Sign in
 

none
Default Domain Policy Change - not applying complex password - 2008 r2

 > 

    Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi, I have been advised to change the Default Domain Policy. The main features are: minimum password length 8 characters.<o:p></o:p>

    The updates policy should have: minimum password length 8 characters and complexity enabled.<o:p></o:p>

    I have test up a test GPO and OU and attached the policy. The machine picks up the updates settings ok (ran gp results/wizard)<o:p></o:p>

    When i press ctr-alt-delete and change the password it does not force the user to set a complex password. Is there any reason why this is not happening. Im assuming it would update to complex. Attached is the updates policy.Any help appreciated<o:p></o:p>

    Thanks<o:p></o:p>



    • Edited by The Futurist Thursday, July 07, 2016 10:38 AM amend
    Thursday, July 07, 2016 10:16 AM
    |

Answers

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    Can you check if the policy is replicated to all the DC's in the domain? Also pull out the GPresult report on the PC to see if correct password policy is applied.

    Worth a test to expire a test users password and try changing it to see if policy is working correctly.

    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Thursday, July 07, 2016 10:43 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Jimmy, yes I have confirmed the machines has the updated settings (complexity).

    I have pressed ctrl-alt-delete to change password (this should be sufficient to pick up the new policy right?), but still does not pick up the complexity setting.

    Confused....:-(

    M

    Thursday, July 07, 2016 11:39 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    I mean can you force a user to expire password or change password at next logon? Can you provide info on your environment what setup is it WIn2008R2/Win2003 or all 2012?

    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Thursday, July 07, 2016 11:43 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    2008R2

    Cheers

    Thursday, July 07, 2016 12:10 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi mate, can you check if you dont have any conflicting GPO's with password policy enabled?

    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Thursday, July 07, 2016 12:40 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

     Yes I have created a separate OU at the top level (where no other GPOs are attached) and added the new Domain Policy to that OU, with test user/machine in there. 

    i have also ran a gp result/wizard. Very strange.

    Thursday, July 07, 2016 12:46 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    Tried blocking inheritance to rule out conflicts and what is the client OS?

    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Thursday, July 07, 2016 1:08 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    If I understand, you have a default domain policy and you try to add an other for other OU ?

    You couldn't do it...

    Only one GPO for password is authorized.

    If you want to have other, on 2008R2 you need to have other domain. Else, you need to have one DC on 2012 or more and use fine grain password policy.

    Thursday, July 07, 2016 1:21 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    > I have test up a test GPO and OU and attached the policy. The machine
    > picks up the updates settings ok (ran gp results/wizard)<o:p></o:p>
     
    Your account is a domain account, not a local account on this machine.
    So you MUST link your password GPO to the domain itself, not to an OU.
     
     
    Thursday, July 07, 2016 2:05 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    I did rename the Default Domain Policy to something else. Could that be the reason, although the machine picks up the updated settings?

    Edit - looks like it can be renamed :-_
    https://support.microsoft.com/en-us/kb/556025


    • Edited by The Futurist Thursday, July 07, 2016 2:53 PM add
    Thursday, July 07, 2016 2:38 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    > I did rename the Default Domain Policy to something else. Could that be
    > the reason, although the machine picks up the updated settings?
     
    No, names do not matter. To affect domain accounts, PW GPOs must be
    linked to the Domain itself and the PDC emulatur requires apply rights.
     
    Thursday, July 07, 2016 3:00 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Martin , i can confirm that the PW GPO is linked to the domain

    I have googled this:PDC emulatur requires apply rights.

    How do i go about this part?

    Thanks

    Thursday, July 07, 2016 3:43 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    > I have googled this:PDC emulatur requires apply rights.
     
    dsquery server -hasfsmo PDC
     
    On this server, run a RSoP report within GPMC to check the effective
    password GPO.
     
    Thursday, July 07, 2016 3:46 PM
    |
  • Question
    Sign in to vote
    1
    Sign in to vote

    Hi,

    Thanks for your post.

    For domain accounts, there can be only one account policy per domain (except fine grain password policy). The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO)linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

    For more information, you could refer to the article below.

    Account Policy Settings

    https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx

    Best Regards,

    Jay

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 08, 2016 5:23 AM
    |
    Moderator
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi all. We have decided to use fine grain password to achieve this, as a separate policy is now required for Domain Admin access.<o:p></o:p>

    It still does not make sense how the Domain Computers did not use the complexity password setting although the test machines had picked up the GP settings. I ensured that all the info above was actioned on the DC/GP. Just pulling my hair out as to why this happened.<o:p></o:p>

    Thanks for your help with this<o:p></o:p>

    Friday, July 08, 2016 10:18 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    How did you configure FGPP?

    Here are articles about how to configure FGPP for your reference.

    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

    Step 1: Create a PSO

    https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx

    Step 2: Apply PSOs to Users and Global Security Groups

    https://technet.microsoft.com/en-us/library/cc731589(v=ws.10).aspx

    Best Regards,

    Jay

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 12, 2016 8:19 AM
    |
    Moderator
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    If the replies have resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 20, 2016 2:49 AM
    |
    Moderator