Default Domain Policy Change - not applying complex password - 2008 r2

    Question

  • Hi, I have been advised to change the Default Domain Policy. The main features are: minimum password length 8 characters.

    The updated policy should have: minimum password length 8 characters and complexity enabled.

    I have set up a test GPO and OU and attached the policy. The machine picks up the updated settings OK (ran GP results/wizard).

    When I press Ctrl-Alt-Delete and change the password, it does not force the user to set a complex password. Is there any reason why this is not happening? I'm assuming it would update to complex. Attached is the updated policy. Any help appreciated.

    Thanks



    • Edited by The Futurist Thursday, July 7, 2016 10:38 AM amend
    Thursday, July 7, 2016 10:16 AM

Answers

All replies

  • Hi,

    Can you check if the policy is replicated to all the DCs in the domain? Also pull out the GPResult report on the PC to see if the correct password policy is applied.

    Worth a test to expire a test user's password and try changing it to see if the policy is working correctly.


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Thursday, July 7, 2016 10:43 AM
  • Hi Jimmy, yes I have confirmed the machine has the updated settings (complexity).

    I have pressed Ctrl-Alt-Delete to change the password (this should be sufficient to pick up the new policy, right?), but it still does not pick up the complexity setting.

    Confused....:-(

    M

    Thursday, July 7, 2016 11:39 AM
  • I mean, can you force a user to expire the password or change the password at next logon? Can you provide info on your environment: what setup is it, Win2008R2/Win2003 or all 2012?

    Regards, Jim MSCS - MCP

    Thursday, July 7, 2016 11:43 AM
  • 2008R2

    Cheers

    Thursday, July 7, 2016 12:10 PM
  • Hi mate, can you check that you don't have any conflicting GPOs with password policy enabled?


    Regards, Jim MSCS - MCP

    Thursday, July 7, 2016 12:40 PM
  • Hi,

    Yes, I have created a separate OU at the top level (where no other GPOs are attached) and added the new Domain Policy to that OU, with a test user/machine in there.

    I have also run a GP result/wizard. Very strange.

    Thursday, July 7, 2016 12:46 PM
  • Have you tried blocking inheritance to rule out conflicts, and what is the client OS?

    Regards, Jim MSCS - MCP

    Thursday, July 7, 2016 1:08 PM
  • Hi,

    If I understand correctly, you have a default domain policy and you are trying to add another one for another OU?

    You can't do that...

    Only one GPO for passwords is authorized.

    If you want to have another, on 2008R2 you need to have another domain. Otherwise, you need to have one DC on 2012 or later and use fine-grained password policy.

    Thursday, July 7, 2016 1:21 PM
  • > I have set up a test GPO and OU and attached the policy. The machine
    > picks up the updated settings OK (ran GP results/wizard)

    Your account is a domain account, not a local account on this machine.
    So you MUST link your password GPO to the domain itself, not to an OU.

    Thursday, July 7, 2016 2:05 PM
  • I did rename the Default Domain Policy to something else. Could that be the reason, although the machine picks up the updated settings?

    Edit - looks like it can be renamed :-_
    https://support.microsoft.com/en-us/kb/556025


    Thursday, July 7, 2016 2:38 PM
  • > I did rename the Default Domain Policy to something else. Could that be
    > the reason, although the machine picks up the updated settings?
     
    No, names do not matter. To affect domain accounts, PW GPOs must be
    linked to the Domain itself, and the PDC emulator requires apply rights.

    Thursday, July 7, 2016 3:00 PM
  • Hi Martin, I can confirm that the PW GPO is linked to the domain.

    I have googled this: PDC emulator requires apply rights.

    How do I go about this part?

    Thanks

    Thursday, July 7, 2016 3:43 PM
  • > I have googled this: PDC emulator requires apply rights.

    dsquery server -hasfsmo PDC
     
    On this server, run a RSoP report within GPMC to check the effective
    password GPO.
     
    Thursday, July 7, 2016 3:46 PM
  • Hi,

    Thanks for your post.

    For domain accounts, there can be only one account policy per domain (except fine-grained password policy). The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

    For more information, you could refer to the article below.

    Account Policy Settings

    https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 8, 2016 5:23 AM
    Moderator
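A PowerShell walk-through of the checks raised in the replies above (PDC emulator role holder, domain-root link order, apply rights, RSoP on the PDC emulator), added here as an example and not posted by anyone in the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules, and "PasswordGPO-Placeholder" stands in for the real GPO name.

```powershell
# Added example: verify where the domain account policy actually comes from.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) and read access to the domain.
# "PasswordGPO-Placeholder" is a placeholder for the real password GPO name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = "PasswordGPO-Placeholder"
$domain  = Get-ADDomain
$pdc     = $domain.PDCEmulator

# 1. The DC holding the PDC emulator role (same answer as: dsquery server -hasfsmo PDC).
"PDC emulator: $pdc"

# 2. The effective domain-wide account policy as stored on the domain head.
#    If ComplexityEnabled is False here, the new settings never reached the PDC emulator,
#    whatever gpresult shows on a member workstation.
Get-ADDefaultDomainPasswordPolicy -Server $pdc |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount

# 3. GPOs linked at the domain root, in precedence order (Order 1 has the highest precedence).
#    A password GPO linked only to an OU is absent from this list and does not affect
#    domain accounts; it must be linked here, above the Default Domain Policy.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 4. Apply rights: the PDC emulator's computer account must be able to apply the GPO,
#    either directly or through a group it belongs to (e.g. Authenticated Users).
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, Permission

# 5. RSoP for the PDC emulator itself; in the report read
#    Computer Configuration > Security Settings > Account Policies > Password Policy.
Get-GPResultantSetOfPolicy -Computer $pdc -ReportType Html -Path "$env:TEMP\pdc-rsop.html"
```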
  • Hi all. We have decided to use fine-grained password policy to achieve this, as a separate policy is now required for Domain Admin access.

    It still does not make sense how the Domain Computers did not use the complexity password setting although the test machines had picked up the GP settings. I ensured that all the info above was actioned on the DC/GP. Just pulling my hair out as to why this happened.

    Thanks for your help with this

    Friday, July 8, 2016 10:18 AM
  • Hi,

    How did you configure FGPP?

    Here are articles about how to configure FGPP for your reference.

    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

    Step 1: Create a PSO

    https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx

    Step 2: Apply PSOs to Users and Global Security Groups

    https://technet.microsoft.com/en-us/library/cc731589(v=ws.10).aspx

    Best Regards,

    Jay



    Tuesday, July 12, 2016 8:19 AM
    Moderator
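The PSO creation and assignment that the three linked steps describe, as an added PowerShell example (not from the thread or the linked guides); the policy values are constructed, "admin.placeholder" is a placeholder account, and it assumes the ActiveDirectory module and a domain functional level that supports FGPP.

```powershell
# Added example: create a fine-grained password policy (PSO) for Domain Admins and
# check which policy wins for one admin account. Values are constructed, not from the
# thread; assumes the ActiveDirectory module and a domain that supports FGPP.
# "admin.placeholder" is a placeholder account name.
Import-Module ActiveDirectory

$psoName = "DomainAdmins-PSO"

# Lower Precedence wins when a user is covered by several PSOs. The ages and lockout
# windows must be consistent: MinPasswordAge < MaxPasswordAge, and the observation
# window must not exceed the lockout duration, or the cmdlet rejects the object.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs apply only to users and global security groups, never to OUs or computers,
# so the subject here is the Domain Admins group rather than an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects "Domain Admins"

# Resultant policy for one account. An empty result means no PSO applies and the
# domain-root GPO account policy is in force for that user.
$resultant = Get-ADUserResultantPasswordPolicy -Identity "admin.placeholder" -ErrorAction SilentlyContinue
if ($resultant) {
    "Effective PSO for admin.placeholder: $($resultant.Name) (complexity=$($resultant.ComplexityEnabled))"
} else {
    "No PSO applies to admin.placeholder; the domain-wide account policy is in effect."
}
```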
  • Hi,

    If the replies have resolved your problem, please mark it as the answer, as it would be helpful to anyone who encounters a similar issue.

    Thank you.

    Best Regards,

    Jay



    Wednesday, July 20, 2016 2:49 AM
    Moderator