
Setting password restrictions in 2003 Group Policy

Last Modified: 2012-06-27
Hi

I look after a single Windows 2003 domain for our small office.  Some time ago I edited the default domain policy using the Group Policy Management snap-in via my XP workstation to enforce a simple password policy.  Domain passwords were set to expire after 90 days and to enforce new complexity rules but it's been over 90 days now and it hasn't kicked in.  It's the first time I've had to tinker with group policies so I've probably done something dumb.

If I select Default Domain Policy under the domain's Group Policy Objects there are 4 tabs in the right hand screen.  Under Scope our single domain is listed under Links, with both Enforced and Link Enabled listed as Yes.  Under Security Filtering it states that the settings in this GPO apply to Authenticated Users and Domain Users.  In the Details tab it states that the GPO status is Enabled.  The Details tab doesn't appear to show anything relevant and in the Delegation tab it states the following permissions, none of which are inherited.

Authenticated Users - Read (from Security Filtering)
Domain Admins - Edit, delete, modify security
Domain Users - Read (from Security Filtering)
Enterprise Admins - Edit, delete, modify security
Enterprise Domain Controllers - Read
System - Edit, delete, modify security

If I right-click on the GPO or the link located under the domain name in the tree and go to View I get the Group Policy 'browser'.  The bit I've edited is under Default Domain Policy--Computer Configuration--Windows Settings--Security Settings--Account Policies--Password Policy.  I've set the following

Enforce password history - 3
Max password age - 90
Min password age - 30
Min password length - 7
Password must meet complexity requirements - Enabled
Store password using reversible encryption - Disabled

I don't know if I've provided enough information but I'd be grateful if someone with more experience in these things could point out where I've dropped a nut. If all appears well then I'd like to know why it hasn't woken up.

Thanks

To edit the password GPO it's just scrolling down to the section where you went, or just creating a new GPO and linking it to the domain. To test if it is working just run gpupdate /force on a client machine. The policy that you applied is valid also for administrators, so be careful not to lose the admin password. The Enforced section is only if you use OUs or a GPO hierarchy. In a basic setup what you did is fine.

Commented:
See if the below article helps you resolving the issue
http://support.microsoft.com/kb/269236 

Author

Commented:
Thanks for the quick response.  To get around the Admin problem and a couple of other users whose passwords should be excluded from the policy, I've created a security group in AD Users & Computers called NoGPO and added those users in there.  In the Group Policy browser I right clicked on the Default Domain Policy, went to the Security tab, added the NoGPO group and clicked on Deny for Apply Group Policy.  Is this the correct way to go about excluding those?

I'll use a test machine with a test domain user account and see what gpupdate /force comes up with.........

Thanks

Author

Commented:
Curious - I realised I already had a dummy user account called Test in AD but I couldn't remember the password.  I right clicked it to reset the password, input a new password and I was told that the new password doesn't meet the password policy requirements!!  Could it be my maths is rusty and I'm being premature (wouldn't be the first time....)?  I amended the policy around 5th August I think and I make today the 91st/92nd day and it was due to enforce a 90 day rule.

Author

Commented:
As advised I chose a guinea pig, ran the gpupdate /force and it claimed to have refreshed user and computer policies.  I logged off and was able to login again with the same (should now be rejected) password.

I checked out the link provided and the Block Inheritance wasn't active - I'll try the command it states to run on the domain controller next.

Any idea why I couldn't put an invalid password on my test user but existing domain users aren't getting prompted?

Author

Commented:
I ran gpresult on a test PC using a valid domain user account with a password that should wake the policy up and didn't.  Results are below - is there an obvious flaw?


Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 04/11/2011 at 11:59:08



RSOP results for domain\myuser on TESTBOX : Logging Mode
-----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 domain
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:            
Local Profile:               C:\Documents and Settings\myuser
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=TESTBOX,CN=Computers,DC=domain,DC=company,DC=com
    Last time Group Policy was applied: 04/11/2011 at 11:50:40
    Group Policy was applied from:      ourserver.domain.company.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        TESTBOX$
        Domain Computers
       

USER SETTINGS
--------------
    CN=myuser,CN=Users,DC=domain,DC=company,DC=com
    Last time Group Policy was applied: 04/11/2011 at 11:58:38
    Group Policy was applied from:      ourserver.domain.company.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Accounts
       
kevinhsieh, Network Engineer (Certified Expert)

Commented:
You Windows 2003 domain can only have a single password policy for ALL users. That means that all users will have the same complexity, length and lockout settings. You can of course set a password to never expire on an individual basis.

If you upgrade all of your domain controllers to Windows 2008 you can use fine grained password policies, which allow different groups of users to have different password policies applied.

Author

Commented:
So putting some accounts in my NoGPO group and selecting the Deny flag as I mentioned won't work?  It's a solution I've seen all over the web.  Is there anything in the details I've provided so far that points to an error?  I've been searching for a solution all day and lots of people seem to have the same problem - I need aspirin.

Thanks
kevinhsieh, Network Engineer (Certified Expert)

Commented:
Your plan won't work, because there is no technology in Windows 2003 to allow it to work. You need Windows 2008.

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

The Windows Server® 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Microsoft® Windows® 2000 and Windows Server® 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain. As a result, organizations that wanted different password and account lockout settings for different sets of users had to either create a password filter or deploy multiple domains. Both options are costly for different reasons.


What do fine-grained password policies do?

You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.

For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

Author

Commented:
Thanks for the info.

We're not in a position to upgrade yet so I need to get something working on the existing 2003 domain.  Right now I'd settle for removing the protected rights of the members in my NoGPO group and just applying the policy as I've specified in my post to all users but all the results of various tools indicate that the policy is active and in force on the workstations I've run RSOP on - it just isn't prompting for a password change when you logoff/logon and I've no idea why.
kevinhsieh, Network Engineer (Certified Expert)

Commented:
The group policy affects user accounts on the machines, but your domain accounts don't live on the machines; they are part of your Domain, which is controlled by the default domain policy. If you create a local machine account you will see that it is being controlled by your group policy (if you apply it to the OU containing the computers).

Author

Commented:
Sorry - I don't quite follow. I've run RSOP on my XP workstation and the password policy it displays appears to be correct and it states it's getting it from the Default Domain Policy.  Ditto when I run this on our lone DC.  The first respondent seemed to think my method was OK - everything is in place as far as I can see but it just doesn't want to play. I've rebooted the DC just in case it needed a kick but that hasn't done anything (unless it takes a while).

I'd really appreciate any steps re things to check/verify or test the problem.
kevinhsieh, Network Engineer (Certified Expert)

Commented:
The problem is that you are trying to do something that can not be done using a Windows 2003 domain controller. Read the link I posted. Look at the bold section. Microsoft wouldn't need to roll out a new feature in Windows 2008 if you could do it in 2003. If you are just trying to change your single domain password policy and that isn't working, then there is a real problem, but you can not have multiple password policies.

Author

Commented:
Maybe we have a crossed wire - like I said, I've taken out the NoGPO group so now I just want the new password policy defined in the Default Domain Policy applied to all domain users logging on to the domain.  As it stands it isn't being applied at logon.  However, like I said in an earlier post, if I go in to AD Users & Computers and try to alter an account's password to something like 'password' it says I can't do it because of the policy restriction.  So my question is really how can ADU&C moan about it but I can then go and login to a domain PC with an account that I also know to be in breach of policy and it lets me login OK?
Network Engineer (Certified Expert)
Commented:
I actually suspect that the password expiration date doesn't change until the password is changed. My reasoning is that the time when a password is set to expire is stored in AD. AD doesn't store the last time that the password was changed. Therefore, changing the domain password policy doesn't affect existing passwords, only new ones. If you want everyone to get the new password policy, force their passwords to expire.

In reviewing your default domain password policy, you set the minimum password age to be 30 days, which means that if you reset a user's password AND force them to change it when they logon, they can't change their password because they won't be able to do it for 30 days. I suggest you set the minimum password age to 0, and the password history to 24. That seems to be a good deterrent to preventing people from recycling passwords.

Author

Commented:
Thanks for that - it makes sense although to my mind it's a bit of a flaw in applying such a policy.  What would you do if you had 1000s of users?? Luckily we're only a small company so it's not much trouble for me to go and mark 10-20 accounts so that the user must change their password next time they logon.  I shan't be resetting the passwords - just forcing them to change it at next logon (and hopefully the new policy will then kick in) so I take it my existing value for min password age would hold good?  I'll try it out and report back.

Cheers
This is one of the great improvements of Windows 2008, fine-grained password policies; also the domain functional level and the forest level have to be raised. Windows 2003 allows only one password policy at the domain level, so it doesn't work if you create different GPOs on multiple OUs.

Author

Commented:
Well it seems to have worked, kind of.  My users did indeed get prompted to change passwords and the complexity rule was in operation.  However, given the group policy's reluctance to work until we kicked it like this I'm not confident that things like the 'expire after 90 days' is now in force.  An upgrade to 2008 isn't possible at the moment so I need to be sure this is working on 2003.  For the members of my NoGPO group whose passwords I wanted to be exempt all I've done is remove that group and made sure I didn't set those accounts to require a password change at next logon.  If they ever do need a password change for whatever reason then I guess they'll get pestered by the new complexity rule and from what you've said I take it that with 2003 there is no way to isolate these accounts?

I'm still curious as to how much larger companies using 2003 get this working i.e. does some poor so-and-so draw the short straw and spend hours in AD setting all the accounts to require a password change at next logon?!?
kevinhsieh, Network Engineer (Certified Expert)

Commented:
If you have reasonable password policies set up to begin with, this isn't much of a challenge. The default password policy is to change every 42 days I believe, so in 42 days everyone has the new password policy applied. If you set the default policy to not require a password change for 5 years, then you have a problem.

You can multiselect users via search or browsing and then change the must change password property for all select users at once, instead of doing it user by user. Very helpful when making any sort of mass change.
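
The following is an added PowerShell example, not code from this thread or from any of its participants. It does two things the discussion above calls for: it reads the password policy the domain actually enforces, straight from the attributes the DCs write onto the domain object (maxPwdAge, minPwdAge, pwdHistoryLength, minPwdLength, pwdProperties), which is the definitive check on whether the 90-day setting is in force regardless of what RSOP reports on a workstation; and it performs the "force everyone to change" step for all users at once, the bulk equivalent of multi-selecting accounts in ADUC and ticking "User must change password at next logon". Complexity is only evaluated when a password is set, so passwords set before the policy change are the ones worth expiring. Filtering a group out of the GPO with a Deny on Apply Group Policy does not alter these domain attributes, since they come from the Computer Configuration half of the policy as applied to the DCs. The script uses System.DirectoryServices only, so it runs from PowerShell 2.0 on an XP or 2003 box against a 2003 DC without the ActiveDirectory module. The policy-change date is an assumed default; run it without -Force first to review the list.

```powershell
# Added example, not code from the original thread. Reads the one password
# policy a Windows 2003 domain enforces from the domain object, lists every
# enabled user's password state and, with -Force, expires any password set
# before the policy change so the user must pick one under the current rules.
# Pure System.DirectoryServices: runs from PowerShell 2.0 against a 2003 DC.
# Run as a member of Domain Admins.
param(
    [datetime]$PolicyChangedOn = '2011-08-05',   # assumption: date the GPO was edited
    [switch]$Force                               # without -Force nothing is written
)

$ticksPerDay = 864000000000   # 100-ns intervals in one day

$rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$domainDn = $rootDse.Properties['defaultNamingContext'][0]
$domain   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")

# --- 1. Effective domain password policy ----------------------------------
# The DCs write the Default Domain Policy's Password Policy onto the domain
# object; these attributes are what is enforced for domain accounts.
$ps = New-Object System.DirectoryServices.DirectorySearcher($domain)
$ps.Filter      = '(objectClass=domainDNS)'
$ps.SearchScope = 'Base'
[void]$ps.PropertiesToLoad.AddRange(@('maxPwdAge','minPwdAge','pwdHistoryLength','minPwdLength','pwdProperties'))
$p = $ps.FindOne().Properties

# Ages are LargeInteger values returned as Int64: negative 100-ns intervals.
# Int64.MinValue in maxPwdAge means "passwords never expire".
$maxPwdAge    = [int64]$p['maxpwdage'][0]
$neverExpires = ($maxPwdAge -eq [int64]::MinValue)
if ($neverExpires) { $maxDays = 'never' } else { $maxDays = [math]::Round(-$maxPwdAge / $ticksPerDay) }
$minDays = [math]::Round(-([int64]$p['minpwdage'][0]) / $ticksPerDay)
$complex = (([int]$p['pwdproperties'][0] -band 1) -ne 0)   # DOMAIN_PASSWORD_COMPLEX

"Domain: $domainDn"
"  Maximum password age (days): $maxDays"
"  Minimum password age (days): $minDays"
"  Password history length:     $($p['pwdhistorylength'][0])"
"  Minimum password length:     $($p['minpwdlength'][0])"
"  Complexity required:         $complex"
""

# --- 2. Per-user password state and optional forced expiry ----------------
# Enabled user accounts only (userAccountControl bit 2 = ACCOUNTDISABLE).
$us = New-Object System.DirectoryServices.DirectorySearcher($domain)
$us.Filter   = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$us.PageSize = 500
[void]$us.PropertiesToLoad.AddRange(@('sAMAccountName','pwdLastSet','userAccountControl'))

foreach ($r in $us.FindAll()) {
    $sam      = $r.Properties['samaccountname'][0]
    $uac      = [int]$r.Properties['useraccountcontrol'][0]
    $pls      = [int64]$r.Properties['pwdlastset'][0]
    $noExpire = (($uac -band 0x10000) -ne 0)   # DONT_EXPIRE_PASSWD, per-account override

    if ($pls -eq 0) {
        $state   = 'must change at next logon'
        $lastSet = $null
    } else {
        $lastSet = [datetime]::FromFileTimeUtc($pls)
        if ($noExpire -or $neverExpires) {
            $state = "set $lastSet, never expires"
        } else {
            # Expiry is pwdLastSet plus the (positive) maximum age.
            $expires = $lastSet.AddTicks(-$maxPwdAge)
            if ($expires -lt [datetime]::UtcNow) { $state = "EXPIRED since $expires" }
            else                                 { $state = "expires $expires" }
        }
    }

    # Passwords set before the policy change were never checked against the
    # new complexity rule. pwdLastSet = 0 is exactly what ticking "User must
    # change password at next logon" in ADUC writes. Accounts flagged
    # "password never expires" are left alone.
    if ($Force -and $lastSet -ne $null -and -not $noExpire -and $lastSet -lt $PolicyChangedOn.ToUniversalTime()) {
        $entry = $r.GetDirectoryEntry()
        $entry.Properties['pwdLastSet'].Value = 0
        $entry.CommitChanges()
        $state += ' -> forced to expire'
    }

    '{0,-20} {1}' -f $sam, $state
}
```

Usage: `.\Check-DomainPwdPolicy.ps1` to report only; `.\Check-DomainPwdPolicy.ps1 -PolicyChangedOn 2011-08-05 -Force` to expire the pre-change passwords. The script never resets a password, so the minimum-age concern raised above does not come into play; users simply get the change-password prompt at their next logon. The two searches run as the calling user, so a read-only account can run the report half.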

Author

Commented:
Thanks for the tip.

Cheers
