Re: password complexity

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 04/24/04 

Date: Sat, 24 Apr 2004 14:15:51 -0700

Marin and Dave,

Here is what is happening when you remove the domain policy - account policy
setting for password complexity:

1) the domain policy for password complexity is removed from the DCs
2) The local DC policy is still set for "password complexity" (you can see
this from the "local security policy" on the DC
3) You can go into the local security policy on EACH DC and remove this
setting, if you want no password complexity.

Give me a while, and I can see how this effects multiple DCs in the same
domain. This is only on a single DC in the domain. 

-- 
Derek Melber
BrainCore.Net
derekm@braincore.net
"Marin Marinov" <mlmarinov@askme.ca> wrote in message
news:MPG.1af49c2e7513dfb7989715@msnews.microsoft.com...
> <snip>
> OK, a final one from me :) Seems that if you just disable the "Minimum
> password length" it leaves the setting in the state it was before you
> disabled it. For example, if it specified min 4 characters then even
> after you disable it you still cannot create a password shorter than
> that. I was really surprised at that, I didn't understand GPs this way
> but that what the experiment proved. So what you should do is set it to
> 0, i.e. "no password" and leave it this way so everybody can notice what
> the configuration is (and not wonder over such "mysterious" happenings).
>
> HTH
> -- 
> Cheers,
>    Marin Marinov
>    MCT,MCSE 2003,MCSE:Security 2003
> -
> This posting is provided "AS IS" with no warranties, and confers no
> rights.

Relevant Pages

  • Re: What Happened? Passwords all expired...
    ... really explain how the new account policy settingmade it to the DCs. ... I would strongly suggest enabling Success/Failure for Account Management ... >>>post that says "I check my GPO's and password complexity ... >>>>account logon events success and fail ...
    (microsoft.public.win2000.active_directory)
  • Re: GPO - password policy - Urgent
    ... Set password complexity to "disabled" - NOT undefined in Domain ... You can also use the mmc snapin for Resultant Set of Policy [again ... assuming Windows 2003] in logging mode on the domain controller to see what ... problems being that domain controllers are not pointing only to themselves ...
    (microsoft.public.windows.server.security)
  • 2003 GP/Password complexity questions
    ... I have a new 2003 AD domain and am looking for some guidance with the ... In regard to password complexity being enabled by default, ... policy options to disable this in the "Default Domain Policy" and I've ... best to use separate GPO's for both. ...
    (microsoft.public.windows.server.active_directory)
  • Re: User Creation
    ... Didn't catch which version of Windows Active Directory you were running? ... > trivial matter of creating user accounts made me so ... >>W2k3 by default has password complexity enabled in Default ... >>password doesnot meet the password policy requirements. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Security hierarchy
    ... >would only apply to local machine accounts if domain policy is overridden.. ... that password complexity should not be enforced although it ... Local setting show ... >> I reboot the DC. ...
    (microsoft.public.win2000.security)