Solved

Fine Grained Password policy (FGPP) complexity notification issues

Posted on 2011-09-25
1,384 Views
Last Modified: 2012-05-12
Hi, we are running a single 2008 domain and currently testing fine grained password policies.

These are working as expected, with the exception of the notification that the end user receives when the password complexity is not met. The message displays what I believe are the default domain group policy password complexity settings, as opposed to what’s defined in the FGPP.

We are also evaluating the ManageEngine AD Self-Service software, allowing users to change passwords and unlock their user accounts; the current password complexity settings are also being incorrectly published to this application.

This is what we currently receive. These settings were configured in the default domain policy but have now been set to "not defined".

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled



We would like to have the relevant FGPP settings populating these requirements as much as possible; any help would be much appreciated.

I have also ensured that no other group policies have any account policies configured.

Thanks
Question by:bluestarit
10 Comments
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 36597458
Have you run RSOP on a client to see which policy is taking precedence? If the domain policy is set to "Enforced", it will override conflicting policies lower down the hierarchy.
 
LVL 11

Expert Comment

by:Ackles
ID: 36600749
To take a shortcut, disable the link to the Default Domain Policy and see if you get the desired behavior.
If you do, first check whether the default policy is "Enforced". If yes, don't enforce it.
Once you have that, make sure your computer is in a separate OU, block inheritance, and link your desired policy there.

I won't suggest deleting the Default Domain Policy, but depending upon what you have there you can make your decision of keeping the link enabled or disabled.

A
 

Author Comment

by:bluestarit
ID: 36705515
Thanks for the replies. The default domain policy links have been removed from all OUs. We have also disabled all settings in this policy.

We have run RSOP and the default domain policy doesn’t apply at all. As stated earlier, there are no other policies with password settings configured, so could this be cached somewhere?

The password complexity still displays:

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled

Are there any other ways for the user to receive the password complexity requirements defined in the FGPP, as opposed to what was once configured in the default domain policy?

Thanks

 
LVL 11

Expert Comment

by:Ackles
ID: 36707618
If you have nothing configured, then this was the last applied, unless you define otherwise.
Please just try one setting in your FGPP and see if it gets applied.
Don't forget to run either gpupdate /force or log off.
 

Author Comment

by:bluestarit
ID: 36714596
The FGPP settings are configured and working exactly as expected; like you said, the setting must be applying from the existing domain policy.

Gpupdate doesn’t help, as the FGPP settings are defined as an attribute on the user's AD account. It’s looking like this is simply a limitation our friends at MS have overlooked.

Here are some screenshots showing the notification in XP as opposed to Win 7; clearly Win 7 doesn’t reference the existing domain policy settings.

[Screenshot: XP notification]
[Screenshot: Win 7 notification]

FGPP settings are far more comprehensive than what’s available in group policy, so I suspect these settings can’t be displayed under XP. As you can see from the screenshots, Win 7 doesn’t seem to display the policy settings at all if the user fails to meet the complexity requirements.
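Added example (not part of the original thread): the points above, that the XP dialog echoes the domain-wide settings while the FGPP lives as a constructed attribute on the user object, can be checked from a management workstation with the ActiveDirectory PowerShell module. The snippet below is my own illustration, not code posted by bluestarit or Ackles. It assumes the ActiveDirectory module is available (RSAT on Windows 7 / Server 2008 R2, or the Active Directory Management Gateway Service on a Windows Server 2008 DC) and uses a hypothetical test account named testuser1.

```powershell
# Added example, not from the original post. Compares the domain-wide password
# policy (the values a pre-Windows 7 client echoes back after a failed change)
# with the Fine-Grained Password Policy that actually governs a given user.
# Assumes: ActiveDirectory module present; 'testuser1' is a hypothetical account.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$Identity)

    # Domain head attributes (minPwdLength, pwdProperties, ...). These hold
    # whatever the domain-linked GPO last wrote; a setting flipped to
    # "not defined" does not clear them. Get-ADDefaultDomainPasswordPolicy
    # reads them, and so does the legacy change-password dialog.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Resultant PSO: the applied PSO with the lowest precedence value, whether
    # linked to the user directly or through group membership. Returns nothing
    # when no PSO applies, in which case the domain policy governs.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    # The same answer is exposed on the user object as a constructed attribute,
    # which is why gpupdate has no effect on it.
    $user        = Get-ADUser -Identity $Identity -Properties 'msDS-ResultantPSO'
    $resultantDn = $user.'msDS-ResultantPSO'

    if ($pso) {
        $effective = $pso
        $source    = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
    } else {
        $effective = $domainPolicy
        $source    = 'Default Domain Policy (no PSO applies)'
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        Source               = $source
        ResultantPsoDN       = $resultantDn
        MinPasswordLength    = $effective.MinPasswordLength
        PasswordHistoryCount = $effective.PasswordHistoryCount
        ComplexityEnabled    = $effective.ComplexityEnabled
        MinPasswordAge       = $effective.MinPasswordAge
        MaxPasswordAge       = $effective.MaxPasswordAge
        LockoutThreshold     = $effective.LockoutThreshold
        # What the XP dialog would report for comparison.
        DomainMinLength      = $domainPolicy.MinPasswordLength
        DomainComplexity     = $domainPolicy.ComplexityEnabled
    }
}

# What the test user is really held to, next to what the client dialog claims.
Get-EffectivePasswordPolicy -Identity 'testuser1' | Format-List

# Every PSO in the domain and the users/groups it is applied to, to confirm
# the test group is actually covered.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Name       = $_.Name
        Precedence = $_.Precedence
        AppliesTo  = ($subjects -join ', ')
    }
} | Format-Table -AutoSize
```

Running this against a member of the FGPP group and against a user outside it shows the two reading different sources while DomainMinLength and DomainComplexity stay the same for both, which is exactly the gap the XP notification exposes. The per-user output from Get-EffectivePasswordPolicy is also the data a self-service portal would need in order to publish the correct requirements instead of the domain-wide ones.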
 
LVL 11

Expert Comment

by:Ackles
ID: 36714619
Did you put it in a new OU and restart the machine?
I just want to get you to the point where the Default policy doesn't apply, and then you can define your own.
 
LVL 11

Accepted Solution

by:Ackles (earned 250 total points)
ID: 36714666
Maybe it's a good idea to define an FGPP of your own, so that you can define your own attribute.
 

Author Comment

by:bluestarit
ID: 36714754
The FGPP policy is applied to a user group which contains some test users. I have run RSOP and determined that no group policy settings are applying to these users or workstations.

FGPPs don’t rely on group policy; these are part of the user or group attributes, so I have ruled out group policy issues. But I do, however, think the domain has cached these settings somewhere. It is only an issue with XP.

Looks like MS abandoned the complexity setting notification in Win 7 for the same reason.  Still it would be nice if the user received this notification other than the IT department emailing everyone the complexity settings.

I don’t think this is resolvable, so I will award the points to you, Ackles.

Thanks
 
LVL 11

Expert Comment

by:Ackles
ID: 36714766
Thanks.
 

Author Closing Comment

by:bluestarit
ID: 36714769
Not quite resolved, due to inadequacies of the system.
