Solved

Fine Grained Password policy (FGPP) complexity notification issues

Posted on 2011-09-25
10
1,357 Views
Last Modified: 2012-05-12
Hi, we are running a single 2008 domain and currently testing fine grained password policies.

These are working as expected with the exception of the notification that the end user receives when the password complexity is not met. The message displays settings from what I believe are the default domain group policy password complexity settings, as opposed to what’s defined in the FGPP.

We are also evaluating the Managed Engine AD Self-service software, allowing users to change passwords and unlock their user accounts; the current password complexity settings are also being incorrectly published to this application.

This is what we currently receive; these settings were configured in the default domain policy but have now been set to "not defined".

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled



We would like to have the relevant FGPP settings populating these requirements as much as possible; any help would be much appreciated.

I have also ensured that no other group policies have any account policies configured.

Thanks
Question by:bluestarit
10 Comments
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 36597458
Have you run RSOP on a client to see which policy is taking precedence?  If the domain policy is set to "enforce", then it will override policies lower down the hierarchy that conflict.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36600749
Just to make your way short, disable the link of Default domain policy & see if you get the desired behavior.
If you get it, then you first check if the default policy is "Enforced". If yes, then don't enforce it.
Once you have that, make sure you have your computer in a Separate OU & Block Inheritance & link your desired policy there.

I won't suggest deleting the Default Domain Policy, but depending upon what you have there you can make your decision of keeping the link enabled or disabled.

A
0
 

Author Comment

by:bluestarit
ID: 36705515
Thanks for the replies. The default domain policy links have been removed from all OUs. We have also disabled all settings in this policy.

We have run RSOP and the default domain policy doesn’t apply at all; as stated earlier, there are no other policies with password settings configured, so could this be cached somewhere?

The password complexity still displays:

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled

Are there any other ways for the user to receive the password complexity requirements defined in the FGPP, as opposed to what was once configured in the default domain policy?

Thanks
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36707618
If you have nothing configured then this was the last applied, unless you define otherwise.
Please just try one setting in your FGPP & see if you get it applied?
Don't forget to run either gpupdate /force or log off.
0
 

Author Comment

by:bluestarit
ID: 36714596
The FGPP settings are configured and working exactly as expected; like you said, the setting must be applying from the existing domain policy.

Gpupdate doesn’t help, as the FGPP settings are defined as an attribute in the user’s AD account. It’s looking like this is simply a limitation our friends at MS have overlooked.

Here are some screenshots showing the notification in XP as opposed to Win 7; clearly Win 7 doesn’t reference the existing domain policy settings.

XP notification
Win7 notification
FGPP settings are far more comprehensive than what’s available in group policy, so I suspect these settings can’t be displayed under XP. As you can see from the screenshots, Win 7 doesn’t seem to display the policy settings if the user fails to meet the complexity.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36714619
Did you put it in a new OU & restart the machine?
I just want to get you to the point where the Default policy doesn't apply & then you can define your own.
0
 
LVL 11

Accepted Solution

by:
Ackles earned 250 total points
ID: 36714666
Maybe it's a good idea to define an FGPP of your own, so that you can define your own attribute.
0
 

Author Comment

by:bluestarit
ID: 36714754
The FGPP policy is applied to a user group which contains some test users. I have run RSOP and determined that no group policy settings are applying to these users or workstations.

FGPPs don’t rely on group policy; these are part of the user or group attributes, so I have ruled out group policy issues. But I do, however, think the domain has cached these settings somewhere. It is only an issue with XP.

Looks like MS abandoned the complexity setting notification in Win 7 for the same reason. Still, it would be nice if the user received this notification other than the IT department emailing everyone the complexity settings.

I don’t think this is resolvable, so I will award the points to you, Ackles.

Thanks
0
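Since the FGPP is resolved from the user's resultant PSO rather than from any GPO (as the author notes above), the enforced values can be read straight from AD and handed to users or a self-service tool in the same layout as the notification quoted in the thread. The following PowerShell is an added example, not code from this thread or from any product mentioned in it; it assumes the ActiveDirectory module (RSAT on 2008 R2 or later) and uses the placeholder account name "testuser1".

```powershell
# Added example: report the password policy that is actually enforced for a
# user by reading the resultant PSO from AD, so the FGPP values can be
# published instead of the stale Default Domain Policy values the client shows.
# Assumes the ActiveDirectory module; "testuser1" is a placeholder account.
param(
    [string]$SamAccountName = 'testuser1'
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName

# Resultant PSO = the applicable FGPP with the lowest precedence value,
# whether linked to the user directly or through group membership.
# $null means no FGPP applies and the domain default policy governs.
$pso = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $pso) {
    $pso    = Get-ADDefaultDomainPasswordPolicy
    $source = 'Default Domain Policy (no FGPP applies to this user)'
} else {
    $source = "FGPP '$($pso.Name)' (precedence $($pso.Precedence))"
}

$complexity = if ($pso.ComplexityEnabled) { 'Enabled' } else { 'Disabled' }

# Same lines the logon notification prints, but with the enforced values.
# Age values are the Days component of the policy's TimeSpan properties.
$report = [ordered]@{
    'Policy source'                       = $source
    'The minimum password age is'         = $pso.MinPasswordAge.Days
    'The maximum password age is'         = $pso.MaxPasswordAge.Days
    'The minimum password length is'      = $pso.MinPasswordLength
    'No. of Password Remembered is'       = $pso.PasswordHistoryCount
    'The password complexity property is' = $complexity
}

foreach ($entry in $report.GetEnumerator()) {
    '{0,-38} {1}' -f $entry.Key, $entry.Value
}
```

Run it against a test user in the FGPP group and against one outside it to confirm which policy each resolves to; a user that unexpectedly falls back to the Default Domain Policy is not covered by any PSO.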
 
LVL 11

Expert Comment

by:Ackles
ID: 36714766
Thanks.
0
 

Author Closing Comment

by:bluestarit
ID: 36714769
Not quite resolved due to inadequacies of the system.
0
