Granular Password setting error

  • General discussion

  • I tried to use Granular Password Settings in Windows Server 2008. I did all the
    necessary configuration in ADSI Edit, but at the end of the Create Object wizard I
    get this error:

    Operation failed. error code: 0x20e7
    The modification was not permitted for security reasons.
    000020E7: SvcErr: DSID-03050681, problem 5003
    (WILL_NOT_PERFORM), data 0

    Friday, April 25, 2008 11:03 AM

All replies

  • Check the formats of your values and that the times don't overlap.

    Powergui has a tool for managing FGPP's too: http://powergui.org/entry.jspa?externalID=882&categoryID=46

    Friday, April 25, 2008 2:37 PM
    Moderator
  • Hello,

    Same problem on my server. The values are correct and the times don't overlap.

    Got any answer?

    Greetings,
    Eric
    Monday, June 16, 2008 10:29 AM
  • Download the FGPP tool from either http://www.specopssoft.com/wiki/index.php/SpecopsPasswordPolicybasic/SpecopsPasswordPolicybasic/ or http://blogs.chrisse.se/blogs/chrisse/pages/fine-grain-password-policy-tool.aspx, which will let you configure an FGPP without having to use ADSI Edit.
    Technet Forums Moderator | Solution Specialist | Ask The Experts IT-forum
    Tuesday, June 17, 2008 3:24 PM
    Moderator
  • The Tool from Specops worked fine for me! Thank you very much.
    Wednesday, June 18, 2008 6:45 AM
  • I came across this problem in a Microsoft e-learning lab. I made sure to use the correct values and the times do not overlap. Of course, it's the first one I've tried to do since I just got the subscription. Unfortunately, in a Microsoft Lab you can't download and install software. They don't even allow you to follow the help links to their own domains... Guess I'll just have to skip that one... :( So far I can see why 2008 is so great!
    Friday, January 9, 2009 3:31 AM
  • Howdie!

    Can you share the exact values you tried to put into the fields? The error above gets thrown either when AD's internal functions can't parse the value into a DS-friendly format or when the times overlap somehow. You may want to share your values so we can validate them.

    cheers,

    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Friday, January 9, 2009 7:18 AM
  • Let me add another great PSO-mgmt tool here, it's PSOMgr from joe:
    http://www.joeware.net - it's command line based and lets you create and edit your PSOs - even shows you the resultant PSO for a user if I remember correctly.

    cheers,

    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Friday, January 9, 2009 7:20 AM
  • Hi all,

    I had the same problem in my lab.
    The fact that I used 0:00:00:00 or 0 (which translates to "None") for the attribute msDS-LockoutDuration caused the same error.
    When I used another value like 1:00:00:00, the PSO was created without the error.
    I cannot change the value to zero after the PSO is created, because then the same error shows.

    no solution there.....

    greets,
    Andre
    Saturday, February 7, 2009 12:55 PM
  • We had the same issue and found that msDS-LockoutObservationWindow could not be longer than msDS-LockoutDuration. Also, msDS-MaximumPasswordAge cannot be set to 00:00:00:00.
    Wednesday, March 18, 2009 11:21 PM
  • I had the same problem. Instead of entering a zero value or 00:00:00:00, use "(never)".
    System Administrator
    Sunday, July 12, 2009 2:13 AM
  • Yeah, creating a PSO with ADSI Edit has a few caveats, as it doesn't come up with good error messages if something goes wrong. I'd suggest you look into joe's PSOMgr command line tool: http://www.joeware.net/freetools/tools/psomgr/index.htm - it is free and should be easier to handle than ADSI Edit.

    Cheers,
    Florian
    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Sunday, July 12, 2009 7:06 PM
  • Hi All,

    I have tried the same and got the same error: Operation failed. error code: 0x20e7

    I have done some research and the solution is: please upgrade your domain functional level, reboot your DC once and try again.

    I hope it will work ....:)

    Vishwa (MCITP)

    Tuesday, June 15, 2010 11:03 AM
  • What version of AD are you using and what is the DFL and FFL?

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009
    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, June 15, 2010 12:31 PM
    Moderator
  • Paul,

    I got the same error as above. Since you asked about the DFL and FFL, this happens on an AD domain that has:

    Domain Functional Level: Windows 2008

    Forest Functional Level: Windows 2008

    Thanks

    Thursday, September 29, 2011 2:33 PM
  • This is not related to security, but to inconsistent values.

    msDS-LockoutDuration must be equal or greater than msDS-ObservationWindow!

    Think logically, you cannot unlock (msDS-LockoutDuration) an account BEFORE the system resets the duration period (msDS-ObservationWindow) of unsuccessful logons.

    -

    Alexey,

    MCITP, MCT

    Thursday, October 13, 2011 9:32 AM
  • Thank you for explaining this! A lot of the previous answers of "go and get another utility" do not actually help people learn why they have the issue in the first place.
    Monday, December 12, 2011 8:50 PM
  • The problem is that you are trying to set an attribute value to 0 (zero) for which that value is not allowed.  For example, msDS-MaximumPasswordAge cannot be set to 0 (zero).  This is what the (WILL_NOT_PERFORM),data 0 part of your error message refers to.  See this link for allowed values - http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx


    Thursday, February 2, 2012 6:56 PM
  • Once I manually set the root domain attribute pwdProperties: with ADSI Edit, on Properties, I changed my dc=domain,dc=com attribute from 0 to 1 (0x1 Complex). I did that because my Default Domain Policy was not working and this was the only way I could figure out without using dcgpofix.

    Another thing. Can you create a PSO with high security, for example:

    minpwdlen:8, minpwd: 1:00:00:00, maxpwd: 42:00:00:00, history:24, complex: true, lockout:5, lockoutdur:0:01:00:00, lockoutcounter:0:01:00:00, reversible:false,.... Try this and tell us. You can also check the root domain properties with Attribute Editor and check whether anything looks wrong.

    I also discovered that you can use "(never)" without quotes on the maximum password duration.

    Gustavo de Freitas Alves

    Hepta Tecnologia e Informática

    Tuesday, June 12, 2012 6:42 PM
  • Thank you :), that was the mistake I did.
    Sunday, November 11, 2012 6:13 AM
  • I had same problem in adsiedit with msDS-MaximumPasswordAge set to 00:00:00:00.

    When I changed that to 42:00:00:00 it worked.

    Wonder why the max pwd cannot be set to none or zero?

    Friday, July 12, 2013 10:25 AM
  • New links are:

    http://jorgequestforknowledge.wordpress.com/2007/08/09/windows-server-2008-fine-grained-password-policies/

    http://jorgequestforknowledge.wordpress.com/2007/09/11/determining-the-effective-pso-for-a-user/


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    Friday, July 12, 2013 4:34 PM
    Moderator
  • msDS-MaximumPasswordAge should be set to (never) or a duration (for example 0:00:30:00).

    msDS-MinimumPasswordAge should be set to (none) or a duration (for example 0:00:30:00).

    If you set the maximum to (none), the wizard will accept it but then give you an error. The same happens if you set the minimum to (never).

    Wednesday, October 30, 2013 5:34 PM
  • See the values below as an example (ldp output of a working PSO).

    Expanding base 'CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com'...
    Getting 1 entries:
    Dn: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com
    cn: biztest;
    distinguishedName: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com;
    dSCorePropagationData: 0x0 = (  );
    instanceType: 0x4 = ( WRITE );
    msDS-LockoutDuration: 0:00:30:00;
    msDS-LockoutObservationWindow: 0:00:30:00;
    msDS-LockoutThreshold: 10;
    msDS-MaximumPasswordAge: 14:00:00:00;
    msDS-MinimumPasswordAge: 1:00:00:00;
    msDS-MinimumPasswordLength: 12;
    msDS-PasswordComplexityEnabled: TRUE;
    msDS-PasswordHistoryLength: 14;
    msDS-PasswordReversibleEncryptionEnabled: FALSE;
    msDS-PasswordSettingsPrecedence: 1;
    msDS-PSOAppliesTo: CN=nor,CN=Users,DC=gs,DC=com;
    name: biztest;
    objectCategory: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=gs,DC=com;
    objectClass (2): top; msDS-PasswordSettings;
    objectGUID: a542fe42-f9d8-44a2-9f2b-905a3dc83f48;
    uSNChanged: 32931;
    uSNCreated: 32927;
    whenChanged: 12/7/2012 6:35:56 PM India Standard Time;
    whenCreated: 12/7/2012 6:30:30 PM India Standard Time;

    http://social.technet.microsoft.com/wiki/contents/articles/4627.ad-ds-fine-grained-password-policies.aspx

    -Biswajit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Thursday, October 31, 2013 4:00 AM
  • Can anyone change the thread type?

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Thursday, October 31, 2013 4:17 AM
  • To set the msDS-MaximumPasswordAge value to an effective value of zero, use the value -9223372036854775808 (not 0).

    Per TechNet (Creating a PSO --> Creating a PSO using ADSI Edit --> Step 11), look for the table, as it lists the syntax and values for all of the needed fields:

    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    This solved it for me.

    I'm guessing this information was not here a few years ago.

    Tuesday, June 16, 2015 6:58 PM
  • If you do not configure the Lockout Duration to be greater than or equal to the Observation Window, you will receive an error on completion: "Operation failed. Error code: 0x20e7. The modification was not permitted for security reasons. 000020E7: SvcErr: DSID-030506C3, problem 5003 (WILL_NOT_PERFORM), data 0". This can be resolved by backing up through the wizard and modifying the Lockout Duration time to be greater than or equal to the Observation Window.

    http://serverville.blogspot.com/2011/12/implementing-fine-grainied-password.html


    Regards, Md Ehteshamuddin Khan All the opinions expressed here is mine. This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Wednesday, October 7, 2015 9:34 AM
  • When using the PowerShell command New-ADFineGrainedPasswordPolicy it can be confusing if you want to have either a PSO that does not lock out accounts or one that permanently locks out an account until an admin unlocks it. In these two scenarios you are setting the LockoutDuration value and the LockoutObservationWindow value. In the case of making a PSO that does not lock out accounts, these two parameters would look like this:

    -LockoutDuration "00:00:00"  -LockoutObservationWindow "00:00:00"

    In this case the LockoutDuration and LockoutObservationWindow are both actually set to (None) if you look at their values in ADSI Edit. Note that you should also set LockoutThreshold to zero by adding the parameter like this:

    -LockoutThreshold 0

    For the scenario where you want an account to stay locked out until an admin unlocks it, you would need to set the LockoutDuration like this:

    -LockoutDuration (-9223372036854775808)

    This sets the actual value to (never) if you look at it in ADSI Edit, basically "never" unlock the account.

    As Alexey says, in all cases the LockoutDuration must be equal to or greater than the LockoutObservationWindow.

    Strangely enough, if you use the Get-ADFineGrainedPasswordPolicy cmdlet to see the settings for a given PSO, the LockoutDuration value will show as 00:00:00 for both (none) and (never) as seen in ADSI Edit. This is not good, since they are distinctly different values. FYI, my testing was done with PowerShell version 2 on Windows 2008 R2. Maybe Microsoft has fixed the implementation of the PowerShell fine-grained password policy commands in later versions? One can hope...

    Garrett

    Wednesday, June 22, 2016 6:18 PM
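  • Pulling together the rules reported across this thread (Alexey's point that the lockout duration must be greater than or equal to the observation window, dbowers's note that a zero msDS-MaximumPasswordAge is refused, the -9223372036854775808 "(never)" value, and Garrett's observation that Get-ADFineGrainedPasswordPolicy renders both (none) and (never) as 00:00:00), here is an added PowerShell example. It is not code from any post in this thread and not a Microsoft tool. It encodes the intervals the way ADSI Edit stores them (Int64, negative 100-nanosecond ticks; 0 is (none), Int64.MinValue is (never)), checks the constraints before the directory refuses them with 0x20e7, creates the PSO through New-ADObject with raw attributes (the same route ADSI Edit takes), and reads the stored integers back so (none) and (never) can be told apart. It assumes the RSAT ActiveDirectory module, rights to create objects under the Password Settings Container, and a PSO name of PSO-Admins; the function names and that PSO name are made up for the example.

```powershell
# Added example, not from this thread. Assumes the RSAT ActiveDirectory module and
# rights to create objects in CN=Password Settings Container. Names are made up.
Import-Module ActiveDirectory

# AD stores PSO intervals as Int64 "large integers": negative 100-nanosecond ticks.
# 0 is shown as (none) in ADSI Edit, Int64.MinValue (-9223372036854775808) as (never).
function ConvertTo-PsoInterval {
    param([Parameter(Mandatory)] $Value)   # [timespan], a parsable string, 'none' or 'never'
    if ($Value -is [string]) {
        switch ($Value.ToLower()) {
            'never' { return [int64]::MinValue }
            'none'  { return [int64]0 }
        }
        $Value = [timespan]$Value          # .NET form 'd.hh:mm:ss'; ADSI Edit displays d:hh:mm:ss
    }
    return [int64](-1 * ([timespan]$Value).Ticks)
}

function ConvertFrom-PsoInterval {
    param([Parameter(Mandatory)][int64] $Raw)
    switch ($Raw) {
        ([int64]::MinValue) { return '(never)' }
        0                   { return '(none)' }
        default             { return [timespan]::FromTicks(-1 * $Raw).ToString() }
    }
}

# Returns a list of problems; an empty list means the values are consistent. The first two
# checks are the 0x20e7 / WILL_NOT_PERFORM triggers reported in this thread.
function Test-PsoSettings {
    param([Parameter(Mandatory)][hashtable] $Attributes)
    $a = $Attributes
    $problems = @()
    if ($a['msDS-MaximumPasswordAge'] -eq 0) {
        $problems += 'msDS-MaximumPasswordAge cannot be 0; use (never) = [int64]::MinValue or a real interval'
    }
    # Ticks are negative, so a longer interval is a smaller number. (never) is the smallest
    # possible value and always satisfies "duration >= window"; 0 (none) for the duration
    # with a non-zero window is the combination that fails.
    if ($a['msDS-LockoutDuration'] -gt $a['msDS-LockoutObservationWindow']) {
        $problems += 'msDS-LockoutDuration must be greater than or equal to msDS-LockoutObservationWindow'
    }
    # Sanity check added here, not one of the triggers the thread reports: keep the minimum
    # age at or below the maximum age unless the maximum is (never).
    if ($a['msDS-MaximumPasswordAge'] -ne [int64]::MinValue -and
        $a['msDS-MinimumPasswordAge'] -lt $a['msDS-MaximumPasswordAge']) {
        $problems += 'msDS-MinimumPasswordAge must not exceed msDS-MaximumPasswordAge'
    }
    return ,$problems
}

$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=Password Settings Container,CN=System,$domainDN"

$pso = @{
    'msDS-PasswordSettingsPrecedence'          = 10
    'msDS-PasswordReversibleEncryptionEnabled' = $false
    'msDS-PasswordHistoryLength'               = 24
    'msDS-PasswordComplexityEnabled'           = $true
    'msDS-MinimumPasswordLength'               = 14
    'msDS-MinimumPasswordAge'                  = ConvertTo-PsoInterval '1.00:00:00'
    'msDS-MaximumPasswordAge'                  = ConvertTo-PsoInterval '42.00:00:00'
    'msDS-LockoutThreshold'                    = 5
    'msDS-LockoutObservationWindow'            = ConvertTo-PsoInterval '00:30:00'
    'msDS-LockoutDuration'                     = ConvertTo-PsoInterval 'never'   # locked until an admin unlocks
}

$errors = Test-PsoSettings $pso
if ($errors) { $errors | ForEach-Object { Write-Error $_ }; return }

New-ADObject -Name 'PSO-Admins' -Type 'msDS-PasswordSettings' -Path $container -OtherAttributes $pso

# Read the raw integers back. This is the check Get-ADFineGrainedPasswordPolicy does not give
# you, because it renders both (none) and (never) as 00:00:00.
Get-ADObject -LDAPFilter '(objectClass=msDS-PasswordSettings)' -SearchBase $container `
    -Properties 'msDS-LockoutDuration','msDS-LockoutObservationWindow','msDS-MaximumPasswordAge' |
  ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        Duration = ConvertFrom-PsoInterval $_.'msDS-LockoutDuration'
        Window   = ConvertFrom-PsoInterval $_.'msDS-LockoutObservationWindow'
        MaxAge   = ConvertFrom-PsoInterval $_.'msDS-MaximumPasswordAge'
    }
  }
```

    Run Test-PsoSettings against the hashtable before New-ADObject: swapping 'never' for 'none' in msDS-LockoutDuration while the window stays at 30 minutes reproduces Andre's failing case and is caught locally, and setting msDS-MaximumPasswordAge to (ConvertTo-PsoInterval 'none') reproduces the zero-maximum-age refusal. The link to a user or group is a separate write to msDS-PSOAppliesTo (or Add-ADFineGrainedPasswordPolicySubject) and is left out here.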