Minimum password length requirement not applied.

Minimum password length requirement not applied.
In a 2003 domain level, with windows 7 and windows 10 clients.
I have adjusted the default domain policy, that is linked to the domain, not an OU.
The minimum requirement is 7 characters, but when I require the user to change password at login they can enter 1 digit.

The GPO is applied, and Group Policy results confirms the value is 7, but still we can change with just 1 digit.
I have verified with another costumer, running newer servers that the GPO is correct.
I have also checked the other applied GPO`s to make sure they do not interfere with the password policy.
Eirik GjerdalenAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Run GPResults on the DC. What is the password policy for it?
Eirik GjerdalenAuthor Commented:
I assume you want Gpresult /r? The default domain policy is applied for computer.
Eirik GjerdalenAuthor Commented:
However, under GPMC, Group Policy Result, the DC does not show the password policy..
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Asif BacchusI.T. ConsultantCommented:
Silly question, but are you sure you are applying this policy to both the users and computers?  I understand that you have linked it to the domain so it affects both users and computers, but in the actual policy, have you defined it in BOTH computer settings and user settings?  Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts.
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
I usually run
gpresult /h output.htm 

Open in new window

I find this easier to review the results.
So is there no password policy?
Are there any other policies linked to the domain object or to the Domain Controllers OU?

Applying to computers will affect only local machine accounts whereas applying it to users will affect their domain-linked accounts.
You only define the password policy in the computer settings. It is the DCs that enforce it on the AD users.
Asif BacchusI.T. ConsultantCommented:
Sorry, reviewed my comment and deleted it since it was misleading... You're right, Jeremey, I was thinking of something else.

If the policy is showing up as not applied, I'm assuming you've already tried a gpupdate /target:computer /force on the the DC then checking the error logs and running another gpresult?  Also, if possible, have you tried a reboot of the DC and then a reboot of misbehaving clients?  Seems simple, but sometimes the simple stuff works when it comes to Group Policy.
The pw policy needs to be applied to the DCs, nowhere else. If you would like to limit eventually present local accounts additionally, you would apply the pw policy to all computer objects as well.
Eirik GjerdalenAuthor Commented:
Hi, I have rebooted clients and DC`s, no change. I did find that both DC`s are under the OU Domain Controllers, and that the GPO, Default Domain Controller Policy also has a minimum password length of 5 characters.

After running gpresult /h output.htm on the DC, I do not see any security setting for password length.. The winning GPO is both Default domain and default domain controller on other computer settings.
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Are you able to share a screenshot? (sanitize as necessary)
Eirik GjerdalenAuthor Commented:
1.pngHere is what I hope is the required information. There is no reference to Account Policy on the Gpresult.
Eirik GjerdalenAuthor Commented:
Other policy changes, like Audot Account logon under Default Domain Controller Policy is taking hold, and changing.
As your screenshot shows: the DDP is not applied to your DC. It is a matter of seconds to find out, why. You wrote, you linked it to your Domain head (that is the default, by the way), not to a special OU. That would mean, it gets applied anywhere, unless you apply security filtering or wmi filtering to it. Verify that.
Eirik GjerdalenAuthor Commented:
Hi McKnife, thanks for the tip, I have already checked, and the DDP and DDCP (thanks for the abreviation) are both linked to the Domain controller OU. I have changed the link order, so that DDP is on the top.

I found using secpol.msc now, that the values I set in the GPO are grayed out. But the value is wrong, ie. 0.
I removed the minimum password length from the DDP. And now I am able to change the value in secpol. But the value I set does not appear in gpresult,or have any effect.
Eirik GjerdalenAuthor Commented:
I did a test on the client,  it does now require the correct length. The value still does not show in gpresult..
In summary, I changed the value in DDP to not defined. And changed with secpol.msc on the domain controller.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

Be aware though, that selecting your own comment as solution would imply that experts haven't helped you getting there. The basic step being to recognize where the policy needs to be applied (no matter how), you see that experts did indeed make you realize that (at least I hope so) :-).
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.