Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 100
  • Last Modified:

Default domain password policy different than local security policy

We are trying to implement a new password policy on our domain. If I go into the default domain policy, it will show that there is nothing defined except for a 4 character password minimum. If I run secpol.msc, it shows a different set of password requirements. It shows a 42 day password expiration, a 1 day password minimum age, and 24 passwords remembered on enforce password history. RSOP on workstations also shows that the only password policy defined is the 4 character minimum.

We have a 2003 domain controller and 3 2012 domain controllers. Domain functional level is Windows Server 2003.

EDIT: I have also looked through every group policy that we have and the only one with anything defined for a password policy is the default domain policy.
0
David Bird
Asked:
David Bird
  • 3
  • 2
1 Solution
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
The domain password policy overrides the local policy. And additionally, this policy just work linked at the domain level, as far as you are using the Default Domain Policy, and we assume that it is in its default place it should work normally.

If RSOP gives the desired setting it means that it is ok.
0
 
David BirdPartnerAuthor Commented:
The default domain policy is in the correct location and applying. If I run RSOP it shows the password policy that is set in the domain policy. If I run secpol.msc it shows a different set of policy.
0
 
Schnell SolutionsSystems Infrastructure EngineerCommented:
Hello.

It is just that with secpol.msc you can administer your local policies.

At the end, your resulting polices are going to be a merge between your local policies and your domain policies. However, any setting applied at the domain level is going to override your local polices.

If you open secpol.msc (as administrator) you can review and modify your local polices. However, you can just modify the polices that are not set at the domain level.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
David Johnson, CD, MVPOwnerCommented:
You have to understand how policies are enforced policies are applied to Local machines, Sites, Domains and Organizational Units in this order.  What you have to run is RSOP  (resultant set of policy)
Secpol.msc defines the local policy
0
 
David BirdPartnerAuthor Commented:
So in the end I changed password maximum age, password minimum age, and number of remembered passwords from undefined to our new requirements and I could see it take effect in RSOP and in secpol.msc. I am not sure why there was a minimum and maximum password age being applied when it was undefined in group policy, but everything is working as it should now.
0
 
David BirdPartnerAuthor Commented:
After changing the group policy settings from "undefined," I was able to implement the new password policy. Still no solution on why workstations were getting a policy other than "undefined" before I implemented the policy.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now