none
gpo locked

    Question

  • computer is in a domain and has some setting locked with group policy for editing in gpedit, like "Password must meet complexity requirements". How can a local administrator of a computer unlock this setting ?

    Saturday, October 1, 2016 6:57 AM

Answers

  • Hi,

    Are there any updates?

    For password policy in domain, there is only one password policy(default domain policy) work in domain(Except FGPP).

    Here is an article below about account policy for your reference.

    Account Policies

    https://technet.microsoft.com/en-us/library/dd349793(v=ws.10).aspx

    In addition, if the reply above has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Jay GuModerator Wednesday, October 5, 2016 11:45 PM
    • Proposed as answer by Todd Heron Wednesday, October 12, 2016 11:46 PM
    • Marked as answer by Jay GuModerator Thursday, October 20, 2016 1:48 AM
    Wednesday, October 5, 2016 11:23 PM
    Moderator

All replies

  • When you are logging into an Active Directory domain, it is by default configured with a password policy which is linked at the domain level and therefore flows downwards to all OUs and containers.  A local administrator to a member computer of the domain will not be able to override the policy.

    Best Regards, Todd Heron | Active Directory Consultant

    Saturday, October 1, 2016 11:37 AM
  • So, all or nothing? That sound unpractical! Thank you
    • Proposed as answer by Todd Heron Saturday, October 1, 2016 9:33 PM
    • Unproposed as answer by Todd Heron Saturday, October 1, 2016 9:34 PM
    Saturday, October 1, 2016 4:27 PM
  • You can create a fine-grained Password Policy which only targets specific users and will supersede the domain password policy, in a case such as this one.  AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    I will argue against your assertion that a single AD Password Policy is unpractical.  How would it be practical to have a bunch of different password policies affecting different users?  How do you enforce standards?  Who gets to determine what standards apply to whom?  If you were a government of financial institution, how would you intend to pass a security audit?  Just a little FYI.


    Best Regards, Todd Heron | Active Directory Consultant

    Sunday, October 2, 2016 2:49 PM
  • Hi,

    Are there any updates?

    For password policy in domain, there is only one password policy(default domain policy) work in domain(Except FGPP).

    Here is an article below about account policy for your reference.

    Account Policies

    https://technet.microsoft.com/en-us/library/dd349793(v=ws.10).aspx

    In addition, if the reply above has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Jay GuModerator Wednesday, October 5, 2016 11:45 PM
    • Proposed as answer by Todd Heron Wednesday, October 12, 2016 11:46 PM
    • Marked as answer by Jay GuModerator Thursday, October 20, 2016 1:48 AM
    Wednesday, October 5, 2016 11:23 PM
    Moderator
  • Hi,

    Are there any updates?

    If the reply above has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 13, 2016 12:45 AM
    Moderator