Solved

Default domain password policy different than local security policy

Posted on 2016-08-11
6
24 Views
Last Modified: 2016-08-17
We are trying to implement a new password policy on our domain. If I go into the default domain policy, it will show that there is nothing defined except for a 4 character password minimum. If I run secpol.msc, it shows a different set of password requirements. It shows a 42 day password expiration, a 1 day password minimum age, and 24 passwords remembered on enforce password history. RSOP on workstations also shows that the only password policy defined is the 4 character minimum.

We have a 2003 domain controller and 3 2012 domain controllers. Domain functional level is Windows Server 2003.

EDIT: I have also looked through every group policy that we have and the only one with anything defined for a password policy is the default domain policy.
0
Comment
Question by:davebird
  • 3
  • 2
6 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752257
The domain password policy overrides the local policy. And additionally, this policy just work linked at the domain level, as far as you are using the Default Domain Policy, and we assume that it is in its default place it should work normally.

If RSOP gives the desired setting it means that it is ok.
0
 

Author Comment

by:davebird
ID: 41752265
The default domain policy is in the correct location and applying. If I run RSOP it shows the password policy that is set in the domain policy. If I run secpol.msc it shows a different set of policy.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752294
Hello.

It is just that with secpol.msc you can administer your local policies.

At the end, your resulting polices are going to be a merge between your local policies and your domain policies. However, any setting applied at the domain level is going to override your local polices.

If you open secpol.msc (as administrator) you can review and modify your local polices. However, you can just modify the polices that are not set at the domain level.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41752486
You have to understand how policies are enforced policies are applied to Local machines, Sites, Domains and Organizational Units in this order.  What you have to run is RSOP  (resultant set of policy)
Secpol.msc defines the local policy
0
 

Accepted Solution

by:
davebird earned 0 total points
ID: 41753741
So in the end I changed password maximum age, password minimum age, and number of remembered passwords from undefined to our new requirements and I could see it take effect in RSOP and in secpol.msc. I am not sure why there was a minimum and maximum password age being applied when it was undefined in group policy, but everything is working as it should now.
0
 

Author Closing Comment

by:davebird
ID: 41759077
After changing the group policy settings from "undefined," I was able to implement the new password policy. Still no solution on why workstations were getting a policy other than "undefined" before I implemented the policy.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now