none
Custom Password Policy Settings

    Question

  • Hello Friends,

    I am doing the server practical in virtual environment and wish to set a normal password for the test user "Robert Garcia"  so I disabled the password policy requirement in the gpmc.msc under "Default Domain Policy" and then did a gpupdate so that I can set a password as garcia for the user robert but it did not work. I did a system reboot then also it did not work.

    I did the same thing for the Default Domains Controller Policy option and still it is not working .

    What should be the correct method to disable this as I am in a test environment and simply want to keep simple passwords. Is there any requirement for system reboot or gpupdate should work and what could be the reason here that it is not working in either of the case??

    Thanks

    I noticed that I can't set a number as a password say 65789867 but when I disable the things in default domain policy then I can set the password  but still not the simple text garcia so what I need to edit and where now.

    Also if I need to enable a password policy like the first letter should be capital etc etc then where I can do this customization of password policy

    I can set a normal text as password but not the user's last name as password where I can change this customization. I understand that in production environment its not suggested but just in case where to do the customization??

    Thanks

    Regards

    Thursday, August 14, 2014 10:14 AM

Answers

  • Hi,

    In my testing environment, gpupdate is enough to make the policy changes taking effects.

    Here are a few suggestions for you:

    1. Please make sure that the Default Domain Policy is link enabled.
    2. Other than the Password must meet complexity requirements setting, please also disable other ones like Enforce password history, Minimum password length.
    3. If there is any password policy setting set as Not Defined in Default Domain Policy, please check password policy from Local Security Policy, in which settings could override the Not Defined ones.

    >if I need to enable a password policy like the first letter should be capital etc etc then where I can do this customization of password policy

    You may need to develop scripts to achieve this goal.

    The Official Scripting Guys Forum

    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG

    Best Regards,

    Amy

    • Proposed as answer by Shuki Noy Friday, August 15, 2014 8:50 AM
    • Marked as answer by Server 20XX Sunday, August 17, 2014 6:57 PM
    Friday, August 15, 2014 7:31 AM
  • Hi,

    1. With Group Policy link, we can link existing GPO to another scope, and if there are multiple GPO configured on one scope, we can alter the GPO applying order by link order. In addition, we can keep GPO from taking effects by disable the link after the GPO is configured.

    2. why is it necessary to disable the other ones if I only wish to apply the complexity thing? Are they inter-related?

    They are not inter-related, that’s why we need to evaluate them separately. According to your description, you can set a password like 65789867, but not Garcia, which got me thinking that it might be restricted by the password length instead of complexity. Regarding Enforce password history policy, if Garcia was used as password before, then we may not set it as password again with the Enforce password history policy enabled.

    3. So, apart from these available settings for any other customization do I need to go for scripting??

    Yes, apart from all settings of existing Windows password policies, scripting might be the only way to achieve other customizations.

    • Marked as answer by Server 20XX Wednesday, August 20, 2014 10:47 AM
    Tuesday, August 19, 2014 8:39 AM

All replies

  • Hi,

    In my testing environment, gpupdate is enough to make the policy changes taking effects.

    Here are a few suggestions for you:

    1. Please make sure that the Default Domain Policy is link enabled.
    2. Other than the Password must meet complexity requirements setting, please also disable other ones like Enforce password history, Minimum password length.
    3. If there is any password policy setting set as Not Defined in Default Domain Policy, please check password policy from Local Security Policy, in which settings could override the Not Defined ones.

    >if I need to enable a password policy like the first letter should be capital etc etc then where I can do this customization of password policy

    You may need to develop scripts to achieve this goal.

    The Official Scripting Guys Forum

    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG

    Best Regards,

    Amy

    • Proposed as answer by Shuki Noy Friday, August 15, 2014 8:50 AM
    • Marked as answer by Server 20XX Sunday, August 17, 2014 6:57 PM
    Friday, August 15, 2014 7:31 AM
  • Hello Amy,

    Thank you for the detailed reply. As you said that I need to make sure that the default domain policy is link enabled, did you mean that it should be linked to the domain with a small arrow as if it is attached to the domain?

    I was also doing another practical for AD CS where the things did not work out initially, though once I linked the newly created GPO then they worked fine. I could not understand the logic of explicitly attaching it to the domain if it is already below the domain when we click on the plus sign. Why there is a special need to link them do the domain?? Am I allowed to ask such queries as well in the forum or not? Like the queries regarding the logical concepts or shall I stick to how to queries only??

    2) I will do that though just a query that why is it necessary to disable the other ones if I only wish to apply the complexity thing? Are they inter-related?

    3) I will do that :)

    So, apart from these available settings for any other customization do I need to go for scripting??

    Could you please also let me know that here in the forum where I can enable the new reply notifications for my started thread and the ones I wish to subscribe to be a part of the discussion?? I could not locate a subscription button to get notifications like we get in vbulletin and other forums. I tried to opt for the alert settings at the top left of the thread but it does not give the option I was looking for.

    Thanks

    Regards


    Sunday, August 17, 2014 6:57 PM
  • Hi,

    1. With Group Policy link, we can link existing GPO to another scope, and if there are multiple GPO configured on one scope, we can alter the GPO applying order by link order. In addition, we can keep GPO from taking effects by disable the link after the GPO is configured.

    2. why is it necessary to disable the other ones if I only wish to apply the complexity thing? Are they inter-related?

    They are not inter-related, that’s why we need to evaluate them separately. According to your description, you can set a password like 65789867, but not Garcia, which got me thinking that it might be restricted by the password length instead of complexity. Regarding Enforce password history policy, if Garcia was used as password before, then we may not set it as password again with the Enforce password history policy enabled.

    3. So, apart from these available settings for any other customization do I need to go for scripting??

    Yes, apart from all settings of existing Windows password policies, scripting might be the only way to achieve other customizations.

    • Marked as answer by Server 20XX Wednesday, August 20, 2014 10:47 AM
    Tuesday, August 19, 2014 8:39 AM
  • 4. Could you please also let me know that here in the forum where I can enable the new reply notifications for my started thread and the ones I wish to subscribe to be a part of the discussion??

    Please perform following steps:

    1. Choose My settings after click on Quick Access, which is located at the upper left corner.

    2. Then input a valid email address to receive email notifications.

    3. After the email address is validated, notifications of those threads we have replied will be sent to this email address.

    4. For those threads we didn’t reply but want to monitor, we can select the Alert Me option right under the title of threads.

    Best Regards,

    Amy

    Tuesday, August 19, 2014 8:42 AM
  • Hello,

    By scope you mean domain or the scope of the policy.

    I got you for the 2nd point as might be a setting in one policy could be conflicting with other one. I was doing the practical on a fresh installation of a server and new forest in a domain but I got you as it could be conflicting incase Garcia been used in the past.

    I will skip the scripting part as of now better stick to GUI whatever available. I did the alert thing before and saw the email box. I was wondering what email does it asking now, if I am already there with the account, was in the feel of vbulletin and similar forums where you simply get notified by clicking on the available option. The settings option under Quick access is referring to the same option what I was getting by clicing on alert. I guess, it does for the new user  as I did not confirm my email for alerts and now I can get alerted whenever I wish.

    Thank you Amy, for the wonderful and detailed explanations for my queries. Do we have something best answer or similar thing here in technet as we do in Yahoo Answers? I already marked the replies as answer, does it make any relevancy if I mark multiple replies as answers? anything else that I can do? Or do we need to close the topic now so that if one has queries then can refer this or better start a new thread for the same as this one is like a blog post now where we have the query and the perfect answer for it.

    Thanks
    Regards


    • Marked as answer by Server 20XX Wednesday, August 20, 2014 11:21 AM
    • Unmarked as answer by Server 20XX Wednesday, August 20, 2014 11:21 AM
    Wednesday, August 20, 2014 11:21 AM
  • Hi,

    I am really glad of being helpful to you.

    In our forum, helpful replies can be marked and voted, after replies have been marked, forum community members are able to search for these useful posts easily, and it is OK to mark multiple replies as long as they are helpful.

    This thread will remain open and other forum members can refer to it and add comments. If people who have similar issues find answers in this thread, they can solve their problems efficiently by referring to this thread, and it is always welcomed to start a new thread if we have different issues.

    Please don’t hesitate to let us know if you encounter other issues in the future.

    Best Regards,

    Amy

    Thursday, August 21, 2014 2:11 AM
  • Hi,

    You were amazing and gave me a wonderful experience here in my first post itself. Can't say about the things in future but it was an awesome start as I have seen forums where people just refer Google or post silly replies as if they were a born geek.

    Though I do Google before posting anything to avoid duplicatability. I will surely ask things in relevant sub-forums here.

    Thank you
    • Edited by Server 20XX Thursday, August 21, 2014 5:55 PM
    Thursday, August 21, 2014 11:25 AM