Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Default domain password policy different than local security policy

Posted on 2016-08-11
6
40 Views
Last Modified: 2016-08-17
We are trying to implement a new password policy on our domain. If I go into the default domain policy, it will show that there is nothing defined except for a 4 character password minimum. If I run secpol.msc, it shows a different set of password requirements. It shows a 42 day password expiration, a 1 day password minimum age, and 24 passwords remembered on enforce password history. RSOP on workstations also shows that the only password policy defined is the 4 character minimum.

We have a 2003 domain controller and 3 2012 domain controllers. Domain functional level is Windows Server 2003.

EDIT: I have also looked through every group policy that we have and the only one with anything defined for a password policy is the default domain policy.
0
Comment
Question by:davebird
  • 3
  • 2
6 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752257
The domain password policy overrides the local policy. And additionally, this policy just work linked at the domain level, as far as you are using the Default Domain Policy, and we assume that it is in its default place it should work normally.

If RSOP gives the desired setting it means that it is ok.
0
 

Author Comment

by:davebird
ID: 41752265
The default domain policy is in the correct location and applying. If I run RSOP it shows the password policy that is set in the domain policy. If I run secpol.msc it shows a different set of policy.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752294
Hello.

It is just that with secpol.msc you can administer your local policies.

At the end, your resulting polices are going to be a merge between your local policies and your domain policies. However, any setting applied at the domain level is going to override your local polices.

If you open secpol.msc (as administrator) you can review and modify your local polices. However, you can just modify the polices that are not set at the domain level.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41752486
You have to understand how policies are enforced policies are applied to Local machines, Sites, Domains and Organizational Units in this order.  What you have to run is RSOP  (resultant set of policy)
Secpol.msc defines the local policy
0
 

Accepted Solution

by:
davebird earned 0 total points
ID: 41753741
So in the end I changed password maximum age, password minimum age, and number of remembered passwords from undefined to our new requirements and I could see it take effect in RSOP and in secpol.msc. I am not sure why there was a minimum and maximum password age being applied when it was undefined in group policy, but everything is working as it should now.
0
 

Author Closing Comment

by:davebird
ID: 41759077
After changing the group policy settings from "undefined," I was able to implement the new password policy. Still no solution on why workstations were getting a policy other than "undefined" before I implemented the policy.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question