RE: Default Domain Password settings going down to client but not



Arif,

I'm not sure about 2000, I can't remember, but make sure on your DCs that
the Domain Security Policy and the Domain Controller Security Policy are not
fighting. In other words, make sure the password settings only exist in one
or the other, preferably the Domain Security Policy.

"Arif Bijle - bijleai@xxxxxxx" wrote:

> Hi There!
>
> We have been facing a similar issue where we have enabled "Password must meet
> complexity requirements" in our Windows 2000 Active Directory Domain in
> "Default Domain Policy" "Security Settings" and still we are able to use very
> simple passwords in "Reset Passwords" and new account creations. Though we
> have been applying policy through running SECEDIT on the DCs, replicating the
> NTDS Connections, applying policy through GPUPDATE on XP workstation,
> still the problem is the same.
>
> Can anyone help us in resolving this issue?
>
> Arif
>
> "ecold" wrote:
>
> > Well, I figured it out. I set it all in the Domain Security Policy. Now
> > before you say Duh, everything I had read said it could only be defined once.
> > Nothing was defined in either it or the Domain Controller Security Policy.
> > Instead, it was only in our Default Domain Policy but apparently, it still
> > only affects Local accounts with that policy. So, it now works as advertised.
> > Thanks to all who strained a brain muscle to figure it out.
> >
> > "ecold" wrote:
> >
> > > Paul,
> > >
> > > No errors of such. Actually no errors at all with policies. Any other ideas?
> > >
> > > "Paul Hinsberg" wrote:
> > >
> > > > Are there any errors in the event viewer, usually they show up as SECEDIT
> > > > issues? Sometimes deleted user accounts and groups can cause problems for
> > > > the propagation of policies.
> > > > --
> > > > Paul Hinsberg
> > > >
> > > >
> > > > "ecold" wrote:
> > > >
> > > > > Paul,
> > > > > It is not the Default Domain Controller policy, I looked there to make sure
> > > > > there were no conflicts but it is not that one. Also, it has been two days and
> > > > > I did run GPUPDATE /Force, even on DCs and rebooted them all.
> > > > >
> > > > > "Paul" wrote:
> > > > >
> > > > > > Did you mistakenly adjust the Default DOMAIN CONTROLLER Policy? This is a
> > > > > > common issue - so please don't be offended.
> > > > > >
> > > > > > Also, once you change the policy it is not immediately updated on the
> > > > > > machine. You would want to run GPUPDATE to put the policy change into effect.
> > > > > > --
> > > > > > Paul Hinsberg
> > > > > >
> > > > > >
> > > > > > "ecold" wrote:
> > > > > >
> > > > > > > Below are my Default Domain policy settings for passwords. It shows up on the
> > > > > > > DC as Default Security policy but, I can use 123 as my password and it will
> > > > > > > accept it. What am I missing? This is supposed to go into effect tomorrow but
> > > > > > > it doesn't do me any good if they can make it anything. Then there's the
> > > > > > > problem of if I get it working, it requiring them to change it again. We are
> > > > > > > 2003 DCs with SP1 but are still on 2000 native. Moving to 2003 in about 1-2
> > > > > > > months. Any help would be appreciated and there are no other domain level
> > > > > > > password policies.
> > > > > > >
> > > > > > > > Account Policies/Password Policy
> > > > > > > > Policy                                        Setting
> > > > > > > > Enforce password history                      24 passwords remembered
> > > > > > > > Maximum password age                          60 days
> > > > > > > > Minimum password age                          1 days
> > > > > > > > Minimum password length                       8 characters
> > > > > > > > Password must meet complexity requirements    Enabled
> > > > > > > > Store passwords using reversible encryption   Disabled
> > > > > > > >
> > > > > > > > Account Policies/Account Lockout Policy
> > > > > > > > Policy                                        Setting
> > > > > > > > Account lockout duration                      15 minutes
> > > > > > > > Account lockout threshold                     3 invalid logon attempts
> > > > > > > > Reset account lockout counter after           15 minutes
> > > > > > > >
> > > > > > > > Account Policies/Kerberos Policy
> > > > > > > > Policy                                        Setting
> > > > > > > > Enforce user logon restrictions               Enabled
> > > > > > > > Maximum lifetime for service ticket           600 minutes
> > > > > > > > Maximum lifetime for user ticket              10 hours
> > > > > > > > Maximum lifetime for user ticket renewal      7 days
> > > > > > > > Maximum tolerance for computer clock synchronization
> > > > > > >
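
The symptom in this thread (settings visible in the policy editor, yet "123" still accepted) is easiest to pin down by comparing what a machine actually enforces against what was intended. The following is an added example, not code from any poster in the thread: it audits the text of a `secedit /export /cfg` file against the password and lockout values quoted above. The sample export is constructed for illustration, and the assumption is that the export was taken on the machine being checked and decoded to text.

```python
import configparser

# Intended values from the thread's policy listing, written with the
# [System Access] key names that a secedit INF export uses.
INTENDED = {
    "PasswordHistorySize": 24, "MaximumPasswordAge": 60,
    "MinimumPasswordAge": 1, "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,   # 1 = complexity enabled
    "ClearTextPassword": 0,    # 0 = reversible encryption disabled
    "LockoutBadCount": 3, "LockoutDuration": 15, "ResetLockoutCount": 15,
}

# Constructed sample: an export where the intended policy never took effect.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def audit(inf_text, intended=INTENDED):
    """Return {key: (effective, wanted)} for each setting that differs.

    A key missing from the export is reported with effective=None.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str                       # keep key case as exported
    cp.read_string(inf_text.lstrip("\ufeff"))  # drop a BOM if present
    section = cp["System Access"] if cp.has_section("System Access") else {}
    drift = {}
    for key, wanted in intended.items():
        try:
            effective = int(section.get(key))
        except (TypeError, ValueError):
            effective = None
        if effective != wanted:
            drift[key] = (effective, wanted)
    return drift

if __name__ == "__main__":
    for key, (got, want) in sorted(audit(SAMPLE_EXPORT).items()):
        print(f"{key}: effective={got} intended={want}")
```

An empty result means the exported settings match the intended policy; any entry that remains after a policy refresh points at the setting that is not reaching that machine.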