActiveX controls Prompt
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Enable
Script ActiveX controls marked safe for scripting Enable
Downloads
File download Enable
Font download Enable
Microsoft VM
Java permissions High safety
Miscellaneous
Access data sources across domains Disable
Allow META REFRESH Enable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Enable
Installation of desktop items Prompt
Launching applications and unsafe files Prompt
Launching programs and files in an IFRAME Prompt
Navigate sub-frames across different domains Enable
Software channel permissions Medium safety
Submit nonencrypted form data Enable
Userdata persistence Enable
Scripting
Active scripting Enable
Allow paste operations via script Enable
Scripting of Java applets Enable
User Authentication
Logon Automatic logon only in Intranet zone
Sites
Require server verification (https:) for all sites in this zone Disabled
Sites in this zone
about://*.security_mmc.exe/
http://*.update.microsoft.com/
http://*.windowsupdate.com/
http://*.windowsupdate.microsoft.com/
http://go.microsoft.com/
http://msdn.microsoft.com/
http://oca.microsoft.com/
http://support.microsoft.com/
http://technet.microsoft.com/
http://windowsupdate.microsoft.com/
http://www.microsoft.com/
https://*.update.microsoft.com/
https://*.windowsupdate.microsoft.com/
https://oca.microsoft.com/
https://windowsupdate.microsoft.com/

Restricted sites (Security Level: Custom)
.NET Framework-reliant components
Run components not signed with Authenticode Disable
Run components signed with Authenticode Disable
ActiveX controls and plug-ins
Download signed ActiveX controls Disable
Download unsigned ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Disable
Run ActiveX controls and plug-ins Disable
Script ActiveX controls marked safe for scripting Disable
Downloads
File download Disable
Font download Prompt
Microsoft VM
Java permissions Disable Java
Miscellaneous
Access data sources across domains Disable
Allow META REFRESH Disable
Display mixed content Prompt
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable
Drag and drop or copy and paste files Prompt
Installation of desktop items Disable
Launching applications and unsafe files Disable
Launching programs and files in an IFRAME Disable
Navigate sub-frames across different domains Disable
Software channel permissions High safety
Submit nonencrypted form data Prompt
Userdata persistence Disable
Scripting
Active scripting Disable
Allow paste operations via script Disable
Scripting of Java applets Disable
User Authentication
Logon Prompt for user name and password
Sites
Sites in this zone
None

Privacy
Privacy Level Medium
Web Sites
Always allow None
Always block None
 

Question by: taki1gostek
 
LVL 5

Expert Comment

by:talkinsmak
ID: 33577809
It will start over, so yes, it will forget previous passwords.  One way around this is to change the complexity requirement to be more complex or require 1 additional character.  Then the old passwords won't work.
 
John
 
LVL 2

Author Comment

by:taki1gostek
ID: 33577954
So what you're saying is that if a couple of users reset their passwords, or created new ones, while the complexity wasn't in effect, then when they attempt to log in now that the policy is linked, they will be asked to change their password to match the requirements?

Also -- we have deployed two-factor authentication using Aladdin eToken. It worked prior to the default policy being unlinked and continued to work while the policy was unlinked, but since it was relinked yesterday, logging in with the USB eToken key no longer works.
 
LVL 5

Accepted Solution

by:
talkinsmak earned 500 total points
ID: 33578444
Not sure about the token.  We are just starting with RSA key fobs at our location.  As for the requirement to change the password now that it is linked, I don't think it will prompt them until it expires.
Technically they have a password already and it did meet requirements when they set it.
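The accepted answer's point is that accounts whose password was set during the gap are not re-checked until that password expires. The damage-control step that follows from it is to enumerate exactly those accounts and force them through the current policy. The script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to read and modify user objects, and the two window dates are placeholders to be replaced with the real unlink/relink dates.

```powershell
# Added example (not from the original thread): find accounts whose password was
# last set while the Default Domain Policy was unlinked, confirm what the domain
# enforces now, and force those users through the current policy at next logon.
Import-Module ActiveDirectory

$unlinkedFrom = Get-Date '2010-08-01'   # placeholder: day the GPO was unlinked
$relinkedOn   = Get-Date '2010-08-31'   # placeholder: day it was linked again

# 1. What the domain enforces right now. These values are read from the domain
#    naming context, which is what the DCs actually apply after GPO processing,
#    so they are the ground truth rather than the GPMC report.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold, LockoutDuration

# 2. Confirm the GPO is linked at the domain root again (the GPO GUIDs listed
#    here should include the Default Domain Policy).
Get-ADDomain | Select-Object -ExpandProperty LinkedGroupPolicyObjects

# 3. Enabled accounts with an expiring password whose PasswordLastSet falls
#    inside the window. Any of these may be shorter than 10 characters, lack
#    complexity, or reuse one of the previous 24; nothing will re-validate them
#    until MaxPasswordAge (180 days here) runs out.
$suspect = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                      -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -ge $unlinkedFrom -and $_.PasswordLastSet -le $relinkedOn }

# Keep the list for the report to management.
$suspect | Select-Object SamAccountName, DistinguishedName, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Export-Csv -Path .\passwords-set-while-unlinked.csv -NoTypeInformation

"{0} account(s) set a password between {1:d} and {2:d}" -f $suspect.Count, $unlinkedFrom, $relinkedOn

# 4. Remediation: require a change at next logon so length, complexity and
#    history are enforced on the new password. -WhatIf previews the change;
#    remove it once the CSV has been reviewed.
$suspect | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Review the CSV before dropping -WhatIf: accounts that log on only with a smart card or token should be handled separately, since a forced password change at logon is not something a token-only logon can satisfy, and service accounts with PasswordNeverExpires are deliberately excluded by the filter.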
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33598120
Thanks talkin
 
LVL 5

Expert Comment

by:talkinsmak
ID: 33598185
You're welcome.  Hope it all worked out.