Solved

Fine Grained Password policy (FGPP) complexity notification issues

Posted on 2011-09-25
10
1,400 Views
Last Modified: 2012-05-12
Hi, we are running a single 2008 domain and currently testing fine grained password policies.

These are working as expected with the exception of the notification that the end user receives when the password complexity is not met.  The message displays settings in what I believe is the default domain group policy password complexity settings as opposed to what’s defined in the FGPP.

We are also evaluating the Managed Engine AD Self-service software allowing users to change passwords and unlock their user accounts, the current password complexity settings are also being incorrectly published to this application.  

This is what we currently receive, these settings were configured in the default domain policy but have now been set to "not defined".

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled



We would like to have the relevant FGPP settings populating these requirements as much as possible; any help would be much appreciated.

I have also ensured that no other group policies have any account policy’s configured.

Thanks
0
Comment
Question by:bluestarit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 36597458
Have you run RSOP on a client to see which policy is taking precedence?  If the domain policy is set to "enforce", then it will override policies lower down the hierarchy that conflict.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36600749
Just to make your way short, disable the link of Default domain policy & see if you get the desired behavior.
If you get it, then you first check if the default policy is "Enforced". If yes, then don't enforce it.
Once you have that, make sure you have your computer in a Separate OU & Block Inheritance & link your desired policy there.

I won't suggest deleting the Default Domain Policy, but depending upon what you have there you can make your decision of keeping the link enabled or disabled.

A
0
 

Author Comment

by:bluestarit
ID: 36705515
Thanks the replies, the default domain policy links have been removed from all OU’s. We have also disabled all settings in this policy.

We have Run RSOP and the default domain policy doesn’t apply at all,  as stated earlier there are no other policies with password configured so could this be cached somewhere?

The password complexity still displays;

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled

Are there any other ways for the user to receive the password complexity settings requirements defined in the FGPP as opposed to what was once configured in the default domain policy.

Thanks
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 11

Expert Comment

by:Ackles
ID: 36707618
If you have nothing configured then this was the last applied, unless you define otherwise.
Please just try one setting in your FGPP & see if you get it applied?
Don't forget to run either gpupdate /force or logoff
0
 

Author Comment

by:bluestarit
ID: 36714596
The FGPP settings are configured and working exactly as expected, like you said the setting must be applying from the existing domain policy.

Gpupdate doesn’t help as the FGPP settings are defined as an attribute in the users AD account.  It’s looking like this is simply a limitation our friends at MS have overlooked.  

Here are some screen shots showing the notification in XP as opposed to Win 7, clearly Win 7 doesn’t reference the existing domain policy settings.

XP notification
Win7 notification
FGG settings are far more comprehensive than what’s available in group policy so I suspect these settings can’t be displayed under XP, as you can see from the screen shots Win doesn’t seem to display in policy settings if the user fails to meet the complexity.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36714619
Di you put it in new OU & restart the machine?
I just want to reach you the point when Default policy doesn't apply & then you can define your own
0
 
LVL 11

Accepted Solution

by:
Ackles earned 250 total points
ID: 36714666
Maybe, it's a good idea to define a FGG of your own, so that you can define tour own attribute.
0
 

Author Comment

by:bluestarit
ID: 36714754
The FGPP policy is applied to a user group which contains some test users. I have run the RSOP and determined that no group policy stings are applying to these users or workstations.

FGPP don’t rely on group policy, these are part of the user or group attributes so I have ruled out group policy issues.  But I do however think the domain has cached these settings somewhere.  It only is an issue with XP.

Looks like MS abandoned the complexity setting notification in Win 7 for the same reason.  Still it would be nice if the user received this notification other than the IT department emailing everyone the complexity settings.

I don’t think this is resolvable so I will award the points to you Ackles

Thanks
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36714766
Thanks.
0
 

Author Closing Comment

by:bluestarit
ID: 36714769
Not quite resolved due to inadequacies of the system .
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question