fine grained password policy not working

My fine-grained password policy is not working. I went through the step-by-step guide here: fine grain password setup. I then researched and went through the following steps to figure out why it isn't working.

1. dsget user <User-DN> -effectivepso
    a. This didn't do anything except give me a "dsget succeeded" reply.

2. Checked the domain functional level by going to Ldp.exe and connecting to my domain controller
    a. It says 3 = (WIN2008) next to domainControllerFunctionality.

3. Tried adding the user to an Active Directory group and then adding the group to the fine-grained password policy in ADSI, but this also didn't do anything.

4. I have checked msDS-PSOAppliesTo
    a. This is set correctly. It has my user and group there.

5. I have changed msDS-PasswordSettingsPrecedence to 1
    a. This didn't make a difference.

My domain controller is a Windows 2008 64-bit machine. After all this I am still having problems with my test user. This user is still under the default password policy and not my new one.
Asked by Juneaucounty
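The checks the question walks through (functional levels in ldp.exe, dsget -effectivepso, msDS-PSOAppliesTo, precedence) collected into one script. This is an added example, not code from the original post or from Microsoft. It uses only [ADSI] / System.DirectoryServices, so it runs on a Windows Server 2008 DC without the ActiveDirectory module; it assumes a test account name ($UserSam) and an optional DC name ($Server), so the same checks can be run against each DC to confirm the PSO has replicated. Two things it makes explicit that are easy to miss in ldp.exe: RootDSE exposes three separate values, and the one that gates fine-grained password policies is domainFunctionality (the domain functional level, which must be 3 = Windows Server 2008 or higher), not domainControllerFunctionality; and msDS-ResultantPSO, the attribute dsget -effectivepso reports, is a constructed attribute that the DC only returns when it is requested by name. It also flags a PSO link to a group that is not a global security group, since such links are ignored.

```powershell
# Added example for this thread, not code from the original post: collect the checks
# discussed above into one script. Uses only [ADSI] / System.DirectoryServices, so it runs
# on a Windows Server 2008 DC without the ActiveDirectory module.
# Assumptions: $UserSam is the test account; $Server (optional) is a DC to bind to, so the
# script can be run once per DC to see whether the PSO has replicated everywhere.
param(
    [string]$UserSam = 'testuser',
    [string]$Server  = ''
)
$prefix   = if ($Server) { "$Server/" } else { '' }
$rootDse  = [ADSI]"LDAP://${prefix}RootDSE"
$domainDn = $rootDse.Properties['defaultNamingContext'].Value

# 1. Functional levels. ldp.exe shows three different RootDSE values; the one that gates
#    fine-grained password policies is domainFunctionality (3 = Windows Server 2008).
#    domainControllerFunctionality only describes the DC you bound to.
foreach ($attr in 'domainControllerFunctionality', 'domainFunctionality', 'forestFunctionality') {
    '{0,-31} {1}' -f $attr, $rootDse.Properties[$attr].Value
}
if ([int]$rootDse.Properties['domainFunctionality'].Value -lt 3) {
    Write-Warning 'Domain functional level is below Windows Server 2008; PSOs are ignored until it is raised.'
}

# 2. The user. msDS-ResultantPSO (what dsget -effectivepso reports) is a constructed
#    attribute: the DC only returns it when it is requested by name.
$userSearch = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://${prefix}$domainDn")
$userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$UserSam))"
[void]$userSearch.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf', 'msDS-ResultantPSO'))
$user = $userSearch.FindOne()
if (-not $user) { throw "No user with sAMAccountName '$UserSam' under $domainDn" }
$userDn = $user.Properties['distinguishedname'][0]
$groups = @($user.Properties['memberof'])
if ($user.Properties['msds-resultantpso'].Count -gt 0) {
    "Resultant PSO for $UserSam : $($user.Properties['msds-resultantpso'][0])"
} else {
    "Resultant PSO for $UserSam : none, so the Default Domain Policy password settings apply"
}

# 3. Every PSO in the Password Settings Container, its precedence, and whether each
#    msDS-PSOAppliesTo entry actually reaches this user. Group links only work for
#    global security groups (groupType has both 0x80000000 security and 0x2 global set).
$psoSearch = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://${prefix}CN=Password Settings Container,CN=System,$domainDn")
$psoSearch.Filter = '(objectClass=msDS-PasswordSettings)'
[void]$psoSearch.PropertiesToLoad.AddRange([string[]]@('cn', 'msDS-PasswordSettingsPrecedence', 'msDS-PSOAppliesTo'))
foreach ($pso in $psoSearch.FindAll()) {
    "PSO '{0}' precedence {1}" -f $pso.Properties['cn'][0], $pso.Properties['msds-passwordsettingsprecedence'][0]
    foreach ($target in @($pso.Properties['msds-psoappliesto'])) {
        $reach = if ($target -eq $userDn) { 'applies to the user directly' }
                 elseif ($groups -contains $target) { 'applies via group membership' }
                 else { 'does not reach this user' }
        $entry = [ADSI]"LDAP://${prefix}$target"
        if ($entry.SchemaClassName -eq 'group') {
            $gt = [int64]$entry.Properties['groupType'].Value
            if (($gt -band 0x80000000) -eq 0 -or ($gt -band 0x2) -eq 0) {
                $reach += ' [NOT a global security group: this link is ignored]'
            }
        }
        '  - {0}: {1}' -f $target, $reach
    }
}
```

Run it once without -Server and once per DC (for example -Server bdc01) and compare the PSO listings: a PSO that shows on one DC only has not replicated. When several PSOs reach the same user, a PSO linked to the user directly wins over one linked through a group, and among PSOs of the same kind the lowest msDS-PasswordSettingsPrecedence value wins; the msDS-ResultantPSO line is the authoritative answer to which one the DC actually enforces.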
1 Solution
 
McKnife commented:
Hi.

I've set this up in some domains (real ones, test ones) and never had any difficulty.
Please read http://technet.microsoft.com/en-us/library/cc770848(v=ws.10), which gives you two insights:
1) If the PSO name is not returned by the dsget command, the Default Domain Policy is applied to the specified user account.
2) There is another place to look to see if it is applied: seek the user-object attribute "msDS-ResultantPSO". If the value of the msDS-ResultantPSO attribute is Null, the Default Domain Policy is applied to the selected user account.
 
Juneaucounty (author) commented:
I have already looked at all those articles and they didn't help me. I didn't get any results from the dsget command, so I know that it's getting the default password policy, but how do I fix it?
 
McKnife commented:
Just one DC? Or could it be a replication problem?
Maybe give a GUI tool a try? (I know, it does the same, yes): http://www.specopssoft.com/products/specops-password-policy/specops-password-policy-basic-download_1
 
Juneaucounty (author) commented:
No, we have two DCs (PDC, BDC).
 
McKnife commented:
So please check if the settings replicated.
 
Juneaucounty (author) commented:
Yes, the PSO did replicate to my BDC.
 
McKnife commented:
Ok, have a go with the GUI tool, it's free and easy.
 
Juneaucounty (author) commented:
I downloaded and installed the program. It says that Specops Password Policy Basic is not supported in the domain: Specops Password Policy can only run in Windows 2008 domains. I am running a Windows 2008 domain.
 
McKnife commented:
That should be the problem: your domain is not at the 2008 functional level although you think it is. Or is it the forest functional level that's still 2003? Find out.
 
Juneaucounty (author) commented:
How do I look at that?

I thought it was in ldp.exe and then connect to my domain controller.

If I do that it says the following:

domainControllerFunctionality: 3 = (WIN 2008)
forestFunctionality: 0 = (WIN 2000)

Is the forest functionality hurting me? Can I change that quick and easy? How do I change it? Will it affect anything on my domain?
 
McKnife commented:
> Is the forest functionality hurting me? - yes.
See http://support.microsoft.com/kb/322692
 
McKnife commented:
Are you still fearing the forest level upgrade?
 
Juneaucounty (author) commented:
Yes, I am. Will there be downtime when I am raising the forest level? Is it quick to make the change, or does it take hours? What happens when users are logged into the domain as I am changing it?
 
Darius Ghassem commented:
You can change the forest level at any time. No downtime. Takes minutes to do. Does not matter what the users are doing.

http://technet.microsoft.com/en-us/library/cc730985.aspx
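The raise discussed above, as a pre-flight checklist in script form. This is an added example, not code from the original thread or from Microsoft. Its assumptions: the ActiveDirectory module for the final two cmdlets (Windows Server 2008 R2 or RSAT; on a plain Windows Server 2008 DC that last step is done in Active Directory Domains and Trusts, as the KB article linked above describes), and a hypothetical -DoIt switch that keeps the default run read-only. The checks encode two facts a practitioner wants confirmed before clicking: the Windows Server 2008 domain mode cannot be raised while any DC in the domain still runs an older OS, and the forest mode cannot be raised until every domain in the forest is at that domain level. The change itself is one attribute write that replicates like any other, so there is no outage, but on Windows Server 2008 it cannot be undone.

```powershell
# Added example for this thread, not code from the original post or from Microsoft:
# pre-flight checks before raising the domain and forest functional levels to
# Windows Server 2008, followed by the raise itself. Checks use [ADSI] only; the two
# Set-AD*Mode calls need the ActiveDirectory module (Windows Server 2008 R2 or RSAT),
# so on a plain 2008 DC do that last step in Active Directory Domains and Trusts instead.
# $DoIt is an assumed safety switch: without it, nothing is written.
param([switch]$DoIt)

# Return the first value of a search-result attribute, or $null if it is absent.
function Get-Prop($result, $name) {
    if ($result.Properties[$name].Count -gt 0) { $result.Properties[$name][0] }
}

$rootDse     = [ADSI]'LDAP://RootDSE'
$domainDn    = $rootDse.Properties['defaultNamingContext'].Value
$configDn    = $rootDse.Properties['configurationNamingContext'].Value
$domainLevel = [int]$rootDse.Properties['domainFunctionality'].Value
$forestLevel = [int]$rootDse.Properties['forestFunctionality'].Value
"domainFunctionality=$domainLevel forestFunctionality=$forestLevel (target: 3 = Windows Server 2008)"

# 1. Every DC in this domain with its OS. DCs carry SERVER_TRUST_ACCOUNT (0x2000) in
#    userAccountControl; the :1.2.840.113556.1.4.803: matching rule does the bit test on the DC.
$dcSearch = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$domainDn")
$dcSearch.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$dcSearch.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'operatingSystem', 'operatingSystemVersion'))
$blockers = @()
foreach ($dc in $dcSearch.FindAll()) {
    $name = Get-Prop $dc 'dnshostname'
    $ver  = [string](Get-Prop $dc 'operatingsystemversion')     # e.g. "5.2 (3790)" or "6.0 (6002)"
    '{0,-30} {1} {2}' -f $name, (Get-Prop $dc 'operatingsystem'), $ver
    # Windows Server 2008 is NT 6.0; any DC below that blocks the Windows2008 domain mode.
    $ntVersion = if ($ver) { [version]($ver -replace '\s.*$', '') } else { [version]'0.0' }
    if ($ntVersion -lt [version]'6.0') { $blockers += $name }
}

# 2. Forest mode 2008 also needs every domain in the forest at domain level 3. Each
#    domain's level is stored in msDS-Behavior-Version on its domain NC head; the domain
#    crossRefs are the ones under CN=Partitions that carry a nETBIOSName.
$xrSearch = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://CN=Partitions,$configDn")
$xrSearch.Filter = '(&(objectClass=crossRef)(nETBIOSName=*))'
[void]$xrSearch.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot'))
$lagging = @()
foreach ($xr in $xrSearch.FindAll()) {
    $nc  = Get-Prop $xr 'ncname'
    $dns = Get-Prop $xr 'dnsroot'
    $lvl = [int]([ADSI]"LDAP://$dns/$nc").Properties['msDS-Behavior-Version'].Value
    'domain {0,-25} msDS-Behavior-Version={1}' -f $dns, $lvl
    if ($lvl -lt 3 -and $nc -ne $domainDn) { $lagging += $dns }   # this domain is raised below
}

if ($blockers.Count -gt 0) {
    Write-Warning ('Demote or upgrade these DCs first; the domain mode cannot go to 2008 while they exist: ' + ($blockers -join ', '))
    return
}
if (-not $DoIt) {
    'Dry run. Confirm replication is clean (repadmin /replsummary), then re-run with -DoIt.'
    return
}

# 3. The raise. It is a one-way change on Windows Server 2008, hence -Confirm on both calls.
Import-Module ActiveDirectory
if ($domainLevel -lt 3) {
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008Domain -Confirm
}
if ($lagging.Count -eq 0) {
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -Confirm
} else {
    Write-Warning ('Forest mode left alone; these domains are still below level 3: ' + ($lagging -join ', '))
}
```

The dry run is the useful part for the situation in this thread: a DC still running Windows Server 2003 shows up in the blockers list and stops the script before anything is written, which is exactly the order of operations (demote the old DC, verify replication, then raise) that avoids a failed raise.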
 
Juneaucounty (author) commented:
Thank you. I need to wait until tomorrow to do this because I do have one DC that is running Server 2003. I am removing this server tomorrow, so I will then change the functionality level. I will let you know if this works.

Thanks again for your help!
 
McKnife commented:
Nothing for me? Thanks.
