
fine grained password policy not working

Last Modified: 2012-10-01
My fine-grained password policy is not working. I went through the step-by-step guide here: fine grain password setup. I then researched and went through the following steps to figure out why it isn't working.

1. dsget user <User-DN> -effectivepso
    a. This didn't do anything except give me a "dsget succeeded" reply

2. Checked the domain functional level by opening Ldp.exe and connecting to my domain controller
    a. It says 3= (WIN2008) next to domainControllerFunctionality

3. Tried adding the user to an Active Directory group and then adding the group to the fine-grained password policy in ADSI, but this also didn't do anything.

4. I have checked the msDS-PSOAppliesTo
    a. This is set correctly. It has my user and group there

5. I have changed the msDS-PasswordSettingPrecedence to 1
    a. This didn't make a difference

My domain controller is a Windows 2008 64-bit machine. After all this I am still having problems with my test user. This user is still under the default password policy and not my new one.

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hi.

I've set this up in some domains (real ones, test ones) and never had any difficulty.
Please read http://technet.microsoft.com/en-us/library/cc770848(v=ws.10)  which gives you two insights:
1) If the PSO name is not returned by the dsget command, the Default Domain Policy is applied to the specified user account.
2) There is another place to look to see if it applied: the user object attribute "msDS-ResultantPSO". If the value of the msDS-ResultantPSO attribute is null, the Default Domain Policy is applied to the selected user account.
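The two checks above (dsget -effectivepso and msDS-ResultantPSO) only tell you that the default policy is winning, not why. The script below is an added diagnostic, not code from the thread or from Microsoft, that gathers the facts a practitioner would want in one pass: the three functional-level values from rootDSE, every PSO in CN=Password Settings Container with its precedence (the attribute is msDS-PasswordSettingsPrecedence) and msDS-PSOAppliesTo links, and the user's msDS-ResultantPSO. One caveat worth spelling out: ldp.exe shows domainFunctionality, forestFunctionality and domainControllerFunctionality as three separate values, and fine-grained password policies are gated by domainFunctionality (it must be 3, Windows Server 2008, which in turn requires every DC in the domain to run 2008 or later); domainControllerFunctionality is a per-DC value and says nothing about the domain. It assumes PowerShell 2.0 or later on a domain-joined host and an account that can read the Password Settings Container; "testuser" is a placeholder account name.

```powershell
# Added diagnostic script; it is not code from the thread or from Microsoft.
# Assumptions: PowerShell 2.0+ on a domain-joined Windows host, run as a user
# who can read CN=Password Settings Container; "testuser" is a placeholder.
param([string]$SamAccountName = "testuser")

# Escape a value before interpolating it into an LDAP filter (RFC 4515), so a
# crafted account name cannot change the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

# First value of a (possibly absent) attribute from either a DirectoryEntry
# PropertyCollection or a SearchResult ResultPropertyCollection.
function Get-FirstValue($Properties, [string]$Name) {
    $values = @($Properties[$Name])
    if ($values.Count -gt 0) { $values[0] } else { $null }
}

function Get-FgppDiagnosis([string]$SamAccountName) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string](Get-FirstValue $rootDse.Properties "defaultNamingContext")

    # rootDSE exposes three different levels. ldp.exe shows all three; only
    # domainFunctionality gates fine-grained password policies (needs >= 3,
    # i.e. Windows Server 2008). domainControllerFunctionality is per-DC.
    $levels = @{}
    foreach ($name in "domainFunctionality", "forestFunctionality", "domainControllerFunctionality") {
        $levels[$name] = [int](Get-FirstValue $rootDse.Properties $name)
    }

    # Every PSO in the domain with its precedence and the DNs it is linked to.
    $psoSearch = New-Object System.DirectoryServices.DirectorySearcher
    $psoSearch.SearchRoot = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$domainDn"
    $psoSearch.Filter = "(objectClass=msDS-PasswordSettings)"
    [void]$psoSearch.PropertiesToLoad.AddRange([string[]]@("cn", "msDS-PasswordSettingsPrecedence", "msDS-PSOAppliesTo"))
    $psos = @(foreach ($r in $psoSearch.FindAll()) {
        New-Object PSObject -Property @{
            Name       = [string](Get-FirstValue $r.Properties "cn")
            Precedence = [int](Get-FirstValue $r.Properties "msds-passwordsettingsprecedence")
            AppliesTo  = @($r.Properties["msds-psoappliesto"])
        }
    })

    # msDS-ResultantPSO is a constructed attribute: it is only returned when
    # asked for by name, and only computed at domain functional level >= 3.
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher
    $userSearch.SearchRoot = [ADSI]"LDAP://$domainDn"
    $userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$userSearch.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "memberOf", "msDS-PSOApplied", "msDS-ResultantPSO"))
    $user = $userSearch.FindOne()
    if (-not $user) { throw "No user with sAMAccountName '$SamAccountName' under $domainDn" }

    $userDn    = [string](Get-FirstValue $user.Properties "distinguishedname")
    $groups    = @($user.Properties["memberof"])
    $resultant = Get-FirstValue $user.Properties "msds-resultantpso"

    # PSOs that name the user directly or one of its direct groups
    # (msDS-PSOAppliesTo is not expanded through nested groups here).
    $linked = @($psos | Where-Object {
        $targets = $_.AppliesTo
        ($targets -contains $userDn) -or (@($groups | Where-Object { $targets -contains $_ }).Count -gt 0)
    } | Sort-Object Precedence)

    $verdict = if ($levels["domainFunctionality"] -lt 3) {
        "domainFunctionality is $($levels['domainFunctionality']) (< 3 = Windows Server 2008): linked PSOs are ignored and the Default Domain Policy applies."
    } elseif ($linked.Count -eq 0) {
        "No PSO is linked to this user or its direct groups; the Default Domain Policy applies."
    } elseif (-not $resultant) {
        "PSO(s) are linked but the DC returned no msDS-ResultantPSO; check replication and the link attributes."
    } else {
        "Effective PSO: $resultant"
    }

    New-Object PSObject -Property @{
        FunctionalLevels = $levels
        UserDn           = $userDn
        LinkedPSOs       = $linked
        ResultantPSO     = $resultant
        Verdict          = $verdict
    }
}

Get-FgppDiagnosis -SamAccountName $SamAccountName | Format-List
```

Run it once against the test account; if the Verdict line reports domainFunctionality below 3 while LinkedPSOs is non-empty, the links are fine and the functional level is the whole problem.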

Author

Commented:
I have already looked at all those articles and it didn't help me. I didn't get any results from the dsget command, so I know that it's getting the default password policy, but how do I fix it?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Just one DC? Or could it be a replication problem?
Maybe give a GUI tool a try? (I know, it does the same, yes): http://www.specopssoft.com/products/specops-password-policy/specops-password-policy-basic-download_1

Author

Commented:
No we have two DC (PDC, BDC).
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
So please check if the settings replicated.

Author

Commented:
Yes, the PSO did replicate to my BDC.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Ok, have a go with the GUI tool, it's free and easy.

Author

Commented:
I downloaded and installed the program. It says that Specops Password Policy Basic is not supported in the domain. Specops Password Policy can only run in Windows 2008 domains. I am running a Windows 2008 domain.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
That should be the problem: your domain is not at the 2008 functional level although you think it is. Or is it the forest functional level that's still 2003? Find out.

Author

Commented:
How do I look at that?

I thought it was in ldp.exe, after connecting to my domain controller.

If I do that it says the following:

domainControllerFunctionality: 3 = (WIN 2008)
forestfunctionality: 0 = (WIN 2000)

Is the forest functionality hurting me? Can I change that quickly and easily? How do I change it? Will it affect anything on my domain?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
> Is the forest functionality hurting me? - yes.
See http://support.microsoft.com/kb/322692
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Are you still fearing the forest level upgrade?

Author

Commented:
Yes I am. Will there be down time when I am raising the forest level? Is it quick to make the change or does it take hours? What happens when users are logged into the domain as i am changing it?
CERTIFIED EXPERT
Top Expert 2012
Commented:
You can change the forest level at any time. No downtime. It takes minutes to do. It does not matter what the users are doing.

http://technet.microsoft.com/en-us/library/cc730985.aspx
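The raise itself is a single cmdlet call, but the preflight checks are what keep it from failing half-way or from being attempted while an old DC is still in the domain (the author's own 2003 DC below is exactly that case). The script that follows is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and an account in Domain Admins for the domain mode and Enterprise Admins for the forest mode. It refuses to proceed while any DC reports an OS older than Windows Server 2008, raises the domain mode before the forest mode (the forest cannot go to 2008 until every domain in it has), and then reads domainFunctionality from each DC's rootDSE so you can confirm the change has replicated everywhere. Since a raise cannot be undone with these tools, it defaults to a dry run.

```powershell
# Added example; not code from the thread or from Microsoft. Assumes the
# ActiveDirectory module (Windows Server 2008 R2 or RSAT) and an account that
# is a member of Domain Admins (domain mode) and Enterprise Admins (forest mode).
# A functional-level raise cannot be undone with these tools, so run -DryRun first.
Import-Module ActiveDirectory

# Returns $true when a DC's reported OS is Windows Server 2008 or later.
function Test-DcOsSupported([string]$OperatingSystem) {
    $OperatingSystem -match 'Windows Server (2008|2012|2016|2019|2022)'
}

function Invoke-FunctionalLevelRaise {
    param([switch]$DryRun)

    $domain = Get-ADDomain
    $forest = Get-ADForest
    $target = 3   # ADDomainMode / ADForestMode value for Windows Server 2008

    # Preflight: every DC in the domain must already run Windows Server 2008+.
    # Until an older DC is demoted, the domain cannot go past its mode.
    $dcs = @(Get-ADDomainController -Filter * -Server $domain.PDCEmulator)
    $old = @($dcs | Where-Object { -not (Test-DcOsSupported $_.OperatingSystem) })
    if ($old.Count -gt 0) {
        $names = ($old | ForEach-Object { $_.HostName }) -join ', '
        throw "Cannot raise: DCs below Windows Server 2008 still exist: $names"
    }

    # Domain mode first, performed against the PDC emulator.
    if ([int]$domain.DomainMode -lt $target) {
        if ($DryRun) { Write-Output "Would raise $($domain.DNSRoot) to Windows2008Domain" }
        else { Set-ADDomainMode -Identity $domain -DomainMode Windows2008Domain -Server $domain.PDCEmulator -Confirm:$false }
    } else { Write-Output "$($domain.DNSRoot) is already at domain mode $($domain.DomainMode)" }

    # Forest mode needs every domain in the forest at the target level.
    $lagging = @(foreach ($d in $forest.Domains) {
        if ([int](Get-ADDomain -Identity $d).DomainMode -lt $target) { $d }
    })
    if (-not $DryRun -and $lagging.Count -gt 0) {
        throw "Forest mode cannot be raised; domains still below 2008 mode: $($lagging -join ', ')"
    }
    if ([int]$forest.ForestMode -lt $target) {
        if ($DryRun) { Write-Output "Would raise forest $($forest.Name) to Windows2008Forest" }
        else { Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest -Server $forest.SchemaMaster -Confirm:$false }
    }

    # Verify on each DC: rootDSE domainFunctionality must read 3 everywhere
    # once the change has replicated (re-run until no DC lags behind).
    foreach ($dc in $dcs) {
        $dse = Get-ADRootDSE -Server $dc.HostName
        New-Object PSObject -Property @{
            DC                  = $dc.HostName
            domainFunctionality = $dse.domainFunctionality
            forestFunctionality = $dse.forestFunctionality
        }
    }
}

Invoke-FunctionalLevelRaise -DryRun
```

Drop -DryRun only after the dry run reports no old DCs and no lagging domains; the per-DC table at the end is the same information ldp.exe shows, collected from every DC instead of one.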

Author

Commented:
Thank you. I need to wait till tomorrow to do this because I do have one DC that is running Server 2003. I am removing this server tomorrow, so I will then change the functional level. I will let you know if this works.

Thanks again for your help!
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Nothing for me? Thanks.