Re: Password complexity CANT be disabled
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/25/04
- Next message: Steven L Umbach: "Re: Urgent problem"
- Previous message: Steven L Umbach: "Re: Domain Administrator Locked Out - Please Help!!!"
- In reply to: Will Smith: "Password complexity CANT be disabled"
- Next in thread: Will Smith: "Re: Password complexity CANT be disabled"
- Reply: Will Smith: "Re: Password complexity CANT be disabled"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 25 Nov 2004 17:17:33 GMT
First make sure that block inheritance is NOT enabled on the domain
controllers container as that will prevent new password policy at the domain
level from being implemented. Then set it to disabled in Domain Security
Policy. Note that if you have more than one GPO in the domain container that
the one at the top of the list will take priority and if you do have more
than one I would set them ALL to disabled for password complexity. Make sure
that the default domain GPO is linked to the domain container. It also may
help to create a new GPO for the domain container, put it at the top of the
list and configure it for disabled for password complexity. Having said all
that, in my opinion it is not a bad thing to have it enabled, but that is
your call. I would also run first the support tool netdiag and then dcdiag
on your domain controllers looking for any pertinent problems, particularly
related to dns or secure channel. If you have an XP Pro computer on the
domain, install the Group Policy Management Console on it, logon as a domain
admin, and use it to try and track down what is going it as it will make the
job a WHOLE lot easier. --- Steve
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx - - GPMC
"Will Smith" <Will Smith@discussions.microsoft.com> wrote in message
news:8FA32B7E-2B76-4C0B-9352-D43561AC6147@microsoft.com...
>I have also posted this in the security section as I cant be sure where
>this
> problem is occuring!!
>
> I have a slightly quirky problem. I have a pure Windows 2000 Domain with 2
> domain controllers running Active Directory. Neither of the servers show
> any
> problems with AD replication, Group policy replication, Browser, DNS,
> Netlogon, Sysvol etc etc.. Nothing in any of the event logs apart from the
> standard "Ignore this issue its not a problem" type errors e.g event 10006
> DCOM got error "Class not registered " from the computer XXXX when
> attempting
> to activate the server: {D99E6E73-FC88-11D0-B498-00A0C90312F3} OR event
> 36871
> A fatal error occurred while creating an SSL server credential.
>
> DNS is happy; NTFRS is happy etc etc.... Basically no problems show up.
>
> The problem I have occurring is that all of a sudden the servers are
> requiring complex passwords e.g. if you change a password or create a new
> user account etc.
>
> I have used GPOTOOL to check that group policy replication is happy, which
> it is. I have looked at the default domain policy as well as the default
> domain controller policy and re-tried enabling and disabling all bits of
> the
> Password Policy section, in all variations (plus used secedit to apply the
> settings). The Domain policy is blocked from inheriting the default domain
> policy as it should be.
>
> However, if you look at the local security policy > password policy on
> either domain controller, it is always listed as NOT DEFINED.
>
> I have also attempted setting the local security policy, and that still
> has
> no effect.
>
> Basically, all sections of the group policy will make a change to the
> local
> security policy, BUT, it is not possible to set any of the settings in the
> Password Policy section. This applies to any changes you make in the Group
> Policy(s) at any level and also to the local security policy. FYI... there
> are only the 2 policies on the server! If you change any other section of
> a
> policy (domain, local, domain cont), it will replicate between the servers
> and it will apply that section of the policy to any area except the
> Password
> Policy, which wont change!
>
> I have re-applied the service pack, as a safety measure and this is on a
> live domain that has been working fine for 2 years now.... so how the
> change
> has come about, I am uncertain!
>
> This problem has only come to light as I had to create a new user, which I
> couldn't do without a complex password being set. However as I cannot find
> out what is really going on with the password policy, I cant tell how long
> it
> will now be before 300+ users are going to be asked to change their
> password,
> and you can imagine the chaos that will happen :-(
>
> As I have now spent 15 hours trying to resolve this, with all possible
> scenarios of applying a password policy (either disabling, enabling, not
> defining...Domain policy, Domain Controller policy, Local Security policy
> etc.etc..) has anyone any thoughts on this as I am completely baffled as
> to
> where to look next and unfortunately, my customer isn't going to accept
> that
> "I thought their network needed its security beefing up, so I turned on
> password complexity (sadly, as that would be a great easy option).
>
> Another possibility would be if anyone knows exactly where to flick the
> switch to disable this... Is it in that DLL file in system 32 that
> controls
> password complexity.... or an encrypted registry key...or as unlikely as
> it
> may be, Active directory through ADSI edit???
>
> Any thoughts and suggestions would be more than welcome on this one!!
>
> Thanks
>
> Will Smith
>
- Next message: Steven L Umbach: "Re: Urgent problem"
- Previous message: Steven L Umbach: "Re: Domain Administrator Locked Out - Please Help!!!"
- In reply to: Will Smith: "Password complexity CANT be disabled"
- Next in thread: Will Smith: "Re: Password complexity CANT be disabled"
- Reply: Will Smith: "Re: Password complexity CANT be disabled"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
