Default Domain Policy Change - not applying complex password - 2008 r2

-
Hi, I have been advised to change the Default Domain Policy. The main features are: minimum password length 8 characters.
The updated policy should have: minimum password length 8 characters and complexity enabled.
I have set up a test GPO and OU and attached the policy. The machine picks up the updated settings OK (ran gp results/wizard).
When I press Ctrl-Alt-Delete and change the password, it does not force the user to set a complex password. Is there any reason why this is not happening? I'm assuming it would update to complex. Attached is the updated policy. Any help appreciated.
Thanks
- Edited by The Futurist Thursday, July 07, 2016 10:38 AM amend
Question
Answers
-
Hi,
How did you configure FGPP?
Here are articles about how to configure FGPP for your reference.
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
Step 1: Create a PSO
https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx
Step 2: Apply PSOs to Users and Global Security Groups
https://technet.microsoft.com/en-us/library/cc731589(v=ws.10).aspx
Best Regards,
Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Jay GuModerator Thursday, July 21, 2016 8:00 AM
- Marked as answer by Jay GuModerator Saturday, July 23, 2016 11:29 AM
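The two linked steps (create a PSO, then apply it to users or global security groups) can also be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original reply; the PSO name and precedence are assumed values, and the length and complexity settings are the ones asked for in the question.

```powershell
# Added example: values marked "assumed" are illustrative, not taken from the thread.
Import-Module ActiveDirectory

# Fine-grained password policies need a domain functional level of
# Windows Server 2008 or higher; stop early on older levels.
$preFgppModes = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
$mode = (Get-ADDomain).DomainMode.ToString()
if ($preFgppModes -contains $mode) {
    throw "Domain functional level is $mode; fine-grained password policies are unavailable."
}

$psoName = 'PSO-DomainAdmins'   # assumed name
$group   = 'Domain Admins'      # global security group the PSO should cover

# Step 1: create the PSO only if it is missing, so the script can be re-run safely.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 8 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true `
        -PassThru
}

# Step 2: PSOs attach to users and global security groups, never to OUs or computers.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if (-not ($subjects | Where-Object { $_.Name -eq $group })) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Show what was stored and which principals it now applies to.
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo
```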
All replies
-
Hi,
Can you check if the policy is replicated to all the DCs in the domain? Also pull out the GPresult report on the PC to see if the correct password policy is applied.
Worth a test to expire a test user's password and try changing it to see if the policy is working correctly.
Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer
-
Hi Jimmy, yes, I have confirmed the machines have the updated settings (complexity).
I have pressed Ctrl-Alt-Delete to change the password (this should be sufficient to pick up the new policy, right?), but it still does not pick up the complexity setting.
Confused....:-(
M
-
I mean, can you force a user's password to expire or require a password change at next logon? Can you provide info on your environment: is the setup Win2008R2/Win2003 or all 2012?
Regards, Jim MSCS - MCP
-
-
Hi mate, can you check that you don't have any conflicting GPOs with password policy enabled?
Regards, Jim MSCS - MCP
-
-
Have you tried blocking inheritance to rule out conflicts? And what is the client OS?
Regards, Jim MSCS - MCP
-
Hi,
If I understand, you have a Default Domain Policy and you are trying to add another one for another OU?
You can't do that...
Only one GPO for passwords is authorized.
If you want another one, on 2008R2 you need another domain. Otherwise, you need to have one DC on 2012 or later and use fine-grained password policy.
-
-
I did rename the Default Domain Policy to something else. Could that be the reason, although the machine picks up the updated settings?
Edit - looks like it can be renamed :-_
https://support.microsoft.com/en-us/kb/556025
- Edited by The Futurist Thursday, July 07, 2016 2:53 PM add
-
- Proposed as answer by Jay GuModerator Friday, July 08, 2016 5:18 AM
-
-
-
Hi,
Thanks for your post.
For domain accounts, there can be only one account policy per domain (except fine-grained password policy). The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.
For more information, you could refer to the article below.
Account Policy Settings
https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx
Best Regards,
Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
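To see the behaviour described in this reply on a live domain, the following added example (not part of the original post) reads the account policy the domain controllers enforce, lists the GPOs linked at the domain root in precedence order, and checks whether a PSO overrides the domain policy for one user. The account name `testuser` is an assumed placeholder.

```powershell
# Added example: run from a machine with the RSAT ActiveDirectory and
# GroupPolicy modules. 'testuser' is an assumed placeholder account.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. The password policy the DCs enforce for domain accounts. A GPO linked
#    only to an OU never changes these values; on member computers in that
#    OU it sets the policy for local accounts only, which is why gpresult on
#    a workstation can show complexity enabled while domain password changes
#    are still validated against the values below.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, MaxPasswordAge

# 2. GPOs linked at the domain root. Account policy is taken from these,
#    with the lowest Order number winning.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced

# 3. Per-user check: a fine-grained policy (PSO), if one applies, overrides
#    the domain policy for that user. No output object means no PSO applies.
$testUser = 'testuser'   # assumed placeholder
$pso = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($pso) {
    $pso | Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled
} else {
    "No PSO applies to $testUser; the domain policy from step 1 is in force."
}
```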
-
Hi all. We have decided to use fine grain password to achieve this, as a separate policy is now required for Domain Admin access.
It still does not make sense how the Domain Computers did not use the complexity password setting although the test machines had picked up the GP settings. I ensured that all the info above was actioned on the DC/GP. Just pulling my hair out as to why this happened.
Thanks for your help with this
-
Hi,
If the replies have resolved your problem, please mark them as answers, as it would be helpful to anyone who encounters a similar issue.
Thank you.
Best Regards,
Jay