
Fine Grained Password policy (FGPP) complexity notification issues

Hi, we are running a single 2008 domain and currently testing fine grained password policies.

These are working as expected, with the exception of the notification that the end user receives when the password complexity is not met. The message displays settings from what I believe is the default domain group policy password complexity settings, as opposed to what’s defined in the FGPP.

We are also evaluating the ManageEngine AD Self-service software, allowing users to change passwords and unlock their user accounts. The current password complexity settings are also being incorrectly published to this application.

This is what we currently receive; these settings were configured in the default domain policy but have now been set to "not defined".

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled



We would like to have the relevant FGPP settings populating these requirements as much as possible; any help would be much appreciated.

I have also ensured that no other group policies have any account policies configured.

Thanks
Asked by: bluestarit
1 Solution
 
Chev_PCN Commented:
Have you run RSOP on a client to see which policy is taking precedence?  If the domain policy is set to "enforce", then it will override policies lower down the hierarchy that conflict.

Ackles Commented:
Just to make your way short, disable the link of Default domain policy & see if you get the desired behavior.
If you get it, then you first check if the default policy is "Enforced". If yes, then don't enforce it.
Once you have that, make sure you have your computer in a Separate OU & Block Inheritance & link your desired policy there.

I won't suggest deleting the Default Domain Policy, but depending upon what you have there you can make your decision of keeping the link enabled or disabled.

A

bluestarit (Author) Commented:
Thanks for the replies. The default domain policy links have been removed from all OUs. We have also disabled all settings in this policy.

We have run RSOP and the default domain policy doesn’t apply at all. As stated earlier, there are no other policies with password settings configured, so could this be cached somewhere?

The password complexity still displays:

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled

Are there any other ways for the user to receive the password complexity settings requirements defined in the FGPP, as opposed to what was once configured in the default domain policy?

Thanks
 
Ackles Commented:
If you have nothing configured then this was the last applied, unless you define otherwise.
Please just try one setting in your FGPP & see if you get it applied?
Don't forget to run either gpupdate /force or logoff

bluestarit (Author) Commented:
The FGPP settings are configured and working exactly as expected. Like you said, the setting must be applying from the existing domain policy.

Gpupdate doesn’t help, as the FGPP settings are defined as an attribute in the user's AD account. It’s looking like this is simply a limitation our friends at MS have overlooked.

Here are some screenshots showing the notification in XP as opposed to Win 7; clearly Win 7 doesn’t reference the existing domain policy settings.

XP notification
Win7 notification
FGPP settings are far more comprehensive than what’s available in group policy, so I suspect these settings can’t be displayed under XP. As you can see from the screenshots, Win 7 doesn’t seem to display any policy settings if the user fails to meet the complexity.

Ackles Commented:
Did you put it in a new OU & restart the machine?
I just want to get you to the point where the Default policy doesn't apply & then you can define your own.

Ackles Commented:
Maybe it's a good idea to define an FGPP of your own, so that you can define your own attribute.

bluestarit (Author) Commented:
The FGPP policy is applied to a user group which contains some test users. I have run the RSOP and determined that no group policy settings are applying to these users or workstations.

FGPPs don’t rely on group policy; these are part of the user or group attributes, so I have ruled out group policy issues. But I do, however, think the domain has cached these settings somewhere. It only is an issue with XP.

Looks like MS abandoned the complexity setting notification in Win 7 for the same reason.  Still it would be nice if the user received this notification other than the IT department emailing everyone the complexity settings.

I don’t think this is resolvable so I will award the points to you Ackles

Thanks

Ackles Commented:
Thanks.

bluestarit (Author) Commented:
Not quite resolved due to inadequacies of the system.
Question has a verified solution.
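
The thread asks how users can be shown the requirements from the FGPP that actually applies to them instead of the stale domain-level values. The following is an added example, not code from any poster in the thread: it resolves a user's resultant password settings object and falls back to the domain policy only when no FGPP applies. It assumes the ActiveDirectory PowerShell module is available and that the account running it can read the Password Settings Container; `testuser1` is a hypothetical account name.

```powershell
# Added example, not code from the thread.
# Assumes: ActiveDirectory module is installed and the caller can read the
# Password Settings Container. 'testuser1' is a hypothetical account.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName, DN, SID or GUID of the user
    )

    # Returns the winning PSO (linked to the user or to a global security group
    # the user belongs to), or nothing when no FGPP applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    if ($pso) {
        $source = "FGPP '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    }
    else {
        # No PSO applies, so the domain-wide account policy is the effective one.
        $source = 'Default domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    New-Object PSObject -Property @{
        User              = $Identity
        Source            = $source
        MinPasswordLength = $policy.MinPasswordLength
        ComplexityEnabled = $policy.ComplexityEnabled
        HistoryCount      = $policy.PasswordHistoryCount
        MinPasswordAge    = $policy.MinPasswordAge   # TimeSpan
        MaxPasswordAge    = $policy.MaxPasswordAge   # TimeSpan
    }
}

function Format-PasswordRequirement {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Policy)
    process {
        @(
            "Password requirements for $($Policy.User) [$($Policy.Source)]"
            "The minimum password age is $($Policy.MinPasswordAge.Days) day(s)"
            "The maximum password age is $($Policy.MaxPasswordAge.Days) day(s)"
            "The minimum password length is $($Policy.MinPasswordLength)"
            "No. of passwords remembered is $($Policy.HistoryCount)"
            "Password complexity enabled: $($Policy.ComplexityEnabled)"
        ) -join [Environment]::NewLine
    }
}

Get-EffectivePasswordPolicy -Identity 'testuser1' | Format-PasswordRequirement
```

The `Source` line in the output shows whether the values came from a PSO or from the domain policy, which makes it easy to spot a tool that is reporting domain-level settings for a user who is actually governed by an FGPP.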
