Minimum password length requirement not applied.

Eirik Gjerdalen
In a 2003 domain level, with Windows 7 and Windows 10 clients.
I have adjusted the default domain policy, that is linked to the domain, not an OU.
The minimum requirement is 7 characters, but when I require the user to change password at login they can enter 1 digit.

The GPO is applied, and Group Policy Results confirms the value is 7, but still we can change with just 1 digit.
I have verified with another customer, running newer servers, that the GPO is correct.
I have also checked the other applied GPOs to make sure they do not interfere with the password policy.
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
Run GPResults on the DC. What is the password policy for it?

Author

Commented:
I assume you want Gpresult /r? The default domain policy is applied for computer.

Author

Commented:
However, under GPMC, Group Policy Result, the DC does not show the password policy.
Asif Bacchus, I.T. Consultant

Commented:
Silly question, but are you sure you are applying this policy to both the users and computers?  I understand that you have linked it to the domain so it affects both users and computers, but in the actual policy, have you defined it in BOTH computer settings and user settings?  Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts.
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
I usually run
gpresult /h output.htm

I find this easier to review the results.
So is there no password policy?
Are there any other policies linked to the domain object or to the Domain Controllers OU?

"Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts."
You only define the password policy in the computer settings. It is the DCs that enforce it on the AD users.
Asif Bacchus, I.T. Consultant

Commented:
Sorry, reviewed my comment and deleted it since it was misleading... You're right, Jeremy, I was thinking of something else.

If the policy is showing up as not applied, I'm assuming you've already tried a gpupdate /target:computer /force on the DC then checking the error logs and running another gpresult? Also, if possible, have you tried a reboot of the DC and then a reboot of misbehaving clients? Seems simple, but sometimes the simple stuff works when it comes to Group Policy.
Distinguished Expert 2018

Commented:
The pw policy needs to be applied to the DCs, nowhere else. If you would like to limit eventually present local accounts additionally, you would apply the pw policy to all computer objects as well.

Author

Commented:
Hi, I have rebooted clients and DCs, no change. I did find that both DCs are under the OU Domain Controllers, and that the GPO, Default Domain Controller Policy, also has a minimum password length of 5 characters.

After running gpresult /h output.htm on the DC, I do not see any security setting for password length. The winning GPO is both Default domain and default domain controller on other computer settings.
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
Are you able to share a screenshot? (sanitize as necessary)

Author

Commented:
[Attachment: 1.png]
Here is what I hope is the required information. There is no reference to Account Policy on the Gpresult.

Author

Commented:
Other policy changes, like Audit Account Logon under Default Domain Controller Policy, are taking hold and changing.
Distinguished Expert 2018

Commented:
As your screenshot shows: the DDP is not applied to your DC. It is a matter of seconds to find out why. You wrote, you linked it to your Domain head (that is the default, by the way), not to a special OU. That would mean, it gets applied anywhere, unless you apply security filtering or WMI filtering to it. Verify that.

Author

Commented:
Hi McKnife, thanks for the tip, I have already checked, and the DDP and DDCP (thanks for the abbreviation) are both linked to the Domain controller OU. I have changed the link order, so that DDP is on the top.

I found using secpol.msc now, that the values I set in the GPO are grayed out. But the value is wrong, i.e. 0.
I removed the minimum password length from the DDP. And now I am able to change the value in secpol. But the value I set does not appear in gpresult, or have any effect.
I did a test on the client, it does now require the correct length. The value still does not show in gpresult.
In summary, I changed the value in DDP to not defined. And changed with secpol.msc on the domain controller.
Distinguished Expert 2018

Commented:
Great.

Be aware though, that selecting your own comment as solution would imply that experts haven't helped you get there. The basic step being to recognize where the policy needs to be applied (no matter how), you see that experts did indeed make you realize that (at least I hope so) :-).
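
Added example, not part of the thread and not any participant's code: a PowerShell check, run elevated on a domain controller, that compares the minimum password length the domain actually enforces (the minPwdLength attribute on the domain object) with the value secedit exports from the DC's security database. The expected value of 7 comes from the question; the variable names and the export file name are assumptions.

```powershell
# Added example (not from the thread). Run elevated on a domain controller.
$expected = 7   # minimum length the asker configured in the Default Domain Policy

# 1. Value the domain enforces for AD accounts: minPwdLength on the domain object.
$rootDse      = [ADSI]'LDAP://RootDSE'
$domain       = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$domainMinLen = [int]$domain.minPwdLength.Value

# 2. Value in this machine's security database, exported with secedit.
#    The export file name is arbitrary (assumption).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$match = Select-String -Path $cfg -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)' |
         Select-Object -First 1
$seceditMinLen = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { $null }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Report both values next to the expected one.
$report = New-Object PSObject -Property @{
    Expected      = $expected
    DomainObject  = $domainMinLen
    SeceditExport = $seceditMinLen
}
$report | Format-List

# 4. Flag the condition described in the question: a policy that reports 7
#    in the GPO while the domain enforces something shorter.
if ($domainMinLen -lt $expected) {
    Write-Warning "Domain enforces a minimum length of $domainMinLen, expected $expected."
}
if ($null -ne $seceditMinLen -and $seceditMinLen -ne $domainMinLen) {
    Write-Warning "secedit export ($seceditMinLen) differs from the domain object ($domainMinLen)."
}
```

Running it before and after a policy change shows whether the change reached the domain object, independent of what gpresult displays.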
