Re: Password reset not working

From: Andy Cadley (ac_at_uea.ac.uk)
Date: 05/27/04 

Date: Thu, 27 May 2004 12:31:03 +0100

I'm not quite sure what is is you're trying to acheive, but I'll try to
explain what you are seeing:

All users have the 7 character minimum password because this is a Computer
Setting that is applied to the domain controllers. Since the accounts are
all held on DC's, they are all subject to this setting. There is no way of
filtering this particular setting based on user.

At the moment your Administrator account is not being affected by the
Default Domain Policy (you can see this by drilling down to User
Configuration Summary -> Group Policy Objects -> Denied GPOs for the
Administrators RSOP data) wheras slaundria is, which I think is what you
want. This means that any per-user settings you make in there won't restrict
the admin account.

You might find it easier if you create an OU where you keep all your normal
accounts and create and link a new GPO there for restricting user settings.
Since you won't put the Administrator account in that OU there is no way
that it can be affected by any changes you make as it is not in the 'scope'
of the GPO

Hope that helps,

AndyC

"Daniel" <webmaster@nhscomputerclub.com> wrote in message
news:4cadd7d3.0405261646.3d435ef7@posting.google.com...
> Ok I figured out what I have to do. I added the authenticated users
> to the default domain poliy and that got the account policys working
> again. The only problem now is the Administrator (Me) is being
> affected by the default domain policy (Im not worried about the
> computer configuration but I am worried about the user configuration.)
> I need to find away to be able to have all the accounts have the 7
> character min. without affecting the administrator for the user
> configuration. Here is the RSoP of the two users one me and the
> otherone a user and then the two policys.
>
> http://www.nhscomputerclub.com/Administrator%20on%20SCHALLER1.htm
> http://www.nhscomputerclub.com/slaundria%20on%20SCHALLER1.htm
>
> http://www.nhscomputerclub.com/Default%20Domain%20Controllers%20Policy.htm
> http://www.nhscomputerclub.com/Default%20Domain%20Policy.htm
>
> NOTES:
> slaundria is in the schaller users group; the administrator is not
> Schaller1 is not in the schaller computers group; all the other win
> 2000 computers are.
>
> "Andy Cadley" <ac@uea.ac.uk> wrote in message
news:<eo6cAmzQEHA.3016@tk2msftngp13.phx.gbl>...
> > Your current security filtering only allows the policy to apply to
> > SCHALLER\Schaller Computers or SCHALLER\Schaller Users. Looking in the
RSOP
> > results, that computer SCHALLER\SCHALLER1 isn't in either of those
groups.
> >
> > So you either need to add the computer to one of those groups
(presuambly
> > the first one!) or give Read and Apply permissions to that specific
machine
> > (or a group it is contained in) on the Default Domain Group Policy.
Given
> > that it's a Domain Controller, I'd do it by giving Apply and Read
permission
> > to the group SCHALLER\Domain Controllers as that way you won't get any
nasty
> > surprises if/when you add new DC's.
> >
> > Hope that helps,
> >
> > AndyC
> >
> > "Daniel" <webmaster@nhscomputerclub.com> wrote in message
> > news:4cadd7d3.0405260702.3607e2bd@posting.google.com...
> > > So how do I fix this? All the other GPO objects are working except
> > > the password policy.
> > >
> > >
> > > "Andy Cadley" <ac@uea.ac.uk> wrote in message
> > news:<#awl#TwQEHA.4000@TK2MSFTNGP10.phx.gbl>...
> > > > If you look under Computer Configuration Summary -> Group Policy
> > Objects ->
> > > > Denied GPOs you'll notice that the Default Domain Policy is not
applying
> > to
> > > > that machine (due to security filtering). I think you'll find that
is
> > why
> > > > the password policy is not affecting the user.
> > > >
> > > > AndyC
> > > >
> > > > "Daniel" <webmaster@nhscomputerclub.com> wrote in message
> > > > news:4cadd7d3.0405251534.50a4cc5@posting.google.com...
> > > > > If you click here you can see my curent domain policy.
> > > > > http://www.nhscomputerclub.com/default%20domain%20policy.htm
> > > > > If you click here you can see the RSOP of this user
> > > > > http://www.nhscomputerclub.com/schaller.htm
> > > > >
> > > > > If you notice, the domain policy is affecting her for all of the
> > > > > policys except the account policys. What could be wrong? Also I
am
> > > > > sure that it is not a machine local account because we have roming
> > > > > profiles and it does connect here to her network drive.
> > > > >
> > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > news:<e8Gk8maQEHA.3944@tk2msftngp13.phx.gbl>...
> > > > > > Password complexity and length requirements are enforced on
> > > > > > the account at the next time when they change their password.
> > > > > > If a password exists that does not meet the requirements it is
not
> > > > > > forced to change, it would need to be expired so the account is
> > > > > > then forced to change their password (and meet the new reqs).
> > > > > >
> > > > > > That you have this user with blank pwd that _is_ being prompted
> > > > > > to change password but is being allowed to reenter a blank one
> > > > > > shows that either the account in use is a machine local account
> > > > > > or that the machine for some reason is not being subjected to
> > > > > > the GPO settings.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Server System: Security)
> > > > > > MCDBA, MCSE W2k3+W2k+Nt4
> > > > > > "Daniel" <webmaster@nhscomputerclub.com> wrote in message
> > > > > > news:4cadd7d3.0405240312.af6ed24@posting.google.com...
> > > > > > >I added the computer to the domain and it has the security
policy
> > that
> > > > > > > I set in the GPO editor. The user that logs in is asked to
enter
> > a
> > > > > > > new password but it just lets her type no password. (Is it
> > because I
> > > > > > > have no password set now?) Right now it is set up in both the
> > domain
> > > > > > > security policy and in the gpo which is enforced both to the
> > computer
> > > > > > > and to the users (not the admins) in teh account settings that
> > they
> > > > > > > have to enter a password of at least 7 characters with the
> > complexity.
> > > > > > > Is there any way I can fix this so that they have no password
now
> > and
> > > > > > > when they login with no password they have to enter a password
of
> > at
> > > > > > > least 7 characters with the complexity enabled.

Relevant Pages