none
windows server 2008 password complexity

    Question

  • The option is dim when I go to

     

    1. Click Start > Run, type gpedit.msc > click OK
    2. Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

    3. The option for disable "Password must meet complexity requirement" is dim and cannot be changed from enabled,

    Server 2008 ent x86
    primary domain controller,    Complexity removed for domain users, Help

     

    Please advise.

    Tuesday, May 26, 2009 9:53 AM

Answers

  • Howdie!

    It is dimmed because the setting is already defined in a domain Group Policy -- you cannot overwrite a domain GP by using a local policy. Launching gpedit.msc always triggers machine-local GP.

    Use RSOP.msc to find the domain Group Policy that handles that setting and re-configure it using the Group Policy Management Console (GPMC) accordingly.

    Cheers,
    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, May 26, 2009 10:46 AM
  • Howdie!

    By default, the complexity setting is enabled, which means that users require strong passwords with complexity. You shouldn't change that.

    Other than that, all I can say is that in a fresh domain, you should be able to open the "Default Domain Policy" in GPMC.msc and change settings, if required. The "Default Domain Policy" is where the Password Policy gets stored.

    If there are other Group Policies linked at the domain level (you can see that in GPMC), you need to check those settings, too.


    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, May 26, 2009 12:14 PM
  • heres a good white paper that explains the password settings
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en
    This posting is provided "AS IS" with no warranties, and confers no rights. Check out my blog at - http://chrisbeams.wordpress.com/
    Wednesday, May 27, 2009 7:21 AM

All replies

  • Hello Virtual,

    Are you logon as a Domain Administrator?
    Isaac Oben MCITP:EA, MCSE
    Tuesday, May 26, 2009 10:18 AM
  • Howdie!

    It is dimmed because the setting is already defined in a domain Group Policy -- you cannot overwrite a domain GP by using a local policy. Launching gpedit.msc always triggers machine-local GP.

    Use RSOP.msc to find the domain Group Policy that handles that setting and re-configure it using the Group Policy Management Console (GPMC) accordingly.

    Cheers,
    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, May 26, 2009 10:46 AM
  • Thanks every so much for your fast reply,  

    I am logged on as the domain admin   And i have just tried the suggested with   RSOP.msc   with no joy still dim


    Tuesday, May 26, 2009 10:58 AM
  • RSOP.msc doesn't do anything with the policy - it is a Reporting "Tool" to check what GP settings apply to a given machine/user combination and tells you what settings are configured by which GPO.

    Re-run RSOP.MSC and browse to Computer Configuration\Windows Settings\Security Settings\ and check, which policy is authoritative for that setting (the very last column indicates that).

    If you have a "fresh" domain with no messing on the GPs, the GP that dictates that feature is most likely the Default Domain Policy as it holds all Password Policy settings (complexity is one of them). Opening GPMC and editing the Default Domain Policy should to the trick for you.

    Also, please note that disabling complexity is a very bad thing to do. You should have good reason to do so ( - users who constantly forget their passwords aren't!). You really decrease overall security of user accounts and all data users work with.

    Cheers,
    Florian


    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, May 26, 2009 11:07 AM
  • Hi first off thanks every so for all your help,

    I have done this and found the option to turn it off, But i still need a strong password??  

    rebooting the server now,   This is a fresh install so not sure,    This is a home domain with just a few people on it, Setting it up for my MSCE

    Tuesday, May 26, 2009 12:02 PM
  • Howdie!

    By default, the complexity setting is enabled, which means that users require strong passwords with complexity. You shouldn't change that.

    Other than that, all I can say is that in a fresh domain, you should be able to open the "Default Domain Policy" in GPMC.msc and change settings, if required. The "Default Domain Policy" is where the Password Policy gets stored.

    If there are other Group Policies linked at the domain level (you can see that in GPMC), you need to check those settings, too.


    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Tuesday, May 26, 2009 12:14 PM
  • heres a good white paper that explains the password settings
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en
    This posting is provided "AS IS" with no warranties, and confers no rights. Check out my blog at - http://chrisbeams.wordpress.com/
    Wednesday, May 27, 2009 7:21 AM
  • After you make changes to GPMC make suer to click start>run and type gpupdate then press enter. This would make sure that the changes take effect.

    www.arthursit.blogspot.com

    Wednesday, August 25, 2010 5:19 PM
  • RSOP.msc doesn't do anything with the policy - it is a Reporting "Tool" to check what GP settings apply to a given machine/user combination and tells you what settings are configured by which GPO.

    Re-run RSOP.MSC and browse to Computer Configuration\Windows Settings\Security Settings\ and check, which policy is authoritative for that setting (the very last column indicates that).

    If you have a "fresh" domain with no messing on the GPs, the GP that dictates that feature is most likely the Default Domain Policy as it holds all Password Policy settings (complexity is one of them). Opening GPMC and editing the Default Domain Policy should to the trick for you.

    Also, please note that disabling complexity is a very bad thing to do. You should have good reason to do so ( - users who constantly forget their passwords aren't!). You really decrease overall security of user accounts and all data users work with.

    Cheers,
    Florian


    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog

    detail when taking Florian advice :

    go to group policy management, go to the forest that contain your domain, go to "Domains", and then choose your domain, and choose Domain Default Policy, and choose "settings" tab, expand through : policies -> windows settings -> security settings -> account policy / password policy -> policy and under there you'll find settings about complexity password.

    right click on item about complexity password, and choose edit -> it will open group policy management editor.

    from there you edit the complexity password (and it will not dimmed again, you can enable or disable it)

    • Proposed as answer by djkelly99 Thursday, July 26, 2012 10:49 AM
    Wednesday, May 30, 2012 10:54 AM
  • Thanks for the extra detail Edward.  This worked perfectly for me.
    Thursday, July 26, 2012 10:16 AM
  • Soo glad I found this article, I struggled with "web" searches for hours. Should have come here in the first place

    Thanks again

    Thursday, May 16, 2013 4:56 PM