Password Policy

[Guest]

I have been trying to set up the Password Policy for a few days now, but I
just can’t get it to work. I’ll just explain what I’m doing and maybe someone
can give me some pointers.

When I right click on our Domain in AD Users and Computers, Click Properties
and then select the Group Policy tab, I only have Default Domain Policy.

First of all, should I be able to change settings in this Policy, like when
I edit it, go into Computer Configuration, Windows Setting, Security
Settings. Should I find the Account Policies – Password Policy in there or is
the Default Domain Policy not for these types of things. I can also not
expand the Administrative Templates. I am thinking that b/c this is a Default
Policy, I am not able to change it. Or could it be that I do not have the
permissions to change it.

Secondly, in the Group Policy tab, I click New and create a new Policy
called Password Policy. I edit it and go to Computer Configuration, Windows
Settings, Security Settings, Account Policies and in Password Policy I change
all the Setting to what I want. When I go to a test user created in the Users
OU, I set the Account to change Password at next logon. However, when I log
in as this User, I can change the Password to 123 or anything else. I also
try and change the Password for a user I created in a OU I created manually
but still no Policy enforcement.

This whole thing is driving me crazy. If anyone could just help me and tell
me where to set this Password Policy, and in what way.

Any help would be much Appreciated.

Thanks

 

[Steven L Umbach]

The Domain Security Policy is part of the default domain Group Policy. The
Domain Security Policy is a subset of computer configuration in the default
domain GPO. Can you open Domain Security Policy. If you can make your
changes to password/account policy there. You said that you created a new
GPO for the domain container. If that is the case, the GPO at the top of the
list is the GPO that has highest priority and if you set password/account
policy in that GPO it will override defined settings for the default GPO.

Common problems for not being able to configure Group Policy include
incorrect dns configuration in the domain and for password/account policy in
particular, "block inheritance" must not be enabled on the domain controller
container. Also verify that the default domain GPO is linked to the domain
container, and that it is enabled for at least computer configuration. Check
Event Viewer for any pertinent error messages and run the support tools
netdiag and dcdiag on the domain controllers to see if they report any
networking or configuration problems. Keep in mind that changes to domain
policy do not propagate immediately and running [ secedit /refreshpolicy
machine_policy /enforce ] will speed it up. The command [ net accounts ] on
the domain controller is a quick way to see how the password policy for the
domain is configured. The link below on Active Directory dns FAQ should be
reviewed to make sure your dns is configured correctly for your domain. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -- AD
dns FAQ.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag
and how to install support tools.