Local Security Policy, Default Domain Security Settings, Domain Controller Security Settings...

    Question

  • Good day guys,

         I would like to know what these 3 Security Settings are set to by default.

         Or any related links on what they are set to by default.

         Thanks and Regards,

         Cheers... 

    Friday, April 02, 2010 2:38 PM

Answers

  • While the domain functional level is Windows Server 2003 or lower this is not possible, because there is one additional requirement (as I said): password policy MUST be inherited to Domain Controller container. However for particular policy setting only one winning GPO may exist.
    http://www.sysadmins.lv
    • Marked as answer by radical93 Sunday, April 04, 2010 2:21 AM
    Saturday, April 03, 2010 6:28 PM

All replies

  • Hi

    The following info should answer all your questions regarding the default settings and everything else for all current MS OS's. (The guidance docs detail the defaults & best practice.)

    http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en

    Douks

    • Proposed as answer by Douks Friday, April 02, 2010 2:50 PM
    Friday, April 02, 2010 2:50 PM
  • Good Day Douks,

         Based on my findings, observation, testing, and research regarding this Default Domain Security Settings stated below:

         Default Domain Security Settings: You use this interface to set security policies for all computers in a domain. These settings override the Local Computer Policy settings for domain members if there is a conflict between the two. This interface is accessed via the Group Policy tab in the Properties of the domain node in Active Directory Users and Computers (Administrative Tools menu).  With this link:  http://www.windowsecurity.com/articles/Understanding-Roles-Server-2003-Security-Policies.html.

         I wonder why, when I set all the entries at Password Policy under Account Policies to "not defined" at the Domain Controller (I set these at Control Panel, Administrative Tools, then Domain Security Policy), and then set one user in ADUC to "User must change password at next logon", it still gives me a message of "not meet the password complexity, password length, password history". On the client I made sure that the Password Policy entries under Account Policies are all "not defined". I have read that there is a certain file on the Domain Controller under sysvol\domain\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit, "gpttmpl.inf", which stores these settings, and if you modify these settings it will modify them across all member servers as well as the Domain Security Policy at Control Panel, Administrative Tools.

         It still gives me a message of "not meet the password complexity, password length, password history" even when I set it all to "not defined". Are there cached settings that need to be cleared?

         Any suggestions, clarifications or recommendations would be a great help.

         Thanks and Regards,

         Cheers...

    • Edited by radical93 Friday, April 02, 2010 3:19 PM Added Information...
    Friday, April 02, 2010 3:08 PM
  • You haven't clarified which OS's you are using, or the domain mode in operation. I assume you've run gpupdate (as you can see the settings as undefined on the client - presumably via Local Security Settings MMC) & rebooted if necessary. Please provide more specific details which should enable me to help. Also are you trying to reset the password while logging on to the DC itself or a different client PC?

    There are default settings for policies that will apply if nothing is defined. For example, in an XP/2003 environment the following would hold true for the setting you're having trouble with (note that if you're trying to reset the pwd on a DC then the setting will be enabled by default)...

    Password must meet complexity requirements

    This security setting determines whether passwords must meet complexity requirements.

    If this policy is enabled, passwords must meet the following minimum requirements:

    Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
    Be at least six characters in length
    Contain characters from three of the following four categories:
    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)
    Complexity requirements are enforced when passwords are changed or created.

    Default:

    Enabled on domain controllers.
    Disabled on stand-alone servers.

    Note: By default, member computers follow the configuration of their domain controllers.

    ------------------------

    PS. If you happen to be using W2K then the following may be of interest too...
    http://support.microsoft.com/default.aspx/kb/226243?p=1 (You'll need to be logged in to windows live to view).

    Also, try piping out a gpresult to file just to confirm the policies that are being applied.

     

    Friday, April 02, 2010 3:39 PM
  • Good Day Douks,

         I use Windows Server 2003 with Windows XP Pro, Windows Vista and Windows 7. By nature, when applying it via Group Policy it will be enabled by default even if you set all these entries to "not defined".

         Thanks and Regards,

         Cheers...

    Friday, April 02, 2010 4:28 PM
  • The default settings have changed with the later operating systems. Try setting the Default Domain policies to Disabled rather than Not Configured & let me know the result.
    Friday, April 02, 2010 4:41 PM
  • Good day douks,

         At the GPMC, under Group Policy Objects, I right-clicked Default Domain Policy, chose GPO Status and set it to "All Settings Disabled"; the same thing happens.

         Are there any security updates to be installed to correct this?

         Thanks and Regards,

    • Edited by radical93 Friday, April 02, 2010 5:03 PM Added Questions...
    Friday, April 02, 2010 4:50 PM
  • Hello again

    Changing the GPO status to "All Settings Disabled" will just prevent the policy from applying - it won't change the default settings of the individual policy settings on the client computers or necessarily put them back to what they were. First put this back to how it was before... & then...

    Go to GPMC, select Default Domain Policy, right click & select edit. Expand computer configuration->Policies->Security Settings->Account Policies->Password Policy. Right click Passwords must meet complexity requirements, and then click Properties. Make sure there is a tick in Define this policy setting box & then select the Disabled option.

    Wait for replication if applicable & then gpupdate the client.

    To check the client has picked up the correct setting, open the Local Security Settings MMC on the client itself. Expand Account Policy->Password Policy. Check the setting on Passwords must meet complexity requirements. It should be disabled!

    If it is, try & change the password again - complexity requirements shouldn't be enforced.

    Cheers 

    Friday, April 02, 2010 5:08 PM
  • Good Day Douks,

         I already did what you instructed, but the same thing happens. I ran both of the following, on the Domain Controller as well as on the client:

         gpupdate /force /wait:0 /logoff /boot /sync - Client PC

         gpupdate /force /wait:0 logoff /boot - Server

         Also, when I checked the client's local security settings, it had not picked up the correct settings after I enabled or disabled all the entries on Password Policy, using several ways on the client PC: 1.) Control Panel, Administrative Tools, then Local Security Policy 2.) MMC, Add/Remove Snap-in, then add Group Policy Object Editor 3.) Start, Run, then type "gpedit.msc", on Windows XP, Windows Vista and Windows 7.

         Enabled or Disabled, Not Defined or Defined for all the entries at Password Policy under Account Policies, the same thing happens, with the message of "not meet password length, history, and complexity...". This is somewhat strange. Or is there a security update or patch?

         Any suggestions, clarifications or recommendations would be a great help.

         Thanks and Regards,

         Cheers...

    Friday, April 02, 2010 7:09 PM
  • OK, before we troubleshoot any deeper please confirm the following:

    1. The Default Domain Policy is Enabled.

    2. When you look at the Default Domain Policy in GPMC on a DC, the "Passwords must meet complexity requirements" is Disabled.

    3. On the client machine, following a gpupdate, the "Passwords must meet complexity requirements" is still set as Enabled.

    4. There are no other policies with a higher order of precedence that could be taking priority over the Default Domain Policy settings for "Passwords must meet complexity requirements".

    5. You have checked that the client is receiving other policies correctly (i.e. it doesn't have another fundamental domain membership issue). Please make sure the mechanism is working for everything else.

    If all these conditions are true then we will need to look a little deeper into why the Default Domain Policy settings are not applying to the client.

    Please run gpresult>c:\gp.txt at an administrative command prompt on the client and then post the content of gp.txt to the forum.

    Thanks - I'm sure we can sort this out for you...

    Douks

    Friday, April 02, 2010 7:25 PM
  • Hi radical93

    I'm going offline for a few hours shortly & will be away for the majority of tomorrow. I'll keep an eye out for your next update & do my best to help when I'm back if you've still got issues.

    Cheers & Happy Easter

    Douks

    Friday, April 02, 2010 9:22 PM
  • Good Day Douks,

         1. The Default Domain Policy is Enabled - Yes, all of the entry at Password Policy - Not Defined.   

         2. When you look at the Default Domain Policy in GPMC on a DC, the "Passwords must meet complexity requirements" is Disabled - Yes, all of the entry at Password Policy - Not Defined.

         3. On the client machine, following a gpupdate, the "Passwords must meet complexity requirements" is still set as Enabled - No, all of the entry at Password Policy - Not Defined.

         4. There are no other policies with a higher order of precedence that could be taking priority over the Default Domain Policy settings for "Passwords must meet complexity requirements" - No, I do have a group policy on a certain OU but with the same settings all of the entry at Password Policy - Not Defined.

         5. You have checked that the client is receiving other policies correctly (i.e. it doesn't have another fundamental domain membership issue). Please make sure the mechanism is working for everything else - Yes, it is receiving group policy correctly for the OU like desktop wallpaper, prevent changing desktop wallpaper, software installation using .MSI, mapping of drives using batch file scripts - under User Configuration,  set the slow link detection - under Computer Configuration.  All of these are working fine, and there is no domain membership issue.

         Here is the gpresult below:

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 4/3/2010 at 7:08:53 AM

    RSOP results for CENTRAL\offcen2 on OffcenPC2 : Logging Mode
    -------------------------------------------------------

    OS Type:                     Microsoft Windows XP Professional
    OS Configuration:            Member Workstation
    OS Version:                  5.1.2600
    Domain Name:                 CENTRAL
    Domain Type:                 Windows 2000
    Site Name:                   CENTRAL
    Roaming Profile:            
    Local Profile:               C:\Documents and Settings\offcen2
    Connected over a slow link?: No

    COMPUTER SETTINGS
    ------------------
        CN=OffcenPC2,CN=Computers,DC=mydomain,DC=com
        Last time Group Policy was applied: 4/3/2010 at 6:53:59 AM
        Group Policy was applied from:      server1.mydomain.com
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Local Group Policy

        The computer is a part of the following security groups:
        --------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            Offcen
           

    USER SETTINGS
    --------------
        CN=Office_Center_2,OU=Offcen,OU=OFS2,DC=mydomain,DC=com
        Last time Group Policy was applied: 4/3/2010 at 7:00:17 AM
        Group Policy was applied from:      server1.mydomain.com
        Group Policy slow link threshold:   0 kbps

        Applied Group Policy Objects
        -----------------------------
            Office_Center2_Policy
            Local Group Policy

        The user is a part of the following security groups:
        ----------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            LOCAL
            Offcen

         I hope this helps you find out why, with Password Policy all set to "Not Defined" in the Default Domain Security Policy, in the Group Policy on the Offcen OU and in the Local Group Policy on the client, I still get a message of "Not meet password history, password length, and password complexity" when I set one user in the Offcen OU to "User must change password at the next logon".

         Is it by nature that once you set all the entries at Password Policy to enabled or defined the first time, when you build the Domain Controller with the Default Domain Policy settings, you cannot change or modify them to "Not Defined", and they will be forever defined and enabled?

         Any related links, suggestions, clarifications or recommendations would be a great help.

         Thanks and Regards,

         Cheers and Happy Easter...

    • Edited by radical93 Saturday, April 03, 2010 5:50 AM Added Question...
    Saturday, April 03, 2010 5:21 AM
  • There are some confusing answers in your post.

    > 1. The Default Domain Policy is Enabled - Yes, all of the entry at Password Policy - Not Defined.   

    > 2. When you look at the Default Domain Policy in GPMC on a DC, the "Passwords must meet complexity requirements" is Disabled - Yes, all of the entry at Password Policy - Not Defined.

    In 1 you state that all of the Password Policies in the Default Domain Policy are configured as Not Defined yet in 2 you state that Passwords must meet complexity requirements is Disabled. Which is correct?

    You also have a problem with Group Policy application on your computer:

      Applied Group Policy Objects
        -----------------------------
            Local Group Policy

    You should also be seeing that the Default Domain Policy is being applied here. You need to figure out why the Default Domain Policy GPO isn't being applied to this computer. My guess is that someone has modified the permissions on the GPO.

     


    Paul Adare CTO IdentIT Inc. ILM MVP
    Saturday, April 03, 2010 6:30 AM
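
The check made by eye in the post above (is Default Domain Policy in the computer's list of applied GPOs, or was it filtered out?) can be scripted against saved gpresult output. This is an added example, not part of the thread; the function names are hypothetical and the two abbreviated reports are constructed in the layout of the gpresult output posted here.

```python
import re

SCOPES = {"COMPUTER SETTINGS": "computer", "USER SETTINGS": "user"}
LISTS = {
    "Applied Group Policy Objects": "applied",
    "The following GPOs were not applied because they were filtered out": "filtered",
}
UNDERLINE = re.compile(r"^-+$")


def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    report = {s: {"applied": [], "filtered": {}} for s in SCOPES.values()}
    scope = section = last_gpo = None
    for i, line in enumerate(lines):
        if UNDERLINE.match(line):
            continue
        # gpresult marks a heading by underlining it with dashes on the next line.
        if i + 1 < len(lines) and UNDERLINE.match(lines[i + 1]):
            if line in SCOPES:
                scope = SCOPES[line]
            section = LISTS.get(line)  # None for headings that are not tracked
            last_gpo = None
            continue
        if scope is None or section is None:
            continue
        if section == "applied":
            report[scope]["applied"].append(line)
        elif line.startswith("Filtering:"):
            if last_gpo:  # the reason belongs to the GPO named just above it
                report[scope]["filtered"][last_gpo] = line.split(":", 1)[1].strip()
        else:
            last_gpo = line
            report[scope]["filtered"][line] = ""
    return report


def domain_gpo_status(report, gpo="Default Domain Policy"):
    """Password Policy sits under Computer Configuration, so check that scope."""
    computer = report["computer"]
    if gpo in computer["applied"]:
        return "applied"
    if gpo in computer["filtered"]:
        return "filtered out: " + computer["filtered"][gpo]
    return "not applied"


# Constructed excerpts (not the full reports from the thread).
FIRST_REPORT = r"""
COMPUTER SETTINGS
------------------
    CN=OffcenPC2,CN=Computers,DC=mydomain,DC=com

    Applied Group Policy Objects
    -----------------------------
        Local Group Policy

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Office_Center2_Policy
        Local Group Policy
"""

LATER_REPORT = r"""
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    ------------------------------------------------------------------
        Office_Center2_Policy
              Filtering:  Denied (Security)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        Domain Computers
"""

if __name__ == "__main__":
    for name, text in (("first", FIRST_REPORT), ("later", LATER_REPORT)):
        print(name, "->", domain_gpo_status(parse_gpresult(text)))
```
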
  • Another odd thing from your posted results is that the computer on which you ran gpresult is not a member of the Domain Computers group.

     


    Paul Adare CTO IdentIT Inc. ILM MVP
    Saturday, April 03, 2010 6:52 AM
  • You should also be seeing that the Default Domain Policy is being applied here. You need to figure out why the Default Domain Policy GPO isn't being applied to this computer. My guess is that someone has modified the permissions on the GPO.

     


    Paul Adare CTO IdentIT Inc. ILM MVP


    Or you've got Group Policy being blocked at the OU which contains the account for the computer in question.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Saturday, April 03, 2010 6:53 AM
  • Good Day Paul,

         1. The Default Domain Policy is Enabled - Yes, all of the entry at Password Policy - Not Defined. At DC GPMC expand the Group Policy Objects, then you will see the "Default Domain Policy", then right click, then GPO Status, then "Enabled".  And when you edit this Default Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, then Password Policy, all of them there are "Not Defined".  The same goes for Control Panel, Administrative Tools, Domain Security Policy: when you modify it, it will also modify the "Default Domain Policy", and it will modify it across all member servers.

         All Entry of Password Policy below:

         Policy                                        Security Settings
         Enforce Password History                      Not defined
         Maximum Password Age                          Not defined
         Minimum Password Age                          Not defined
         Minimum Password Length                       Not defined
         Password Must Meet Complexity Requirements    Not defined
         Store Password Using Reversible Encryption    Not defined

         2. When you look at the Default Domain Policy in GPMC on a DC, the "Passwords must meet complexity requirements" is Disabled - Yes, all of the entry at Password Policy - Not Defined, which is the same as my answer at No. 1.

         You should also be seeing that the Default Domain Policy is being applied here. - Yes, it should be but why on previous question if I have a higher order of precedence that could be taking priority over the Default Domain Policy settings but I don't have, it is "Enabled".  And it should be applied because based on my previous question below:

         Default Domain Security Settings: You use this interface to set security policies for all computers in a domain. These settings override the Local Computer Policy settings for domain members if there is a conflict between the two. This interface is accessed via the Group Policy tab in the Properties of the domain node in Active Directory Users and Computers (Administrative Tools menu).  With this link:  http://www.windowsecurity.com/articles/Understanding-Roles-Server-2003-Security-Policies.html.

         Is that still confusing or the question is confusing?

         I still wonder, is that by nature?

         Is it by nature that once you set all the entries at Password Policy to enabled or defined the first time, when you build the Domain Controller with the Default Domain Policy settings, you cannot change or modify them to "Not Defined", and they will be forever defined and enabled?

         Any related links, explanations, suggestions, clarifications or recommendations would be a great help.

         Thanks and Regards,

         Cheers...

    • Edited by radical93 Saturday, April 03, 2010 7:32 AM Added Information...
    Saturday, April 03, 2010 7:04 AM
  • Ok, so first of all Not Defined is not the same thing as Disabled. Not Defined means that this setting will be ignored and whatever setting is currently enabled is the one that will be applied. If you want to disable the password complexity setting then you need to change Password Must Meet Complexity Requirements from Not Defined to Disabled.

    Secondly, in order to affect domain accounts, Password policy must be set at the domain level. Setting Password policy in a GPO at any location other than the domain level will only affect local user accounts on computers to which that GPO applies. So, to correct the problem on the workstation in question, you're either going to have to change the Default Domain Policy GPO, or a custom GPO that is linked to the domain.

    Finally, until you figure out why the Default Domain Policy GPO is not being applied to this computer, nothing is going to help you. Once you get the Default Domain Policy GPO to apply to this computer, you can then set the complexity setting to Disabled.

     


    Paul Adare CTO IdentIT Inc. ILM MVP
    Saturday, April 03, 2010 7:19 AM
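
The distinction drawn in the post above between Not Defined and Disabled is visible in the gpttmpl.inf security template mentioned earlier in the thread: a setting that is not defined has no line in the template at all, while a disabled one is present with the value 0. This is an added example, not part of the thread; the function names are hypothetical, the sample template is constructed, and the key names are the standard `[System Access]` keys of a Windows security template.

```python
import configparser

# Policy name as shown in the editor -> key in the template's [System Access] section.
PASSWORD_KEYS = {
    "Enforce password history": "PasswordHistorySize",
    "Maximum password age": "MaximumPasswordAge",
    "Minimum password age": "MinimumPasswordAge",
    "Minimum password length": "MinimumPasswordLength",
    "Password must meet complexity requirements": "PasswordComplexity",
    "Store password using reversible encryption": "ClearTextPassword",
}
ON_OFF = {"PasswordComplexity", "ClearTextPassword"}  # 1 = Enabled, 0 = Disabled


def password_policy_state(inf_text):
    """Map each Password Policy entry to 'Not defined', 'Enabled'/'Disabled' or its value.

    Pass in already-decoded text; the file on SYSVOL is normally saved as
    UTF-16, so the caller decodes it first (assumption about the caller).
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",))
    parser.read_string(inf_text.lstrip("\ufeff"))  # tolerate a leftover BOM
    # INF section and key names are not case-sensitive.
    section = next((parser[s] for s in parser.sections()
                    if s.lower() == "system access"), {})
    state = {}
    for name, key in PASSWORD_KEYS.items():
        value = section.get(key.lower())
        if value is None:
            state[name] = "Not defined"      # no line in the template: GPO is silent
        elif key in ON_OFF:
            state[name] = "Enabled" if value.strip() == "1" else "Disabled"
        else:
            state[name] = value.strip()
    return state


def left_to_current_value(state):
    """Entries this GPO does not set, so whatever is already in effect stays."""
    return [name for name, value in state.items() if value == "Not defined"]


# Constructed sample: complexity explicitly disabled, length set to 0,
# every other Password Policy entry left not defined.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
"""

if __name__ == "__main__":
    state = password_policy_state(SAMPLE_INF)
    for name, value in state.items():
        print(f"{name:45} {value}")
    print("Not set by this GPO:", left_to_current_value(state))
```
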
  • Good Day Paul,

         The computer is a member of Domain Computers, which I accidentally erased while hiding my real identity. Here is the gpresult again, see below:

         And also you can see that the computers are members of the Domain Computers group at "CN=OffcenPC2,CN=Computers,DC=mydomain,DC=com", which is stated below:

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 4/3/2010 at 7:08:53 AM


    RSOP results for CENTRAL\offcen2 on OffcenPC2 : Logging Mode
    -------------------------------------------------------

    OS Type:                     Microsoft Windows XP Professional
    OS Configuration:            Member Workstation
    OS Version:                  5.1.2600
    Domain Name:                 CENTRAL
    Domain Type:                 Windows 2000
    Site Name:                   CENTRAL
    Roaming Profile:            
    Local Profile:               C:\Documents and Settings\offcen2
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=OffcenPC2,CN=Computers,DC=mydomain,DC=com
        Last time Group Policy was applied: 4/3/2010 at 6:53:59 AM
        Group Policy was applied from:      server1.mydomain.com
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Local Group Policy

        The computer is a part of the following security groups:
        --------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            Domain Computers
            Offcen
           

    USER SETTINGS
    --------------
        CN=Office_Center_2,OU=Offcen,OU=OFS2,DC=mydomain,DC=com
        Last time Group Policy was applied: 4/3/2010 at 7:00:17 AM
        Group Policy was applied from:      server1.mydomain.com
        Group Policy slow link threshold:   0 kbps

        Applied Group Policy Objects
        -----------------------------
            Office_Center2_Policy
            Local Group Policy

        The user is a part of the following security groups:
        ----------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            LOCAL
            Offcen

    • Edited by radical93 Saturday, April 03, 2010 7:35 AM Added Information...
    Saturday, April 03, 2010 7:26 AM
  • Good Day Paul,

         Also, in my Group Policy on the specific OU all entries at Password Policy are "Not Defined", but all other Group Policy settings are working fine, like Software Installation using .MSI, prevent changing wallpaper, Active Desktop Wallpaper, etc.

    Saturday, April 03, 2010 7:31 AM
  • Good Day Paul,

         I did another test and found something: I added Default Domain Policy and Computer for the specific OU, and as a result, after gpupdate the Default Domain Policy appears at User Configuration and Computer Configuration.  Please feel free to see the result below:

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 4/3/2010 at 1:43:02 PM


    RSOP results for CENTRAL\offcen2 on OffcenPC2 : Logging Mode
    -------------------------------------------------------

    OS Type:                     Microsoft Windows XP Professional
    OS Configuration:            Member Workstation
    OS Version:                  5.1.2600
    Domain Name:                 CENTRAL
    Domain Type:                 Windows 2000
    Site Name:                   CENTRAL
    Roaming Profile:            
    Local Profile:               C:\Documents and Settings\offcen2
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=OffcenPC2,CN=Computers,DC=mydomain,DC=com
        Last time Group Policy was applied: 4/3/2010 at 1:20:27 PM
        Group Policy was applied from:      server1.mydomain.com
        Group Policy slow link threshold:   500 kbps

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Local Group Policy

        The following GPOs were not applied because they were filtered out
        ------------------------------------------------------------------
            Office_Center2_Policy
                  Filtering:  Denied (Security)

        The computer is a part of the following security groups:
        --------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            OffcenPC2$
            Domain Computers
            Offcen
           

    USER SETTINGS
    --------------
        CN=Office_Center_2,OU=Offcen,OU=OFS2,DC=mydomain,DC=com
        Last time Group Policy was applied: 4/3/2010 at 1:31:18 PM
        Group Policy was applied from:      server1.mydomain.com
        Group Policy slow link threshold:   0 kbps

        Applied Group Policy Objects
        -----------------------------
            Office_Center2_Policy
            Default Domain Policy
            Local Group Policy

        The user is a part of the following security groups:
        ----------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            LOCAL
            Offcen 

         Windows XP Professional Edition:

    "The password supplied does not meet the minimum complexity requirements.  Please select another password that meets all of the following criteria: is at least 7 characters; has not been used in the previous 24 passwords; must not have been changed within the last 1 days; does not contain your account or full name; contains at least three of the following four character groups: English uppercase characters (A through Z); English lowercase characters (a through z); Numerals (0 through 9); Non-alphabetic characters (such as !,$,#,%). Type a password which meets these requirements in both text boxes."

         Windows Vista Business Edition:

    "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

         The same thing happened: with all entries at Password Policy set as "Not Defined" or "Disabled" I still get the message above, since I set two users, one for Windows XP and one for Windows Vista, to "User must change password at next logon".

         All I want to know is how this happens. Based on my overall research, observations and testing, I have found that there is a new feature in Group Policy of Windows Server 2008 and Windows Vista (Managing Group Policy) regarding applying the Default Domain Policy and Local Group Policy: there is an entry at Computer Configuration, Administrative Templates, System, Group Policy, where you will see "Turn off Local Group Policy Object Processing".

         Can we have a version of ADM with the new ADMX Group Policy, to be able to add the "Turn off Local Group Policy Object Processing" to the Windows Server 2003 ADM files?

         Any related links, explanations, suggestions, clarifications, recommendations.

         Thanks and Regards,

         Cheers...

    Saturday, April 03, 2010 10:56 AM
  • You should read up on Group Policy processing on Technet (preferably in whatever your native language is) as you seem to have a basic lack of understanding as to how it works, especially when it comes to Password policy.

    As I posted in another post, in order to affect domain accounts, Password policy must be set at the domain level. Setting it anywhere else will affect local accounts, but will have no impact on domain accounts.

    If you're still getting those messages when trying to change or set a password on a domain account, then you've got a problem somewhere with policy at the domain level.

    You need to run rsop.msc and confirm that under Computer Configuration/Windows Settings/Security Settings/Password Policy that every setting you don't want enforced is set to Disabled and that the Source GPO is set at the domain level. To simplify your troubleshooting, use the Default Domain Policy and make sure nothing else is configured at the domain level.

    Also, are you sure that you're testing with domain accounts and not local accounts? There's no way to create a user for XP or a user for Vista. Users are users are users at the domain level.

     


    Paul Adare CTO IdentIT Inc. ILM MVP
    Saturday, April 03, 2010 11:31 AM
  • Just to add to Paul's answer. As stated, password policies MUST be configured *once* at domain level. Also make sure that this policy is *NOT* blocked under the Domain Controllers container.
    http://www.sysadmins.lv
    Saturday, April 03, 2010 1:55 PM
  • Just to add one last bit of info to Paul & Vadim's posts, if you need to add more than one password policy on a single domain then it is technically possible.

    You would need to create multiple policies at the domain level with the settings required & then security filter each of them to get the settings you want for each particular scenario. This isn't generally considered best practise as it can get quite confusing, but nevertheless it works!

    Also, as I said at the start, everything you need to know on this subject is freely available on technet here...

    http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en

    I'm sorry that collectively we couldn't resolve the issue you're experiencing.

    Best regards

    Douks

     

    • Edited by Douks Saturday, April 03, 2010 6:29 PM
    Saturday, April 03, 2010 6:25 PM
  • While the domain functional level is Windows Server 2003 or lower this is not possible, because there is one additional requirement (as I said): password policy MUST be inherited to Domain Controller container. However for particular policy setting only one winning GPO may exist.
    http://www.sysadmins.lv
    • Marked as answer by radical93 Sunday, April 04, 2010 2:21 AM
    Saturday, April 03, 2010 6:28 PM