Eirik Gjerdalen
 asked on

Minimum password length requirement not applied.

In a 2003 domain level, with Windows 7 and Windows 10 clients.
I have adjusted the default domain policy, that is linked to the domain, not an OU.
The minimum requirement is 7 characters, but when I require the user to change password at login they can enter 1 digit.

The GPO is applied, and Group Policy results confirms the value is 7, but still we can change with just 1 digit.
I have verified with another customer, running newer servers, that the GPO is correct.
I have also checked the other applied GPOs to make sure they do not interfere with the password policy.

Last Comment
McKnife

8/22/2022 - Mon
Jeremy Weisinger

Run GPResults on the DC. What is the password policy for it?
Eirik Gjerdalen

ASKER
I assume you want Gpresult /r? The default domain policy is applied for computer.
Eirik Gjerdalen

ASKER
However, under GPMC, Group Policy Result, the DC does not show the password policy.
Asif Bacchus

Silly question, but are you sure you are applying this policy to both the users and computers?  I understand that you have linked it to the domain so it affects both users and computers, but in the actual policy, have you defined it in BOTH computer settings and user settings?  Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts.
Jeremy Weisinger

I usually run
gpresult /h output.htm 

I find this easier to review the results.
So is there no password policy?
Are there any other policies linked to the domain object or to the Domain Controllers OU?

"Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts."
You only define the password policy in the computer settings. It is the DCs that enforce it on the AD users.
Asif Bacchus

Sorry, reviewed my comment and deleted it since it was misleading... You're right, Jeremy, I was thinking of something else.

If the policy is showing up as not applied, I'm assuming you've already tried a gpupdate /target:computer /force on the DC, then checking the error logs and running another gpresult?  Also, if possible, have you tried a reboot of the DC and then a reboot of misbehaving clients?  Seems simple, but sometimes the simple stuff works when it comes to Group Policy.
McKnife

The pw policy needs to be applied to the DCs, nowhere else. If you would like to limit eventually present local accounts additionally, you would apply the pw policy to all computer objects as well.
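
Added example (not part of the original thread, and not any participant's code): a PowerShell check, run on a DC, that compares the minimum password length stored on the domain object with the value the DC's own security database reports. The expected value of 7 comes from the question; the export file name is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on a domain controller.
$expected = 7   # minimum length the asker configured in the Default Domain Policy

# 1. Value stored on the domain head object. DCs enforce this for domain accounts.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$adMinLen = [int]$domain.psbase.Properties["minPwdLength"].Value

# 2. Value in the DC's effective security policy (the same data secpol.msc displays).
$cfg = Join-Path $env:TEMP "secpol-export.inf"   # assumed temp file name
secedit /export /areas SECURITYPOLICY /cfg $cfg | Out-Null
$hit = Get-Content $cfg | Select-String -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)'
$dcMinLen = if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. GPO links on the domain root, in the raw gPLink form ([LDAP://cn={GUID},...;flags]).
$rootLinks = $domain.psbase.Properties["gPLink"].Value

# 4. Report. Any value other than $expected means the GPO setting has not reached the DC.
New-Object PSObject -Property @{
    ExpectedMinLength   = $expected
    DomainObjectMinLen  = $adMinLen
    DcEffectiveMinLen   = $dcMinLen
    DomainObjectMatches = ($adMinLen -eq $expected)
    DcPolicyMatches     = ($dcMinLen -eq $expected)
    DomainRootGpLink    = $rootLinks
} | Format-List
```

If either value differs from the one configured in the GPO, compare the `gpresult /h` report from the DC against the links listed in `DomainRootGpLink` to see which GPO the DC is actually processing.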
Eirik Gjerdalen

ASKER
Hi, I have rebooted clients and DCs, no change. I did find that both DCs are under the OU Domain Controllers, and that the GPO, Default Domain Controller Policy, also has a minimum password length of 5 characters.

After running gpresult /h output.htm on the DC, I do not see any security setting for password length. The winning GPO is both Default domain and default domain controller on other computer settings.
Jeremy Weisinger

Are you able to share a screenshot? (sanitize as necessary)
Eirik Gjerdalen

ASKER
1.png
Here is what I hope is the required information. There is no reference to Account Policy on the Gpresult.
Eirik Gjerdalen

ASKER
Other policy changes, like Audit Account logon under Default Domain Controller Policy, are taking hold, and changing.
McKnife

As your screenshot shows: the DDP is not applied to your DC. It is a matter of seconds to find out why. You wrote that you linked it to your Domain head (that is the default, by the way), not to a special OU. That would mean it gets applied anywhere, unless you apply security filtering or WMI filtering to it. Verify that.
Eirik Gjerdalen

ASKER
Hi McKnife, thanks for the tip, I have already checked, and the DDP and DDCP (thanks for the abbreviation) are both linked to the Domain controller OU. I have changed the link order, so that DDP is on the top.

I found using secpol.msc now, that the values I set in the GPO are grayed out. But the value is wrong, i.e. 0.
I removed the minimum password length from the DDP. And now I am able to change the value in secpol. But the value I set does not appear in gpresult, or have any effect.
ASKER CERTIFIED SOLUTION
Eirik Gjerdalen

McKnife

Great.

Be aware though, that selecting your own comment as solution would imply that experts haven't helped you get there. The basic step being to recognize where the policy needs to be applied (no matter how), you see that experts did indeed make you realize that (at least I hope so) :-).