Password Complexity issue



Here's the deal. We're migrating over from NDS to AD and this is the process
in regards to the users:

Account is disabled originally.
We enable the account, reset the password, and place the user in their
appropriate OU.

We go to the workstation and after putting them on the domain we log them in
using the initial password that is set to expire at logon. Here's where the
issue comes in. We have the password complexity requirements set to
"Disabled" on the Default Domain Policy and "not defined" on every other GPO
that we have. Yet they are still getting prompted that their password
doesn't meet the requirements. However, sometimes they don't get prompted
with the complexity issue. If we try to manually change their password after
successfully logging them in (sometimes they mistype their password, or don't
understand us when we tell them to put their Novell password in when sync'ing
up the accounts b/w NDS and AD and they enter a totally different password,
thus they aren't sync'd up).

Here's what the settings are set at:

Enforce password history                       24 passwords remembered
Maximum password age                           120 days
Minimum password age                           1 days
Minimum password length                        5 characters
Password must meet complexity requirements     Disabled
Store passwords using reversible encryption    Disabled


Shouldn't the fact that it is disabled on the domain override whether or not
the password is compared against the requirements? It doesn't seem to be
happening that way. Any ideas? I had thought about changing the Min. Pass.
Age to 0, but wanted to get some feedback first. I believe that is the
setting that is causing the issues. This also happens if someone tries to
change their password later on after we get them logged in and running.
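
The settings listed in the post, run through a simplified model of the checks applied to a user-initiated password change (an added example, not part of the original post and not Windows' own logic). `Policy`, `check_change`, the rule order and the sample timeline are assumptions made for illustration; an account flagged to change its password at logon is modelled as having no last-set time, so the minimum-age rule is skipped for it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:
    # Values copied from the settings listed in the post.
    history: int = 24                       # passwords remembered
    min_age: timedelta = timedelta(days=1)  # minimum password age
    min_length: int = 5                     # characters
    complexity: bool = False                # "Disabled"

def is_complex(pw):
    # Simplified stand-in for the complexity rule: 3 of 4 character classes.
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3

def check_change(policy, new_pw, old_pws, last_set, now, must_change=False):
    """Return the rules a user-initiated change fails (empty list = accepted).

    old_pws holds plaintext only to keep the model short; a real directory
    compares stored hashes.
    """
    failed = []
    # Assumption: must-change-at-logon leaves no last-set time to measure from.
    if not must_change and now - last_set < policy.min_age:
        failed.append("minimum password age")
    if len(new_pw) < policy.min_length:
        failed.append("minimum password length")
    if new_pw in old_pws[-policy.history:]:
        failed.append("password history")
    if policy.complexity and not is_complex(new_pw):
        failed.append("complexity")
    return failed

if __name__ == "__main__":
    p = Policy()
    t0 = datetime(2000, 1, 3, 9, 0)  # constructed timeline, not from the post
    # First logon with the expiring initial password: change goes through.
    print(check_change(p, "novell1", [], t0, t0, must_change=True))
    # Second change two hours later: rejected although complexity is off.
    print(check_change(p, "winter05", ["novell1"], t0, t0 + timedelta(hours=2)))
    # Same change two days later: accepted.
    print(check_change(p, "winter05", ["novell1"], t0, t0 + timedelta(days=2)))
    # Reusing a remembered password: rejected by history.
    print(check_change(p, "novell1", ["novell1"], t0, t0 + timedelta(days=2)))
```
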