Link to home
Start Free TrialLog in
Avatar of Eirik Gjerdalen
Eirik Gjerdalen

asked on

Minimum password length requirement not applied.

Minimum password length requirement not applied.
In a 2003 domain level, with windows 7 and windows 10 clients.
I have adjusted the default domain policy, that is linked to the domain, not an OU.
The minimum requirement is 7 characters, but when I require the user to change password at login they can enter 1 digit.

The GPO is applied, and Group Policy results confirms the value is 7, but still we can change with just 1 digit.
I have verified with another costumer, running newer servers that the GPO is correct.
I have also checked the other applied GPO`s to make sure they do not interfere with the password policy.
Avatar of Jeremy Weisinger
Jeremy Weisinger

Run GPResults on the DC. What is the password policy for it?
Avatar of Eirik Gjerdalen

ASKER

I assume you want Gpresult /r? The default domain policy is applied for computer.
However, under GPMC, Group Policy Result, the DC does not show the password policy..
Silly question, but are you sure you are applying this policy to both the users and computers?  I understand that you have linked it to the domain so it affects both users and computers, but in the actual policy, have you defined it in BOTH computer settings and user settings?  Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts.
I usually run
gpresult /h output.htm 

Open in new window

I find this easier to review the results.
So is there no password policy?
Are there any other policies linked to the domain object or to the Domain Controllers OU?

Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts.
You only define the password policy in the computer settings. It is the DCs that enforce it on the AD users.
Sorry, reviewed my comment and deleted it since it was misleading... You're right, Jeremey, I was thinking of something else.

If the policy is showing up as not applied, I'm assuming you've already tried a gpupdate /target:computer /force on the the DC then checking the error logs and running another gpresult?  Also, if possible, have you tried a reboot of the DC and then a reboot of misbehaving clients?  Seems simple, but sometimes the simple stuff works when it comes to Group Policy.
The pw policy needs to be applied to the DCs, nowhere else. If you would like to limit eventually present local accounts additionally, you would apply the pw policy to all computer objects as well.
Hi, I have rebooted clients and DC`s, no change. I did find that both DC`s are under the OU Domain Controllers, and that the GPO, Default Domain Controller Policy also has a minimum password length of 5 characters.

After running gpresult /h output.htm on the DC, I do not see any security setting for password length.. The winning GPO is both Default domain and default domain controller on other computer settings.
Are you able to share a screenshot? (sanitize as necessary)
User generated imageHere is what I hope is the required information. There is no reference to Account Policy on the Gpresult.
Other policy changes, like Audot Account logon under Default Domain Controller Policy is taking hold, and changing.
As your screenshot shows: the DDP is not applied to your DC. It is a matter of seconds to find out, why. You wrote, you linked it to your Domain head (that is the default, by the way), not to a special OU. That would mean, it gets applied anywhere, unless you apply security filtering or wmi filtering to it. Verify that.
Hi McKnife, thanks for the tip, I have already checked, and the DDP and DDCP (thanks for the abreviation) are both linked to the Domain controller OU. I have changed the link order, so that DDP is on the top.

I found using secpol.msc now, that the values I set in the GPO are grayed out. But the value is wrong, ie. 0.
I removed the minimum password length from the DDP. And now I am able to change the value in secpol. But the value I set does not appear in gpresult,or have any effect.
ASKER CERTIFIED SOLUTION
Avatar of Eirik Gjerdalen
Eirik Gjerdalen

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Great.

Be aware though, that selecting your own comment as solution would imply that experts haven't helped you getting there. The basic step being to recognize where the policy needs to be applied (no matter how), you see that experts did indeed make you realize that (at least I hope so) :-).