Re: Password complexity policy not being enforced
From: Hank Arnold (rasilon_at_aol.com)
Date: 09/29/04
Date: Wed, 29 Sep 2004 12:07:18 -0400
I've run:
DCDiag
==========
Only error it shows is about the SYSVOL being shared. I checked the MS site
and they said if it is shared this is an error that can be ignored.
Netdiag
=======
Everything passed or was skipped. Only message was w.r.t IPSec policy. It
passed. It shows as active with no policy assigned
GPOTOOL
==========
Found both DC's. Found 4 policies. All OK
GPRESULT
=========
I couldn't see anything that stood out....
I can post the results, but it could get lengthy....
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:%23tP%23YQjpEHA.556@tk2msftngp13.phx.gbl...
> Hank,
>
> Good that Steve chimed in. I think that I overlooked this. dcdiag /c /v
> would be a good thing to run. You might want to redirect that to a .txt
> file so that you can search for errors. So, enter
> dcdiag /c /v >dcdiag.txt
> at the command prompt. GPOTOOL and GPRESULT would also be a good thing to
> check.
>
> Cary
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:qkD5d.56144$wV.231@attbi_s54...
>> Just to add to Cary's fine advice, make sure that block inheritance is not
>> enabled on the domain controller container. Additionally use the support
>> tool gpotool to see if Group Policy is being replicated and run dcdiag on
>> each domain controller to see if it reports a clean bill of health for each
>> dc. Dcdiag runs a number of tests that test such things as dns and
>> replication. Support tools are on the install cdrom in the support/tools
>> folder where you need to run setup there to install the set. --- Steve
>>
>>
>>
>>
>> "Hank Arnold" <rasilon@aol.com> wrote in message
>> news:2rnhm2F1bo748U1@uni-berlin.de...
>> > Any more ideas?? I'm stuck here and we are on the hook to enable expired
>> > passwords by the end of next month.
>> >
>> > --
>> > Regards,
>> > Hank Arnold
>> >
>> > "Hank Arnold" <rasilon@aol.com> wrote in message
>> > news:2rfpa6F19p4qgU1@uni-berlin.de...
>> >> Nothing I can see.... The only problem I see is occasionally I would
>> >> create an AD account on DC1 and if I tried to log on right away, I would
>> >> sometimes get an "account is disabled" message. Checking on DC2, it would
>> >> show as "disabled". If I waited long enough (5 minutes +), it would
>> >> always log on. I haven't seen any problems with users or computers
>> >> replicating in a reasonable amount of time. No one is having logon
>> >> problems that I'm aware of.
>> >>
>> >> Here is the output from each DC. It doesn't match either one..... The
>> >> Domain Security or the AD drill down!!! Minimum password age (in both)
>> >> is 7 days. Lockout threshold is 5 attempts......
>> >>
>> >> I'll post more when I get to work...
>> >>
>> >> DC2
>> >> ===
>> >> Force user logoff how long after time expires?: Never
>> >> Minimum password age (days): 0
>> >> Maximum password age (days): 42
>> >> Minimum password length: 0
>> >> Length of password history maintained: 1
>> >> Lockout threshold: Never
>> >> Lockout duration (minutes): 30
>> >> Lockout observation window (minutes): 30
>> >> Computer role: BACKUP
>> >>
>> >> DC1:
>> >> ====
>> >> Force user logoff how long after time expires?: Never
>> >> Minimum password age (days): 0
>> >> Maximum password age (days): 42
>> >> Minimum password length: 0
>> >> Length of password history maintained: 1
>> >> Lockout threshold: Never
>> >> Lockout duration (minutes): 30
>> >> Lockout observation window (minutes): 30
>> >> Computer role: PRIMARY
>> >> The command completed successfully.
>> >>
>> >>
>> >> I'll try what you suggested as soon as I get to work and we'll go from
>> >> there..... Thanks...............
>> >>
>> >> --
>> >> Regards,
>> >> Hank Arnold
>> >>
>> >> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> >> news:%23fLtgRPoEHA.3896@TK2MSFTNGP15.phx.gbl...
>> >>> Mssr. Hank,
>> >>>
>> >>> Is there any problem with Active Directory Replication? If you create a
>> >>> test user account object on one DC ( do not mail-enable it ) do you see
>> >>> that user on the second DC ( after the appropriate amount of time has
>> >>> passed for AD Replication )? This would give you a good indication of AD
>> >>> Replication problems. If you do not see the test user account object on
>> >>> the second DC after enough time has passed then please take a look at the
>> >>> following MSKB article:
>> >>>
>> >>> http://support.microsoft.com/?id=249256
>> >>>
>> >>> And, 'undefined' does not mean the same thing as 'disabled' ( or
>> >>> 'enabled' for that matter ). What happens if you open up a command prompt
>> >>> and enter net accounts? Do you get the same information on DC01 as on
>> >>> DC02? And what information is it? The one from the Domain Security Policy?
>> >>>
>> >>> C'mon, Hank! Let's fix this. I am tired of password policy problems ;-)
>> >>>
>> >>> Cary
>> >>>
>> >>>
>> >>> "Hank Arnold" <rasilon@aol.com> wrote in message
>> >>> news:%23xvazHOoEHA.3564@tk2msftngp13.phx.gbl...
>> >>>> This is just too weird!!
>> >>>>
>> >>>> I got there using your method (Start | Programs | Administrative Tools).
>> >>>> I get the expected items, but they are "undefined". If I go there using
>> >>>> the method I used before (from the AD Users and Computers console), I see
>> >>>> the settings I changed them to!! Why am I seeing different Security
>> >>>> Settings??
>> >>>>
>> >>>> To make things worse, if I go to my second DC using the Domain Security
>> >>>> Policy, I get the settings I see when I go through the AD Users and
>> >>>> Computers console!!
>> >>>>
>> >>>> User can still specify "un-complex" passwords and account is not locked
>> >>>> out.
>> >>>>
>> >>>> Help! What is going on???
>> >>>>
>> >>>> Hank
>> >>>>
>> >>>> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> >>>> news:%23EAGtcNoEHA.536@TK2MSFTNGP11.phx.gbl...
>> >>>> > Well, I am actually referring to the Domain Security Policy. If you
>> >>>> > go to
>> >>>> > you will see that there are many
>> >>>> > things. One of which is the Domain Security Policy. I like to use
>> >>>> > that one. You are correct, though, in that it is effectively the
>> >>>> > Security settings...
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>
>
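Added example (not part of the original thread): a small Python check that parses the `net accounts` output quoted above for each DC and reports where the values in force differ from the intended ones. The intended values are only the two stated in the thread (7-day minimum age, lockout after 5 attempts); the function and variable names are made up for this illustration.

```python
# Added example: compare `net accounts` output from each DC with intended policy.
INTENDED = {  # the two values stated in the thread; others are not given there
    "Minimum password age (days)": "7",
    "Lockout threshold": "5",
}

# Output as posted in the thread; both DCs reported the same settings.
COMMON = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: 1
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
"""
DC1_OUTPUT = COMMON + "Computer role: PRIMARY\nThe command completed successfully.\n"
DC2_OUTPUT = COMMON + "Computer role: BACKUP\n"


def parse_net_accounts(text):
    """Return {setting: value}; split on the last colon, one label contains '?:'."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip():          # skips the trailing status line
            settings[label.strip()] = value.strip()
    return settings


def policy_drift(effective, intended):
    """List (setting, intended, effective) for each intended value not in force."""
    return [(k, want, effective.get(k, "<missing>"))
            for k, want in intended.items() if effective.get(k) != want]


def dc_disagreements(a, b, ignore=("Computer role",)):
    """Settings whose values differ between two DCs (a replication symptom)."""
    return sorted(k for k in set(a) | set(b)
                  if k not in ignore and a.get(k) != b.get(k))


if __name__ == "__main__":
    dc1, dc2 = parse_net_accounts(DC1_OUTPUT), parse_net_accounts(DC2_OUTPUT)
    for setting, want, got in policy_drift(dc1, INTENDED):
        print(f"DC1 {setting}: intended {want}, effective {got}")
    print("DCs disagree on:", dc_disagreements(dc1, dc2) or "nothing")
```

`net accounts` does not report the password complexity requirement, so that setting needs a separate check.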