• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 377
  • Last Modified:

changing PSWD compllexity domain 2008

I have domain called: addc.com
I have created new organizational unit called test.
When I create new user inside this OU, the windows always asks me for a password that meets password complexity and length.
I want to able to change the password to 123 for example, not to complex password only inside this OU, and do not affect all other OUs in the domain. How can I do it?


  • 6
  • 4
  • 2
  • +4
1 Solution
You need to create a group policy applied within that OU .

On your DC, click the Start menu then enter "gpedit.msc" in the search box and press enter.

You will need to expand the tree until you find the OU you want to apply the policy to.

Right click that OU and create and link a new GPO.

In the new window, expand Computer Configuration -> Windows Settings -> Security Settings -> Account Policies then double-click Password Policy.

Find "Password must meet complexity requirements" and double-click it. Set it to disabled then click OK.

Close all the windows.

Click  the start menu and enter "gpupdate" then press enter. You should then be able to set the password to whatever you like via ADUC under that OU.
SandeshdubeySenior Server EngineerCommented:
In windows 2008  Fine Grained Password Policy has been introduced wherein you can have multiple password poliy.

Reference link:
Your domain needs to be at the 2008 level or higher. I just implemented fine grained policies myself and found the free Specops Password Policy to be much easier than trying the use the Microsoft method of ADSIedit.

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Don't forget to enable the block inhertance to avoid your GP being over riden by the default domain policy because if there is a conflict of GP, the default domain policy which sit on the top of the root domain will always win, hence will over ride any policy below it.
Changing Default Password Policy
1. Log in as Administrator to the Domain Controller.
2. Click Start ¿Programs ¿Administrative Tools ¿Group Policy Management Console.
3. Expand Forest ¿Expand Domains ¿Expand Microsoft.com ¿Right click Default Domain Policy and select Edit.
Windows Server 2008 - System Administration
4. Expand Computer Configuration ¿Expand Policies ¿Expand Windows Settings ¿Expand Security Settings ¿Expand Account Policies ¿Open Password Policy.
5. Double click Minimum Password Length.
Windows Server 2008 - System Administration
6. Change the length value from (7 to 0) and click Apply and OK.
7. Double click Password must meet complexity Requirements.
Windows Server 2008 - System Administration
8. Select Disabled and Apply and OK.
9. Click Start ¿Run and Type GPUPDATE and It refreshes the policy changes.
1. Go to Active Directory Users and Computers and Create a User with any Password or without any Password.
reoromanAuthor Commented:
I did as Sandeshdubey said,
 In windows 2008 Fine Grained Password Policy has been introduced wherein you can have multiple password policy.

But still domain asks me that Password must meet complexity requirements. I want it to ask me Password must meet complexity requirements on the whole domain, but not in some OU I want to create...

Example: I create OU named: test. When i want to add new user it asks me for Password must meet complexity requirements. I want it precisely in this OU not to ask me to. How I can do it?
SandeshdubeySenior Server EngineerCommented:
In windows 2008 you can create different password policy using groups not OU.
You can use fine-grained password policy in windows 2008, but you can't use it as OU level segregation.

To apply fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

Here are some reference materials:

Here some additional links you can reference for Password Policy settings and troubleshooting...
How to Implement an Active Directory Password Policy
How Troubleshoot Active Directory Password Policy Settings

Hope this helps:

When you create a user, it gets the default domain policy, so password complexity is required at that time. Once you add it to the security group with the different password policy, the new password policy will take effect.

So, create new user with complex temporary password.
Add user to security group assigned with the weaker password policy.
Reset the password to a weaker one.
reoromanAuthor Commented:
This is good explanation.
I did fine-grained password and I link it to security group, then I create new user with complex password, then I add him to the new security group, then I changed the password to easy one but it did not work. I think I am doing something wrong! Help!
Install Specopc password policy tool to your DC.

It will connect to Active Directory and help you change password policy easily, such as complexity, length ...etc.

The free version of this software is enough for you.

I guess thats what you need. GL
Try Password Policy from http://www.specopssoft.com/products/specops-password-policy . The GUI makes it super easy.
reoromanAuthor Commented:
Thank you for Specopc password policy tool, but I do not want to use third party software.
This is my scenario and I hope someone can help me to finish this task:

In the active directory users and computers I have created OU named test, what I need is to make policy applied only on this OU so I can make users inside this OU have password less secure than the default one which is already on the default domain policy.
In the group policy management I can see the OU test and right click on it, choose: create a GPO in this domain, and link it here…
As you know if I change the password policy in the default domain policy to not meet complexity requirements and put the minimum password length to any number I need that would be very easy and it is not recommended by Microsoft to change the default domain policy, it is better to create new one and link it to that OU, but when I create new GPO and edit it I see it all not defined, which make no sense to modify just one policy that I need, I think there should be more work to do?? I do not know what it is!!
Even if I change only the password and link it to the test OU, nothing will work, and even if block inheritance, the same thing, nothing will happen.
I also create new security Group - global in the root of the domain and using ADSI I implemented fine grained policies, http://capitalhead.com/articles/step-by-step-guide-to-fine-grained-passwords-in-windows-server-2008.aspx I did as it says, but also nothing happed.
Still default domain policy in charge and I cannot do my changes.
Any help??

The third party software only provides a better UI to make the changes to AD. The end result is the same either way. Direct editing of the AD database is certainly the hard way.

Fine grained Password Policies can not be implemented via GPO. As the documentation as most of the experts have already stated, GPO is not the way to go. You need to use security groups only in conjunction with fine grained password policies. I suggest you delete the GPO and try your fine grained password policy again using the steps (or use the software, which is easier).
Password policies can be change in the Schema

You have to Raise Domain Functional Level to Windows 2008
BE CAREFUL this is irreversible change.

Then ADSIedit will be tool for this.

Domain>System>Password Settings>Create New Object>msDS-PasswordSettings

This wizard is used for complexity and length...etc change.

Then in normal Server Manager, set View to Advanced Features
Now you can choose System>PasswordSettings here you can see the passeordsettings object you made before.
Dubleclick on it, choose Attribute editor, scroll down to msDS-PSAppliesTo, and here you can add users and groups which will use your Password Settings Object.

I hope i was clear, and I helped
reoromanAuthor Commented:
to kevinhsieh
I suggest you delete the GPO and try your fine grained password policy again using the steps

I did that nothing works, can you please explain more....
reoromanAuthor Commented:
i love you Solon84   it works.... thanks
reoromanAuthor Commented:
thanks ,,,,,,,,,,,,, wowo yohoooooooooooooo
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 6
  • 4
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now