Solved

Password reset policy GPO

Posted on 2014-01-07
25
597 Views
Last Modified: 2014-01-08
I instituted changes to our password policy for our company.  Up until today, we had none.  People were not required to change passwords or have any type of restrictions.  I instituted a simple password policy which requires people to change their password every 90 days and not reuse their last password when changing.

This has been a nightmare.  I created a separate GPO and enforced it overnight.  I did a gpupdate /force when completed.  I purposely did not put a lockout option into my policy because I did not want to have to unlock accounts whenever someone forgot their new password.

This is the issue.  It is not happening to all, but to some, and enough to make it nerve-wracking.  People change their passwords, because the next day when people came in, their current password had expired and they were forced to change.  That worked fine, but there were some that were able to log in fine with their old password - they did not get the expired message, but then Outlook would not let them on.  What I was forced to do was have them shut down, manually reset their password through AD, and then they would log back in under the new password.

Another issue is that if they continue to put in the wrong password, it is locking the account and I have to go into AD and unlock the account.  I looked through every policy and that is not defined.

We have to keep this policy.  How can I make this smoother?  What did I miss?
Question by:Salonge
25 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 125 total points
Did you link the password policy at the domain level?  Run an RSoP for one of the users and see what password policy is applying to them; if possible, can you take a screenshot of those settings in the report and post them?

Thanks

Mike
0
 

Author Comment

by:Salonge
Thank you.  How do I run an RSoP?  Also, the domain policy for passwords is not defined.
0
 
LVL 13

Assisted Solution

by:dhoffman_98
dhoffman_98 earned 125 total points
You said you did not already have a previous policy? Yes you did. It's called "Default Domain Policy" and is created by default when you create an AD Domain.

That policy holds the default settings for password policies.

If you tried to create a new GPO and set those settings there, it will be in conflict with the ones in the Default Domain Policy... which is the only place they should exist.

Please make your changes in that GPO, and remove them from the new one.
0
 
LVL 57

Expert Comment

by:Mike Kline
In GPMC go to Group Policy Results, right click and start the wizard; screenshot below.

RSOP
The password policy for the domain has to be linked at the domain level.  

Thanks

Mike
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 125 total points
Did you modify the Default Domain Policy with those password settings, or did you create a new GPO?  Windows supports only one GPO password policy, which is set up by default at domain level.  When you have your own GPO then you have to apply it at domain level, and all password policy settings must be cleared in the Default Domain Policy.

To have more granular password policies, you need to have Windows Server 2008 Domain Functional Level and then you can use Fine-Grained Password Policies.

For more details, please check articles on my blog for that at

Domain Password policy details
http://kpytko.pl/2012/05/16/domain-password-policy/

Fine-Grained Password Policies
http://kpytko.pl/2012/11/09/fine-grained-password-policy-in-windows-server-20082008r2/

and if you wish to see the settings applied to a user, including password settings, run in the command line
gpresult /z >c:\gpresult.log

and review it to see what password settings are applied.

Regards,
Krzysztof
0
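The two answers above suggest checking, from the user's side, which password policy is actually in force. The following PowerShell is an added example written for this thread and is not code from any of the participants; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin host, and the account name jdoe is a placeholder. It reports the domain-wide policy (the only thing a plain GPO linked at the domain level can set), any fine-grained policy that overrides it for the user, the per-account expiry and lockout state, and a list of currently locked-out accounts, which is the first thing to look at when users report "account locked" even though no GPO defines a lockout threshold.

```powershell
# Added example, not from the thread. Placeholder user; replace with a real account.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SamAccountName = 'jdoe'

# 1. Domain-wide password/lockout policy. A GPO linked at the domain level writes
#    these values onto the domain head; this is where they are read from.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
Write-Output ("Domain policy: MaxPasswordAge={0} PasswordHistoryCount={1} LockoutThreshold={2} (0 = no lockout)" -f `
    $domainPolicy.MaxPasswordAge, $domainPolicy.PasswordHistoryCount, $domainPolicy.LockoutThreshold)

# 2. A Fine-Grained Password Policy (PSO) overrides the domain policy for the users
#    it targets, so a lockout threshold can come from here even if no GPO sets one.
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($pso) {
    Write-Output ("PSO '{0}' applies: MaxPasswordAge={1} LockoutThreshold={2}" -f `
        $pso.Name, $pso.MaxPasswordAge, $pso.LockoutThreshold)
} else {
    Write-Output "No fine-grained policy applies to $SamAccountName; the domain policy governs."
}

# 3. Per-account state. pwdLastSet (PasswordLastSet) drives expiry: once a
#    MaxPasswordAge is in force, any user whose password is older than that is
#    forced to change at next logon. badPwdCount is per-DC and not replicated, so
#    query the PDC emulator (or each DC) when chasing a lockout.
$pdc = (Get-ADDomain).PDCEmulator
Get-ADUser -Identity $SamAccountName -Server $pdc `
    -Properties PasswordLastSet, PasswordExpired, LockedOut, badPwdCount, lockoutTime |
    Select-Object SamAccountName, PasswordLastSet, PasswordExpired, LockedOut, badPwdCount

# 4. Everyone locked out right now, domain-wide.
Search-ADAccount -LockedOut -Server $pdc | Select-Object SamAccountName, LastLogonDate

# 5. Resultant Set of Policy for the user on a computer they have logged on to
#    (the scripted equivalent of the GPMC wizard / gpresult /z mentioned above).
$rsopPath = Join-Path $env:TEMP 'rsop.html'
Get-GPResultantSetOfPolicy -Computer $env:COMPUTERNAME -User $SamAccountName `
    -ReportType Html -Path $rsopPath
Write-Output "RSoP report written to $rsopPath"
```

Step 5 only succeeds on a machine where that user has actually logged on, which is why running it from a server the user never touches (as happens later in this thread) produces errors rather than a useful report.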
 

Author Comment

by:Salonge
Okay, in the Domain Policy there is not a password policy, or rather there is not one defined.  What I did was to create a new GPO with the password policy I wanted.  Then once I created it, I right-clicked on the policy and selected Enforce.

So was that not the correct way?  How will defining this password policy in the Default Domain Policy affect the current users?  Will it automatically make everyone change their password again?
0
 
LVL 57

Expert Comment

by:Mike Kline
You can define the PW policy in a different policy but it has to be linked at the domain level.

What did the RSoP report say?

Thanks

Mike
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
No, if the Default Domain Policy has no password settings defined, you are able to use your own GPO, but it must be applied at domain level.

If you set up the same settings within the Default Domain Policy and remove your custom GPO, nothing wrong should happen, because the pwdLastSet attribute is evaluated before a password change is enforced.  This will only happen for those users who did not previously change their password.

Krzysztof
0
 

Author Comment

by:Salonge
How do I apply it at domain level?
0
 

Author Comment

by:Salonge
Using my newly created GPO? Or do I just change the settings in the domain policy itself?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
In the Group Policy Management console, right-click your domain name and select "Link an existing GPO"; from the list choose your GPO with the password settings, and that's all.

Krzysztof
0
 
LVL 57

Expert Comment

by:Mike Kline
You can do either; if you want to use the one you have, right click at the domain level and link the existing GPO.

As with any GPO....the normal warning please test in a lab first if you can.

Thanks

Mike
0
 

Author Comment

by:Salonge
I went through the process and it says it is already linked and enforced.  The Default Domain says not enforced.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
So, that's all.  Just run RSoP as Mike said, or run gpresult as I said, and check what settings are applied.

Krzysztof
0
 

Author Comment

by:Salonge
I ran the RSoP on an account and the new Password Policy was there except that there were red X's on the policy criteria.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Reboot the computer on which you are testing that and log on once again using the same user account.  Run RSoP once again and verify whether those errors are still reported.

Are you sure that the Default Domain Policy does not have password settings defined?

Krzysztof
0
 

Author Comment

by:Salonge
I am running this from Active Directory on my Exchange Server, so it is not really feasible to restart it at this time.  I just chose a user at random to run the RSoP.  I am logged into the server as the Domain Admin.
0
 

Author Comment

by:Salonge
I ran this from my computer and my user account is using the policy that I created.
0
 

Author Comment

by:Salonge
So the GPO is the newly created password policy; it is linked with the Domain and it is not working correctly.  The part that concerns me is the lockout policy, which doesn't exist in either this policy or the domain policy.
0
 
LVL 21

Expert Comment

by:yo_bee
Question I did not see asked:

Do you know if you have background refresh enabled (by default it is)?
If not, then the policy will not apply until the computer is rebooted or a manual gpupdate /target:computer is run.  This might be why some machines got the settings and others did not.

Setting: Computer Configuration\Administrative Templates\System\Group Policy


Also can you post your settings:

Please take note before posting any sensitive information.  I like to black out my domain or user names.
0
 

Author Comment

by:Salonge
There is nothing configured under this option in Group Policy.  So after looking at this, should I enable "Turn off background refresh of Group Policy"?  I want the computer to refresh, but not while someone is logged in.
0
 
LVL 21

Expert Comment

by:yo_bee
You do not want to enable this.
I wanted to make sure that this was not enabled, but I still think the machines need to restart for this setting to apply.

That is why I am thinking that you saw some machines work and some that did not.
0
 

Author Comment

by:Salonge
Okay.  So I need to leave this alone and once people restart their computers they should be fine?  Is there a default built-in lockout policy that I can't see?
0
 
LVL 21

Accepted Solution

by:
yo_bee earned 125 total points
As others mentioned the Default Domain Policy most likely has Password Policy setup as the default.

Default Domain Policy
Note that the order in which the GPOs apply makes a difference as well.

Last to apply overwrites any previous settings.

Order of applying:

Local Setting
Forest
Domain
OU
sub-OU  (If there is a sub)

They also apply in the order from top to bottom per node level, but enforce supersedes others no matter what.

Example
Your Password Policy then Default Domain Policy.
If you had a certain setting in the Password Policy and the Default Domain Policy also has a setting for the same thing, the Default Domain Policy wins because it was the last to apply.

If you had the Default Domain Policy linked to the Domain and had your Password Policy linked to the OU with computers (Firm Computers) then the Password Policy wins.

Note that this is a Computer-based policy, so if you link it to an OU that only users are in then it will not have any effect on the computers.

Does that help at all?
0
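The accepted answer explains that link order and the Enforced flag decide which of two GPOs linked at the domain level wins for the same setting. The PowerShell below is an added example for this thread, not code from any participant; it assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin host. It lists every GPO linked at the domain head in precedence order, shows whether each link is enforced and enabled, and inspects each GPO's XML report for the account-policy keys (the same names secedit uses in its .inf files), so you can see at a glance whether two linked GPOs are both trying to set password or lockout values.

```powershell
# Added example, not from the thread. Requires RSAT GroupPolicy + ActiveDirectory.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$inheritance = Get-GPInheritance -Target $domain.DistinguishedName

# Account-policy keys as they appear in a GPO XML report (secedit .inf names).
# LockoutBadCount is the "Account lockout threshold"; 0 or absent means no lockout.
$accountKeys = 'MaximumPasswordAge', 'MinimumPasswordAge', 'MinimumPasswordLength',
               'PasswordHistorySize', 'PasswordComplexity',
               'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount'

# Order 1 = highest precedence (applied last). An Enforced link beats any
# non-enforced link regardless of order, and cannot be blocked further down.
$inheritance.GpoLinks | Sort-Object Order | ForEach-Object {
    $link = $_
    $xml  = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    # The report wraps security settings in a namespace prefix (e.g. q1:), so
    # match <Name> with or without a prefix.
    $found = $accountKeys | Where-Object { $xml -match "<(?:\w+:)?Name>$_</(?:\w+:)?Name>" }
    [pscustomobject]@{
        Order       = $link.Order
        GPO         = $link.DisplayName
        Enforced    = $link.Enforced
        LinkEnabled = $link.Enabled
        AccountKeys = if ($found) { $found -join ',' } else { '(none)' }
    }
} | Format-Table -AutoSize
```

If more than one row shows account keys, the row with the lowest Order (or the Enforced one) is the policy the domain actually uses; the other GPO's password settings are dead configuration and should be cleared so that what you see in the editor matches what Get-ADDefaultDomainPasswordPolicy reports.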
 

Author Comment

by:Salonge
I think so.  My Default Domain Policy is not enforced, but my newly created Password Policy is what everyone is using, based on the RSoP information, and that seems to work once people restart their computers.

I was really concerned because people had to restart their computers (but you explained that - thanks so much); and people were getting account locked messages - which is not set anywhere in any policy on this network.

But I think I am good and can honestly distribute points among all who helped.  Thanks a bunch.
0
