Minimum password length requirement not applied.

Last Modified: 2018-10-25
In a 2003 domain level, with Windows 7 and Windows 10 clients.
I have adjusted the default domain policy, that is linked to the domain, not an OU.
The minimum requirement is 7 characters, but when I require the user to change password at login they can enter 1 digit.

The GPO is applied, and Group Policy Results confirms the value is 7, but still we can change with just 1 digit.
I have verified with another customer, running newer servers, that the GPO is correct.
I have also checked the other applied GPOs to make sure they do not interfere with the password policy.
Jeremy Weisinger, Senior Network Consultant / Engineer
CERTIFIED EXPERT

Commented:
Run GPResults on the DC. What is the password policy for it?

Author

Commented:
I assume you want Gpresult /r? The default domain policy is applied for computer.

Author

Commented:
However, under GPMC, Group Policy Result, the DC does not show the password policy.

Asif Bacchus, I.T. Consultant

Commented:
Silly question, but are you sure you are applying this policy to both the users and computers? I understand that you have linked it to the domain so it affects both users and computers, but in the actual policy, have you defined it in BOTH computer settings and user settings? Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts.

Jeremy Weisinger, Senior Network Consultant / Engineer
CERTIFIED EXPERT

Commented:
I usually run
gpresult /h output.htm 

I find this easier to review the results.
So is there no password policy?
Are there any other policies linked to the domain object or to the Domain Controllers OU?

"Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts."
You only define the password policy in the computer settings. It is the DCs that enforce it on the AD users.

Asif Bacchus, I.T. Consultant

Commented:
Sorry, reviewed my comment and deleted it since it was misleading... You're right, Jeremy, I was thinking of something else.

If the policy is showing up as not applied, I'm assuming you've already tried a gpupdate /target:computer /force on the DC then checking the error logs and running another gpresult? Also, if possible, have you tried a reboot of the DC and then a reboot of misbehaving clients? Seems simple, but sometimes the simple stuff works when it comes to Group Policy.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The pw policy needs to be applied to the DCs, nowhere else. If you would like to limit eventually present local accounts additionally, you would apply the pw policy to all computer objects as well.
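
The point made above, that the domain controllers are what enforce the password policy, can be checked directly on a DC. The following is an added example, not posted by anyone in this thread; it assumes PowerShell is available on the DC, an elevated session, English-language `net accounts` output, and the expected value of 7 from the question.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# $Expected is the minimum length the question's author set in the GPO (assumed here).
$Expected = 7

# Export the security policy the DC is currently enforcing to a temporary INF file.
$cfg = Join-Path $env:TEMP 'effective-secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# MinimumPasswordLength lives in the [System Access] section of the export.
$line = Get-Content $cfg |
        Where-Object { $_ -like 'MinimumPasswordLength*' } |
        Select-Object -First 1

if ($line -match '=\s*(\d+)') {
    $effective = [int]$Matches[1]
    if ($effective -lt $Expected) {
        Write-Warning "DC enforces minimum length $effective, expected $Expected. Check which GPOs reach the DC."
    } else {
        Write-Output "DC enforces minimum length $effective."
    }
} else {
    Write-Warning "MinimumPasswordLength not found in the exported policy."
}

Remove-Item $cfg -ErrorAction SilentlyContinue

# Cross-check: the account policy the domain reports to clients.
net accounts /domain | Select-String 'Minimum password length'
```

If the exported value differs from what the GPO defines, the setting is not reaching the DC, which matches the symptom of gpresult on the DC showing no Account Policy section.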

Author

Commented:
Hi, I have rebooted clients and DCs, no change. I did find that both DCs are under the OU Domain Controllers, and that the GPO, Default Domain Controller Policy also has a minimum password length of 5 characters.

After running gpresult /h output.htm on the DC, I do not see any security setting for password length. The winning GPO is both Default domain and default domain controller on other computer settings.

Jeremy Weisinger, Senior Network Consultant / Engineer
CERTIFIED EXPERT

Commented:
Are you able to share a screenshot? (sanitize as necessary)

Author

Commented:
1.png

Here is what I hope is the required information. There is no reference to Account Policy on the Gpresult.

Author

Commented:
Other policy changes, like Audit Account logon under Default Domain Controller Policy, are taking hold, and changing.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As your screenshot shows: the DDP is not applied to your DC. It is a matter of seconds to find out, why. You wrote, you linked it to your Domain head (that is the default, by the way), not to a special OU. That would mean, it gets applied anywhere, unless you apply security filtering or wmi filtering to it. Verify that.

Author

Commented:
Hi McKnife, thanks for the tip, I have already checked, and the DDP and DDCP (thanks for the abbreviation) are both linked to the Domain controller OU. I have changed the link order, so that DDP is on the top.

I found using secpol.msc now, that the values I set in the GPO are grayed out. But the value is wrong, i.e. 0.
I removed the minimum password length from the DDP. And now I am able to change the value in secpol. But the value I set does not appear in gpresult, or have any effect.
This problem has been solved!
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Great.

Be aware though, that selecting your own comment as solution would imply that experts haven't helped you getting there. The basic step being to recognize where the policy needs to be applied (no matter how), you see that experts did indeed make you realize that (at least I hope so) :-).