Complex Password policy not defined

MattS

Here's a really dumb question:

AD requires complex passwords for all new passwords.
When I look at GPOs I cannot find this setting at all.
The default domain GPO has this policy set at "Not
Defined." At first I thought this had the same effect as
Disabled. However, I noticed in a lot of documentation
that this option out of the box is "disabled."

Is "Not Defined" the same as disabled for complex
passwords? Or does it simply mean that the policy is
enabled, and using "default options: i.e., password length
and characters"? Thanks.
 
Buz [MSFT]

Hello Matt,

You are correct: "Not Defined" can be described as "This is not currently
being defined via group policy, so whatever is set locally is being used."
Disabled would mean "This policy is being defined as disabled." Also,
password policies are only applied at the domain level.

More info:

Passwords must meet complexity requirements of the installed password filter (GPO):
- Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Description: Determines whether passwords must meet complexity requirements.
By default, this setting is disabled in the Default Domain Group Policy object
(GPO) and in the local security policy of workstations and servers. If this
policy is enabled, then passwords must meet the minimum requirements described
in the Notes section.

Notes:
The default password filter (passfilt.dll) included with Windows 2000 requires
that a password:
- Does not contain all or part of the user's account name
- Is at least six characters in length
- Contains characters from three of the following four categories:
  - English upper case characters (A..Z)
  - English lower case characters (a..z)
  - Base 10 digits (0..9)
  - Non-alphanumeric (For example, !,$#,%)

Complexity requirements are enforced upon password change or creation.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Gary Mudgett [MSFT]

To address this a little more.

You do not want to have any Password policies "not defined" in the Default
Domain Policy. They need to be defined or disabled for them to work correctly.
With those set to Not Defined, the domain controllers will use the last
defined setting. In your case the Require Password Complexity was defined
at some point and then set to Not Defined so the domain controllers have
kept the password complexity requirement.

--
Gary Mudgett, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
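
Added example, not part of the original posts: in a GPO's security template (GptTmpl.inf), "Not Defined" is the absence of the `PasswordComplexity` line under `[System Access]`, while Disabled is `PasswordComplexity = 0`. The Python below reports that state and compares it with the complexity bit of the domain object's `pwdProperties` attribute; the sample templates and function names are constructed for illustration, and reading the real file and attribute is assumed to happen elsewhere.

```python
DOMAIN_PASSWORD_COMPLEX = 0x1  # complexity bit in the domain object's pwdProperties
# Constructed sample templates (not taken from the thread).
SAMPLE_NOT_DEFINED = """\
[System Access]
MinimumPasswordLength = 7
[Version]
signature="$CHICAGO$"
"""
SAMPLE_DISABLED = SAMPLE_NOT_DEFINED.replace(
    "[Version]", "PasswordComplexity = 0\n[Version]")


def parse_system_access(inf_text):
    """Return the key/value pairs of the [System Access] section, keys lowercased."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def complexity_state(inf_text):
    """'Not Defined' when the key is absent; otherwise 'Enabled' (1) or 'Disabled'."""
    value = parse_system_access(inf_text).get("passwordcomplexity")
    if value is None:
        return "Not Defined"
    return "Enabled" if value == "1" else "Disabled"


def audit_complexity(inf_text, pwd_properties):
    """Compare what the GPO states with what the domain currently enforces."""
    state = complexity_state(inf_text)
    enforced = bool(pwd_properties & DOMAIN_PASSWORD_COMPLEX)
    if state == "Not Defined":
        verdict = "undefined"  # GPO is silent; the retained domain value applies
    else:
        verdict = "consistent" if (state == "Enabled") == enforced else "mismatch"
    return state, enforced, verdict


if __name__ == "__main__":
    print(audit_complexity(SAMPLE_NOT_DEFINED, pwd_properties=1))
    print(audit_complexity(SAMPLE_DISABLED, pwd_properties=1))
```

An "undefined" verdict with `enforced` true is the situation described in the thread: the policy shows Not Defined, yet the domain still requires complex passwords.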
 
