Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Default domain password policy different than local security policy

Posted on 2016-08-11
6
Medium Priority
?
69 Views
Last Modified: 2016-08-17
We are trying to implement a new password policy on our domain. If I go into the default domain policy, it will show that there is nothing defined except for a 4 character password minimum. If I run secpol.msc, it shows a different set of password requirements. It shows a 42 day password expiration, a 1 day password minimum age, and 24 passwords remembered on enforce password history. RSOP on workstations also shows that the only password policy defined is the 4 character minimum.

We have a 2003 domain controller and 3 2012 domain controllers. Domain functional level is Windows Server 2003.

EDIT: I have also looked through every group policy that we have and the only one with anything defined for a password policy is the default domain policy.
0
Comment
Question by:davebird
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752257
The domain password policy overrides the local policy. And additionally, this policy just work linked at the domain level, as far as you are using the Default Domain Policy, and we assume that it is in its default place it should work normally.

If RSOP gives the desired setting it means that it is ok.
0
 

Author Comment

by:davebird
ID: 41752265
The default domain policy is in the correct location and applying. If I run RSOP it shows the password policy that is set in the domain policy. If I run secpol.msc it shows a different set of policy.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752294
Hello.

It is just that with secpol.msc you can administer your local policies.

At the end, your resulting polices are going to be a merge between your local policies and your domain policies. However, any setting applied at the domain level is going to override your local polices.

If you open secpol.msc (as administrator) you can review and modify your local polices. However, you can just modify the polices that are not set at the domain level.
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41752486
You have to understand how policies are enforced policies are applied to Local machines, Sites, Domains and Organizational Units in this order.  What you have to run is RSOP  (resultant set of policy)
Secpol.msc defines the local policy
0
 

Accepted Solution

by:
davebird earned 0 total points
ID: 41753741
So in the end I changed password maximum age, password minimum age, and number of remembered passwords from undefined to our new requirements and I could see it take effect in RSOP and in secpol.msc. I am not sure why there was a minimum and maximum password age being applied when it was undefined in group policy, but everything is working as it should now.
0
 

Author Closing Comment

by:davebird
ID: 41759077
After changing the group policy settings from "undefined," I was able to implement the new password policy. Still no solution on why workstations were getting a policy other than "undefined" before I implemented the policy.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question