RE: Default Domain Password settings going down to client but not

Hi There!

We have been facing similar issue where we have enabled "Password must meet
complexity requirements" in our Windows 2000 Active Directory Domain in
"Default Domain Policy" "Security Settings" and still we are able use very
simple passwords in "Reset Passwords" and new account creations. Though, we
have been applying policy through running SECEDIT on the DCs, replicating the
NTDS Connections, applying policy throguh GPUPDATE on XP workstation, but
still the problem is same.

Does anyone can help us in resolving this issue.

Arif

"ecold" wrote:

> Well, I figured it out. I set it all in the Domain Security Policy. Now
> before you say Duh, Everything I had read said it could only be defined once.
> Nothing was define in either it or the Domain Controller security policy.
> Instead, it was only in our Default Domain Policy but apparently, it still
> only affects Local accounts with that policy. So, it now works as advertised.
> Thanks to all who strained a brain muscle to figure it out.
>
> "ecold" wrote:
>
> > Paul,
> >
> > No errors of such. Actually no errors at all with policies. Any other ideas?
> >
> > "Paul Hinsberg" wrote:
> >
> > > Are there any errors in the event viewer, usually they show up as SECEDIT
> > > issues? Sometimes deleted user accounts and groups can cause problems for
> > > the propagation of policies.
> > > --
> > > Paul Hinsberg
> > >
> > >
> > > "ecold" wrote:
> > >
> > > > Paul,
> > > > It is not the Default Domain Controller policy, I looked there to make sure
> > > > there wer no conflicts but it is not that one. Also, it has been two days and
> > > > I did run GPUPDATE /Force, even on DCs and rebooted them all.
> > > >
> > > > "Paul" wrote:
> > > >
> > > > > Did you mistakenly adjust the Default DOMAIN CONTROLLER Policy? This is a
> > > > > common issue - so please don't be offended.
> > > > >
> > > > > Also, once you change the policy it is not immediately updated on the
> > > > > machine. You would want to run GPUPDATE to put the policy change into affect.
> > > > > --
> > > > > Paul Hinsberg
> > > > >
> > > > >
> > > > > "ecold" wrote:
> > > > >
> > > > > > Below are my Default Domain policy settings for passwords. It shows up on the
> > > > > > DC as Default Security policy but, I can use 123 as my password and it will
> > > > > > accept it. What am I missing? This is supposed to go into effect tomorrow but
> > > > > > it doesn't do me any good if they can make it anything. Then there's the
> > > > > > problem of if I get it working, it requiring them to change it again. We are
> > > > > > 2003 DCs with SP1 but are still on 2000 native. Moving to 2003 in about 1-2
> > > > > > months. Any help would be appreciated and there are no other domain level
> > > > > > password policies.
> > > > > >
> > > > > > Account Policies/Password Policy
> > > > > > Policy Setting
> > > > > > Enforce password history 24 passwords remembered
> > > > > > Maximum password age 60 days
> > > > > > Minimum password age 1 days
> > > > > > Minimum password length 8 characters
> > > > > > Password must meet complexity requirements Enabled
> > > > > > Store passwords using reversible encryption Disabled
> > > > > >
> > > > > > Account Policies/Account Lockout Policy
> > > > > > Policy Setting
> > > > > > Account lockout duration 15 minutes
> > > > > > Account lockout threshold 3 invalid logon attempts
> > > > > > Reset account lockout counter after 15 minutes
> > > > > >
> > > > > > Account Policies/Kerberos Policy
> > > > > > Policy Setting
> > > > > > Enforce user logon restrictions Enabled
> > > > > > Maximum lifetime for service ticket 600 minutes
> > > > > > Maximum lifetime for user ticket 10 hours
> > > > > > Maximum lifetime for user ticket renewal 7 days
> > > > > > Maximum tolerance for computer clock synchronization
> > > > > >
.

Relevant Pages