Re: Password must meet complexity requirements
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Mon, 11 Sep 2006 12:03:17 -0500
"Deb H" <DebH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D6F0ABD-81A7-4498-AA84-9FC5BF22D274@xxxxxxxxxxxxxxxx
Thank You. This has solved my issue. I did not have the Default linked. Once I linked it, I am getting the complexity message.
Thank YOU!
You are welcome but there is still something inconsistent
about the symptoms and your reports.
If the Default didn't have the complexity settings then having
it linked wasn't (supposed to be) relevant to those settings.
(You would still want the default linked in almost all cases to
start from the MS defaults but I just don't see how its absence
would do any active harm.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Herb Martin" wrote:
"Deb H" <DebH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A0CE0C33-D8A6-4143-A380-73EDE4CA2A81@xxxxxxxxxxxxxxxx
OK. The Default Domain Policy must be linked but not enforced.
Within my Group Policy Manager, clicking on the domain object, I see that the linked policy is my password policy and the Default
That makes sense and should work for you.
If you have made changes to the Default that affect the password
policies then the policy that is APPLIED LAST will take precedence
(one of the reasons we suggest you never modify the Default Policies
but create your own policies for that.)
Domain Policy. Link order is 1 - password policy, 2 - Default Domain Policy.
Both are linked, only password policy is enforced.
Default will win (as 2nd or last in order) IF there are conflicts.
Items which don't appear SET in both policies will be unaffected
by the one without that entry set.
I have tested with both a domain account and a local pc account. I will
replicate and see what happens.
"Herb Martin" wrote:
"Deb H" <DebH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B035FC47-873E-4CDC-9FE6-5BC6FD58F839@xxxxxxxxxxxxxxxx
DCdiag shows no errors. Everything passes. I tried running my test by password on a local user. The complexity rule works for the local account, just not my domain accounts.
Then you likely did NOT link to the DOMAIN but rather to some OU.
The policy will only affect DOMAIN Accounts if you link it to THE DOMAIN.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Jorge Silva" wrote:
Also check DC replication (e.g., DCDiag) since if some DC(s) is (are) not replicated for that GPO then it won't apply if pulled from there.
that was going to be my next move...
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ueHjRXIyGHA.4232@xxxxxxxxxxxxxxxxxxxxxxx
Also check DC replication (e.g., DCDiag) since if some DC(s) is (are) not replicated for that GPO then it won't apply if pulled from there.
Technically the actual GPOs are replicated with the File Replication System (of SysVol) but if the AD is replicated (and you aren't experiencing other troubles) then likely it is replicated if AD is.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:%23G1LAQIyGHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
On the server where you're performing these tests, check Administrative Tools -> Domain Security Policy.
This policy refers to Default Domain Policy, and it's replicated every 5 min across DCs.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Deb H" <DebH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:63008EBF-55F0-4A12-9E11-C9833B791D1F@xxxxxxxxxxxxxxxx
I am sorry. I am using the GPO Management tool looking at the PDC. Is there somewhere else to see that it is refreshed?
"Jorge Silva" wrote:
Did you check if the policy on the DC is refreshed?
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Deb H" <DebH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A9E4A5B8-9883-4CFE-B02A-A63B571C4902@xxxxxxxxxxxxxxxx
The same result. The complexity piece just doesn't seem to be applied.
"Jorge Silva" wrote:
Did you run the commands on the server?
What happens when you try to change the user's password on the server?
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Deb H" <DebH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:22CF15C2-12B7-45C1-A7A3-BC6997B90E18@xxxxxxxxxxxxxxxx
When I run a gpresult and net accounts, it shows that the policy is applied. I have tested changing the password on an XP pc. It does not allow me to use a previous password or password less than 7 characters (as I put in my policy).
But it doesn't seem to meet the complexity requirements. I am able to change the password to all lower case with no special characters or numbers.
"Herb Martin" wrote:
"Deb H" <DebH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9B11A881-A048-402C-9A73-BCA7F3032548@xxxxxxxxxxxxxxxx
I have configured my Group Policy for the domain to have passwords meet the complexity requirements. However, when I test this, the password does not reflect complexity. Any Ideas on how I might correct this?
Security Account Policies are ONLY EFFECTIVE at the DOMAIN level. (Password, Kerberos, Lockout.)
You must link the GPO to the domain to see an effect (not OU or Site) with these policies.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
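
The checks discussed in this thread (which GPOs are linked at the domain, whether each carries the complexity setting, and whether every DC reports the same result), as an added example that is not part of the original posts. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which postdate this thread, a domain-joined session, and that the GPO XML report exposes account settings as Account elements with Name and SettingBoolean children.

```powershell
# Added example, not from the thread. Read-only checks; run as a user who can read GPOs.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. GPOs linked directly to the domain object (not to an OU or site),
#    with their link order and Enabled/Enforced state.
$links = (Get-GPInheritance -Target $domainDN).GpoLinks
$links | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. For each domain-level link, report whether that GPO defines
#    "Password must meet complexity requirements" and with what value.
#    Assumption: the XML report names the setting PasswordComplexity.
$xpath = "//*[local-name()='Account'][*[local-name()='Name']='PasswordComplexity']"
foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    $node  = $report.SelectSingleNode($xpath)
    $value = if ($node) {
        $node.SelectSingleNode("*[local-name()='SettingBoolean']").InnerText
    } else {
        'not set in this GPO'
    }
    [pscustomobject]@{
        Order      = $link.Order
        GPO        = $link.DisplayName
        Enforced   = $link.Enforced
        Complexity = $value
    }
}

# 3. What each domain controller actually reports as the domain password
#    policy. A DC that disagrees with the others points at replication.
Get-ADDomainController -Filter * | ForEach-Object {
    $p = Get-ADDefaultDomainPasswordPolicy -Server $_.HostName
    [pscustomobject]@{
        DC                   = $_.HostName
        ComplexityEnabled    = $p.ComplexityEnabled
        MinPasswordLength    = $p.MinPasswordLength
        PasswordHistoryCount = $p.PasswordHistoryCount
    }
} | Format-Table -AutoSize
```

If step 2 shows the setting only in a GPO that is absent from step 1, the GPO is linked somewhere other than the domain and will not affect domain accounts.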