Password complexity policy not being enforced

Hank Arnold

I have a W2K AD setup with two DCs. I've set up the password policy (under
Computer Configuration\Windows Settings\Security Settings\Account Policies).
I've set the following:

minimum of 8 characters
Expires after 60 days
Minimum password age is 2 days
6 passwords are remembered
Complexity Requirements are enforced
Account is locked after 6 attempts
Account is locked for 120 minutes
Account lockout counter is reset after 120 minutes

My problem is that the complexity setting is not being enforced. Nor is the
length of the password. It will not allow reusing a password immediately
after being set. Any ideas on what I'm doing wrong?
 
Hank Arnold

I also found that the account lockout feature isn't being enforced, either.
After 6 attempts, the logon screen disappears and the user is able to try 6
more times.

BTW, the logons are onto a Citrix client (using TS).....
 
Clayton Baker

Hank
Are you applying this at the root of your Domain in the
Default Domain Policy?
If not...it will not work!
The password policy needs to be applied in the Default
Domain Policy, and will not work anywhere else.
I have had to do this just the other day due to Sarbanes-
Oxley....and the users are still calling for help...lol
 
Cary Shultz [A.D. MVP]

Clayton,

While that is correct I find that applying this in the Default Security
Policy is the best place!

And, to go down a very worn path that typically causes more confusion than
brings clarity - I have to say that you can gladly link a password policy to
OUs. However, and this is the big difference, this password policy would
have no effect whatsoever on the domain user account objects. It would,
though, affect any local user account that is logging onto a computer
account object that is directly located in the OU to which the password
policy is linked...

Cary
 
Hank Arnold

I believe so.... I did the following:

- Open AD Users and Computers
- Right click on the domain name (HOSPICE.LOCAL)
- Open properties
- Click on the Group Policy tab
- Highlight the "Default Domain Policy" (only one)
- Click on Edit
- Open
Computer Configuration
Windows Settings
Security Settings
Account Policies

I made all the changes there..... Any ideas?

TIA,
Hank
 
Guest

Another thing you might want to look at is in the user's AD
account properties under the Account tab, make sure that
the check box that says "Password never Expires" is not
selected.
We used this option to keep us from having to change our
system account passwords like Domain Admins and such...
in your case if it is selected the policy will seem as if
it is not applying.
 
Guest

Cary
You are referring to the Security settings under the
Default Domain Policy?
If so that is also my reference...
As for linking GPs, do you know of reference material on
doing so?
 
Cary Shultz [A.D. MVP]

Well, I am actually referring to the Domain Security Policy. If you go to
Start | Programs | Administrative Tools you will see that there are many
things. One of which is the Domain Security Policy. I like to use that
one. You are correct, though, in that it is effectively the Security
settings...

Cary
 
Cary Shultz [A.D. MVP]

And while this is possible ( and done in all the environments where I help
out - not my decision though ) this completely defeats the purpose of
having a password policy. If the 'important' administrative accounts do not
have to ever change then you have effectively created a very weak link in
your defense....

Cary
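The two posts above (the "Password never expires" checkbox hiding the policy, and the risk of leaving it set on administrative accounts) suggest a quick audit. The following is an added example, not something posted in the thread; it assumes a domain controller with the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so not the Windows 2000 environment the thread describes), and the list of privileged groups is an assumption you would adjust for your own domain.

```powershell
# Added example (not from the thread): list enabled accounts that the domain
# password policy will never expire, and flag the ones in privileged groups.
# Assumes RSAT ActiveDirectory module; privileged group names are an assumption.
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Resolve privileged membership recursively so nested groups are covered.
# Groups containing foreign security principals can make the cmdlet throw, so
# errors are suppressed per group rather than aborting the whole audit.
$privDns = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}

# PasswordNeverExpires is the UF_DONT_EXPIRE_PASSWD bit on userAccountControl;
# maximum password age from the domain policy is simply ignored for these accounts.
$neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
                           -Properties PasswordLastSet, PasswordNeverExpires

$neverExpires |
    Select-Object SamAccountName,
                  PasswordLastSet,
                  @{ n = 'Privileged'; e = { $privDns -contains $_.DistinguishedName } } |
    Sort-Object Privileged, PasswordLastSet -Descending |
    Format-Table -AutoSize

# Service accounts (Clayton's case) stay on the list; the decision to exempt them
# is deliberate, but anything marked Privileged deserves a second look.
```

Run it as a domain user with read access to the directory. A long-dead PasswordLastSet on a row marked Privileged is exactly the weak link Cary describes; the output also shows service accounts that were exempted on purpose, so the result is a list to review rather than a list to fix blindly.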
 
Clayton

Cary
We use several accounts (user accounts) that run services
within our system like our ERP system through the use of
Terminal Services, as well as other DCOM authentication;
changing those would have inadvertently shut us down. But
yes, I do agree with you on the Administrative accounts,
which at this time only 2 people know those passwords (me
and my boss), which (unfortunately for me) are 10
characters in length utilizing all four of the criteria:
upper and lower case, numbers and symbols...I am not
saying that no one can crack it, but if they do, then they
have far too much time on their hands...also, on a
regular basis we change this one once a month, which exceeds the
password policy I have put into place here, which is at 120
days...
But your concern is noted, and as most of us (IT people)
know our jobs are a constant 24/7, so I try to be on top
as much as I can....but have lots more to learn...
 
Hank Arnold

This is just too weird!!

I got there using your method (Start | Programs | Administrative Tools). I
get the expected items, but they are "undefined". If I go there using the
method I used before (from the AD Users and Computers console), I see the
settings I changed them to!! Why am I seeing different Security Settings??

To make things worse, if I go to my second DC using the Domain Security
Policy, I get the settings I see when I go through the AD Users and
Computers console!!

User can still specify "un-complex" passwords and account is not locked out.

Help! What is going on???

Hank
 
Cary Shultz [A.D. MVP]

Mssr. Hank,

Is there any problem with Active Directory Replication? If you create a
test user account object on one DC ( do not mail-enable it ) do you see that
user on the second DC ( after the appropriate amount of time has passed for
AD Replication )? This would give you a good indication of AD Replication
problems. If you do not see the test user account object on the second DC
after enough time has passed then please take a look at the following MSKB
article:

http://support.microsoft.com/?id=249256

And, 'undefined' does not mean the same thing as 'disabled' ( or 'enabled'
for that matter ). What happens if you open up a command prompt and enter
net accounts? Do you get the same information on DC01 as on DC02? And what
information is it? The one from the Domain Security Policy?

C'mon, Hank! Let's fix this. I am tired of password policy problems ;-)

Cary
 
Hank Arnold

Nothing I can see.... The only problem I see is occasionally I would create
an AD account on DC1 and if I tried to log on right away, I would sometimes
get an "account is disabled" message. Checking on DC2, it would show as
"disabled". If I waited long enough (5 minutes +), it would always log on. I
haven't seen any problems with users or computers replicating in a
reasonable amount of time. No one is having logon problems that I'm aware
of.

Here is the output from each DC. It doesn't match either one..... the
Domain Security Policy or the AD drill-down!!! Minimum password age (in both) is 7
days. Lockout threshold is 5 attempts......

I'll post more when I get to work...

DC2
===
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: 1
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: BACKUP

DC1:
====
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: 1
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.


I'll try what you suggested as soon as I get to work and we'll go from
there..... Thanks...............
 
Hank Arnold

Any more ideas?? I'm stuck here and we are on the hook to enable expired
passwords by the end of next month.
 
Cary Shultz [A.D. MVP]

I would suggest that on the DC that shows you 'undefined' that you change it
to enabled. Then see what the settings are. You have to understand that
setting things to 'undefined' does not wipe everything away. Whatever
settings were there will remain there. Setting it to 'disabled' would have
that effect! So, what do I mean? If you had a setting in a policy and you
did not want that setting anymore and you set that particular setting to
'undefined' it is still going to be in place! However, if you set it to
'disabled' then it will no longer be in place. This is what a lot of people
do not understand ( I know that I had a problem with this in the very
beginning! - and had to learn the hard way!!!! ).

It does indeed appear that both of the DCs have the same security settings.
That is a good thing. However, it is not what you are setting so there is a
problem ( and I went to College for four years to be able to come up with
that! ).

Are you setting this in the Domain Security Policy?

HTH,

Cary
 
Cary Shultz [A.D. MVP]

Clayton,

Unfortunately there are not enough hours in a day or days in a week to stay
on top of all of this! There is just so much to this job!

But, we all manage somehow, don't we?

Cary
 
Cary Shultz [A.D. MVP]

Sorry, should have included that the settings that you are seeing ( from DC2
and DC1 ) are the default. This indicates that whatever you are setting is
not sticking. Again, ain't I a rocket scientist?

Cary
 
Steven L Umbach

Just to add to Cary's fine advice, make sure that block inheritance is not
enabled on the domain controller container. Additionally use the support
tool gpotool to see if Group Policy is being replicated and run dcdiag on
each domain controller to see if it reports a clean bill of health for each
DC. Dcdiag runs a number of tests that test such things as DNS and
replication. Support tools are on the install CD-ROM in the support\tools
folder, where you need to run setup there to install the set. --- Steve
 
Hank Arnold

Cary,

It gets more interesting.... I set all the different Security Settings
(AD and Admin) to exactly the same settings for PW, Lockout and Kerberos.
All are either defined or disabled. Still no change in NET ACCOUNTS. I then
looked at the NET ACCOUNTS command and saw the ability to set the password
parameters. I set them all to what I wanted and, lo and behold, everyone is
the same!!! If I change one place, it shows up everywhere!!

Now, the only problem is that I don't have a lockout policy in force. The
security settings all say to lock out at 5 attempts for 30 minutes and reset
the counter after 30 minutes. However NET ACCOUNTS says that it is NEVER. Is
there a command prompt method to set it??

Here's the security settings and the NET ACCOUNTS settings (still the same
on both DCs)....

NET ACCOUNTS
Force user logoff how long after time expires?: Never
Minimum password age (days): 7
Maximum password age (days): 60
Minimum password length: 8
Length of password history maintained: 12
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30

SECURITY SETTINGS
=================
Account Lockout Duration: 30 minutes
Account Lockout threshold: 5 invalid attempts
Reset Account Lockout counter: 30 minutes

TIA,
Hank Arnold

 
Cary Shultz [A.D. MVP]

Hank,

Good that Steve chimed in. I think that I overlooked this. dcdiag /c /v
would be a good thing to run. You might want to redirect that to a .txt
file so that you can search for errors. So, enter dcdiag /c /v >dcdiag.txt
at the command prompt. GPOTOOL and GPRESULT would also be good things to
check.

Cary
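Cary's "run net accounts on both DCs", Steve's block-inheritance and gpotool checks, and the dcdiag/gpresult follow-up all amount to one diagnosis: is the account policy that is actually in force the one written into the GPO, and is that GPO consistent across DCs? The block below is an added example, not from the thread, that does the same checks with the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later; on Windows 2000 the equivalents are net accounts, gpotool and dcdiag as the posts say). The "intended" values are Hank's settings from the first post; the GPO name and Domain Controllers OU path are the defaults and are assumptions about the target domain.

```powershell
# Added example (not from the thread): compare the effective domain account policy,
# as each DC reports it, against what the administrator intended, then check the
# GPO plumbing that decides whether the Default Domain Policy reaches the DCs.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Intended values taken from the first post in the thread (assumption: still the goal).
$intended = @{
    MinPasswordLength        = 8
    MaxPasswordAge           = New-TimeSpan -Days 60
    MinPasswordAge           = New-TimeSpan -Days 2
    PasswordHistoryCount     = 6
    ComplexityEnabled        = $true
    LockoutThreshold         = 6
    LockoutDuration          = New-TimeSpan -Minutes 120
    LockoutObservationWindow = New-TimeSpan -Minutes 120
}

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Effective policy per DC (the modern equivalent of "net accounts" on each box).
#    This reads what the domain head object actually holds, not what a GPO says.
foreach ($dc in $dcs) {
    $eff = Get-ADDefaultDomainPasswordPolicy -Server $dc
    foreach ($k in $intended.Keys) {
        if ($eff.$k -ne $intended[$k]) {
            Write-Warning ("{0}: {1} is '{2}', intended '{3}'" -f $dc, $k, $eff.$k, $intended[$k])
        }
    }
}

# 2. Account policy is only applied from GPOs linked at the domain root and processed
#    by the DCs. Blocked inheritance on the Domain Controllers OU, or a disabled link,
#    leaves the defaults (42 days, length 0, lockout Never) exactly as seen in the thread.
$dcOu = "OU=Domain Controllers," + $domain.DistinguishedName      # default OU; assumption
$inh  = Get-GPInheritance -Target $dcOu
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Block inheritance is set on $dcOu; domain-linked policy will not apply to DCs"
}
$inh.InheritedGpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# 3. gpotool equivalent: the GPO's AD half and SYSVOL half must carry the same version
#    on every DC, otherwise an edit made on one DC never becomes the policy on another.
$gpoName = 'Default Domain Policy'                                # default name; assumption
foreach ($dc in $dcs) {
    $gpo = Get-GPO -Name $gpoName -Server $dc
    $ok  = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
    "{0}: {1} AD ver {2}, SYSVOL ver {3} {4}" -f $dc, $gpoName,
        $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```

Read the three sections in order. Warnings from section 1 with identical values on every DC are the pattern Hank saw: replication is fine, the policy is just not the one being edited. Section 2 catches the case Steve raises (inheritance blocked or the link disabled on the Domain Controllers OU). A version mismatch in section 3 means the GPO's directory part and its SYSVOL part have drifted, which is what gpotool reported in the Windows 2000 support tools and is still worth a look before blaming the policy editor.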
 