Enforcing password policy

    Question

  • Hi,

    Running 2012R2 AD Servers. All our workstations appear to be using the password settings from the Default Domain Policy and not the GPO that sits below the default policy. Everything appears to be linked correctly, and there are no issues with replication. Is there something I can do to force the correct password policy to be used? I can see the policy is applied to the correct group of machines/users.

    Regards,

    Thursday, March 16, 2017 10:13 AM

All replies

  • Hi,

    By default all the objects in your AD will have the default domain policies, which will have the password settings enabled by default. You can change the complexity as per your password requirement. If you are looking for fine-grained password policy, kindly look at the article below.

    https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

    Thanks

    Syed Abdul Kadar M.


    Don't forget to mark as Answered if you found this post helpful.

    Thursday, March 16, 2017 10:19 AM
  • > All our workstations appear to be using the password settings from The Default Domain Policy & not the GPO that sits below the default policy.
     
    "Below" means "processed earlier". Last writer wins...
     
    Thursday, March 16, 2017 10:41 AM
  • Hi,

    We have a password GPO in place, which addresses complexity etc, but it does not seem to be being applied which is the problem facing just now.  It's just picking up the Domain default policy.

    Don't seem to be able to force it to use the GPO set-up.

    Thursday, March 16, 2017 10:49 AM
  • Dear,

    As per Microsoft recommendation you need to enable password and audit policies on default domain policy.

    You don't need to create a separate GPO for password policies until you need to have a fine grained password policy.

    Just disable the GPO which you have created and modify the Default domain policy as per the changes you need. It will get resolved.

    Thanks

    Syed Abdul Kadar M.


    Don't forget to mark as Answered if you found this post helpful.

    Thursday, March 16, 2017 10:54 AM
  • Hi,

    Appreciate getting back to me again, but as there are 3 different user groups, that is the reason I am assuming it can't all be done from the default domain policy.

    Thursday, March 16, 2017 11:08 AM
  • Dear ,

    As I mentioned earlier you need to enable the fine grained password policy.

    https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

    Thanks

    Syed Abdul Kadar M.


    Don't forget to mark as Answered if you found this post helpful.

    Thursday, March 16, 2017 11:24 AM
  • Hi,

    Yes, the additional fine-grained GPOs are already set up but not being applied for whatever reason.

    Thursday, March 16, 2017 12:32 PM
  • Hi,
    When using fine-grained password policies, we could use the following command to check what policy is being applied to a specific user:
    dsquery user -samid <username> | dsget user -effectivepso
    Alternatively, you could view the resultant Password Settings object (PSO) for a user object from Windows interface, please see:
    View a Resultant PSO for a User or a Global Security Group
    https://technet.microsoft.com/en-us/library/cc770848(v=ws.10).aspx
    And you could follow the article as below to enable and use Fine-Grained Password Policies in AD and see if the configuration is correctly set up in your domain:
    https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/
    Please note that the domain functional level must be Windows Server 2008 if we configure FGPP.
    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Friday, March 17, 2017 5:56 AM
    Moderator
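The check Wendy describes, as an added PowerShell example rather than code from the thread: it lists every Password Settings Object (PSO) with its precedence and the users/global groups it targets, then reports for each account whether a PSO or the Default Domain Policy is the effective policy. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the account names are placeholders.

```powershell
# Added example (not from the thread): audit which password policy actually
# governs a set of domain accounts. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicyReport {
    param(
        # Placeholder sAMAccountNames; replace with the accounts to check.
        [string[]]$SamAccountNames = @('user1', 'user2')
    )

    # Domain-wide settings (Default Domain Policy); the fallback when no PSO applies.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Every fine-grained policy and its subjects. PSOs can only target users and
    # global security groups; linking a GPO to an OU never changes domain account policy.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $pso.Name |
                     ForEach-Object { $_.Name }) -join ', '
        Write-Host ("PSO '{0}' precedence {1} applies to: {2}" -f $pso.Name, $pso.Precedence, $subjects)
    }

    # Resultant policy per user: the applicable PSO with the lowest precedence value
    # wins; a null result means the account falls back to the domain defaults.
    foreach ($sam in $SamAccountNames) {
        $user = Get-ADUser -Identity $sam
        $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
        $src  = if ($pso) { $pso } else { $domainPolicy }
        [pscustomobject]@{
            User       = $sam
            Source     = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
            MinLength  = $src.MinPasswordLength
            Complexity = $src.ComplexityEnabled
            MaxAgeDays = $src.MaxPasswordAge.Days
            Lockout    = $src.LockoutThreshold
        }
    }
}

Get-EffectivePasswordPolicyReport | Format-Table -AutoSize
```

An account that shows "Default Domain Policy" while a PSO exists for it usually means the PSO's subjects do not include that user or a global group the user belongs to, or the PSO is not in the domain's functional-level range.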