bluestarit

Fine Grained Password policy (FGPP) complexity notification issues

Hi, we are running a single 2008 domain and currently testing fine grained password policies.

These are working as expected with the exception of the notification that the end user receives when the password complexity is not met.  The message displays settings in what I believe is the default domain group policy password complexity settings as opposed to what’s defined in the FGPP.

We are also evaluating the Managed Engine AD Self-service software, which allows users to change passwords and unlock their user accounts; the current password complexity settings are also being incorrectly published to this application.

This is what we currently receive, these settings were configured in the default domain policy but have now been set to "not defined".

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled



We would like to have the relevant FGPP settings populating these requirements as much as possible; any help would be much appreciated.

I have also ensured that no other group policies have any account policies configured.

Thanks
Chev_PCN

Have you run RSOP on a client to see which policy is taking precedence?  If the domain policy is set to "enforce", then it will override policies lower down the hierarchy that conflict.
Just to make your way short, disable the link of Default domain policy & see if you get the desired behavior.
If you get it, then you first check if the default policy is "Enforced". If yes, then don't enforce it.
Once you have that, make sure you have your computer in a Separate OU & Block Inheritance & link your desired policy there.

I won't suggest deleting the Default Domain Policy, but depending upon what you have there you can make your decision of keeping the link enabled or disabled.

A
bluestarit

ASKER

Thanks for the replies; the default domain policy links have been removed from all OUs. We have also disabled all settings in this policy.

We have run RSOP and the default domain policy doesn’t apply at all. As stated earlier, there are no other policies with password configured, so could this be cached somewhere?

The password complexity still displays:

      Domain Password Policy Requirements
      The minimum password age is 0
      The maximum password age is 0
      The minimum password length is 0
      No. of Password Remembered is 0
      The password complexity property is Disabled

Are there any other ways for the user to receive the password complexity settings requirements defined in the FGPP, as opposed to what was once configured in the default domain policy?

Thanks
If you have nothing configured then this was the last applied, unless you define otherwise.
Please just try one setting in your FGPP & see if you get it applied?
Don't forget to run either gpupdate /force or logoff
The FGPP settings are configured and working exactly as expected; like you said, the setting must be applying from the existing domain policy.

Gpupdate doesn’t help, as the FGPP settings are defined as an attribute in the user's AD account. It’s looking like this is simply a limitation our friends at MS have overlooked.

Here are some screen shots showing the notification in XP as opposed to Win 7; clearly Win 7 doesn’t reference the existing domain policy settings.

User generated image
User generated image
FGPP settings are far more comprehensive than what’s available in group policy, so I suspect these settings can’t be displayed under XP. As you can see from the screen shots, Win doesn’t seem to display in policy settings if the user fails to meet the complexity.
Did you put it in a new OU & restart the machine?
I just want to get you to the point where the Default policy doesn't apply & then you can define your own.
ASKER CERTIFIED SOLUTION
Ackles

This solution is only available to members.
The FGPP policy is applied to a user group which contains some test users. I have run the RSOP and determined that no group policy settings are applying to these users or workstations.

FGPPs don’t rely on group policy; these are part of the user or group attributes, so I have ruled out group policy issues. But I do however think the domain has cached these settings somewhere. It is only an issue with XP.

Looks like MS abandoned the complexity setting notification in Win 7 for the same reason.  Still it would be nice if the user received this notification other than the IT department emailing everyone the complexity settings.

I don’t think this is resolvable, so I will award the points to you, Ackles.

Thanks
Thanks.
Not quite resolved due to inadequacies of the system.
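
Added example, not part of the original thread: because a fine-grained policy is resolved per user in the directory rather than through Group Policy, the requirements a given user is actually held to can be read from the directory and handed to whatever displays them. This sketch assumes the ActiveDirectory PowerShell module is available on the machine running it; the function name and the account `testuser1` are hypothetical.

```powershell
# Added example: report the password requirements that really apply to a user.
# Assumes the ActiveDirectory module is installed; 'testuser1' is a placeholder.
Import-Module ActiveDirectory

function Get-EffectivePasswordRequirements {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName or distinguished name of the user
    )

    # Returns the PSO that wins for this user (direct or via group membership),
    # or nothing at all when no fine-grained policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    if ($pso) {
        $source = "Fine-grained policy '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    }
    else {
        # No PSO applies, so the domain-wide policy is what gets enforced.
        $source = 'Default domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # Both policy object types expose the same property names used below.
    New-Object PSObject -Property @{
        User                = $Identity
        Source              = $source
        MinPasswordAgeDays  = $policy.MinPasswordAge.TotalDays
        MaxPasswordAgeDays  = $policy.MaxPasswordAge.TotalDays
        MinPasswordLength   = $policy.MinPasswordLength
        PasswordsRemembered = $policy.PasswordHistoryCount
        ComplexityEnabled   = $policy.ComplexityEnabled
    }
}

# Print the effective requirements in a fixed order for one test account.
Get-EffectivePasswordRequirements -Identity 'testuser1' |
    Select-Object User, Source, MinPasswordAgeDays, MaxPasswordAgeDays,
                  MinPasswordLength, PasswordsRemembered, ComplexityEnabled |
    Format-List
```

The `Source` field shows whether the values came from a PSO or from the domain policy, which is the distinction the XP notification in this thread does not make.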