Solved

Default domain password policy different than local security policy

Posted on 2016-08-11
6
28 Views
Last Modified: 2016-08-17
We are trying to implement a new password policy on our domain. If I go into the default domain policy, it will show that there is nothing defined except for a 4 character password minimum. If I run secpol.msc, it shows a different set of password requirements. It shows a 42 day password expiration, a 1 day password minimum age, and 24 passwords remembered on enforce password history. RSOP on workstations also shows that the only password policy defined is the 4 character minimum.

We have a 2003 domain controller and 3 2012 domain controllers. Domain functional level is Windows Server 2003.

EDIT: I have also looked through every group policy that we have and the only one with anything defined for a password policy is the default domain policy.
0
Comment
Question by:davebird
  • 3
  • 2
6 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752257
The domain password policy overrides the local policy. And additionally, this policy just work linked at the domain level, as far as you are using the Default Domain Policy, and we assume that it is in its default place it should work normally.

If RSOP gives the desired setting it means that it is ok.
0
 

Author Comment

by:davebird
ID: 41752265
The default domain policy is in the correct location and applying. If I run RSOP it shows the password policy that is set in the domain policy. If I run secpol.msc it shows a different set of policy.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752294
Hello.

It is just that with secpol.msc you can administer your local policies.

At the end, your resulting polices are going to be a merge between your local policies and your domain policies. However, any setting applied at the domain level is going to override your local polices.

If you open secpol.msc (as administrator) you can review and modify your local polices. However, you can just modify the polices that are not set at the domain level.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 41752486
You have to understand how policies are enforced policies are applied to Local machines, Sites, Domains and Organizational Units in this order.  What you have to run is RSOP  (resultant set of policy)
Secpol.msc defines the local policy
0
 

Accepted Solution

by:
davebird earned 0 total points
ID: 41753741
So in the end I changed password maximum age, password minimum age, and number of remembered passwords from undefined to our new requirements and I could see it take effect in RSOP and in secpol.msc. I am not sure why there was a minimum and maximum password age being applied when it was undefined in group policy, but everything is working as it should now.
0
 

Author Closing Comment

by:davebird
ID: 41759077
After changing the group policy settings from "undefined," I was able to implement the new password policy. Still no solution on why workstations were getting a policy other than "undefined" before I implemented the policy.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

OfficeMate Freezes on login or does not load after login credentials are input.
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question