Password policy problem in AD

Dear Experts, I have one AD (server2012R2) and one Mail Exchange 2016 server. When I configured the complexity of password in AD and applied it with "gpupdate /force", the policy could not applied in Exchange mail users. They can still change the password with simple phrases. For example: no need special characters, or number,...

Can you please explain and suggest?

Many thanks!
DP230Network AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

you should wait for few hours to replicate GP to end user systems, else you can ask one user to restart PC and then check if policy is working or not?
Derek SouterITO Svc Delivery Cons IIICommented:
Password policy is an AD change - and should be configured in the default domain policy.    HOWEVER, depending on the level of your active directory, you can get fine grained password policies - so you may find that there is more than one password policy in your AD - I suggest running a resultant set of policy for some of your users, and looking to see what policies are in place for them.    NB - because the password policy is for the Domain, waiting until it replicates to the end user systems is NOT relevant, as long as it has applied to ALL of your Domain Controllers.
DP230Network AdministratorAuthor Commented:
@Gaurav:  yes we waited for hours but the new passwords still can be set without special symbol.

@Derek: We have only 1 Domain controller, and my AD is in forest of domain name

Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

Derek SouterITO Svc Delivery Cons IIICommented:
the complexity requirements are that the passwords must contain 1 character from each of the various groups

from the explanation

Contain characters from three of the following four categories
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)

so "Password1" is valid, as is "Password!"

simply enabling password complexity will not force users to use a special character in the password - only that their password contains 3 of the 4 categories

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The change for domain accounts does not apply to end users nor to their computers but only to the domain controller - the passwords are evaluated there. After doing gpupdate at the domain controller, see with rsop.msc or with gpresult if it applied and when it did, the domain password complexity will be enforced.
Derek SouterITO Svc Delivery Cons IIICommented:
have you confirmed the policies that are applying to the users - in case there is another password policy being applied?

I suggested running a resultant set of policy to confirm that.
DP230Network AdministratorAuthor Commented:
Hi, what is resultant set of policy? Can you clarify more?

I checked with gpresult /H and saw the configurations as desire, but we still can change to the easy-guess password (ex: Name12345, Abc11111,...)
Derek SouterITO Svc Delivery Cons IIICommented:
please read my explanation of the password complexity policy above - the passwords you have noted as being insecure meet the complexity requirements
DP230Network AdministratorAuthor Commented:
It was my bad when did not read it carefully.

Many thanks !
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.