Windows 2003 Password Policy Has a Mind of its Own.

Kevin M. Saucier

Hello,

I am having similar problems on both my production AD Domain and my
Lab setup.

Production Domain:
We migrated out of a subdomain in one forest into our own new domain
in a new forest. I used the Group Policy Management Console (GPMC) to
migrate the existing group policies. The domain and forest are both
in Windows 2003 Native mode. Everything works fine, except for the
password policy. I have the policy set (on the Default Domain Policy)
for a 90 day expiration date with no complexity and 1 password
remembered. But, my users' passwords are expiring after 42 days. I
tested by creating a new AD user while connected to the PDC, RDC,
and IM (same machine) and it didn't make any difference, so I don't
see a propagation problem. This has been going on for months.

Lab Domain:
I just built a new 2003 domain and promoted the server. Again, the
domain and forest are both in Windows 2003 Native mode. When I tried
to immediately create a new user account, it would not let me set the
user's password unless I used a complex password. I turned this all
off in the usual place on the Default Domain Policy and gave it a day
to make sure everything had taken. I then created the user again with
the same problem. After creating the user, I tried to set the
password to a basic password and it won't accept it.

I'm at a loss. Any ideas?

Thanks in advance,

Kevin M. Saucier
 
Buz [MSFT]

Hello Kevin,

Here is some great information in regards to a possible cause for this
issue:

Block Policy Inheritance was checked on the Domain Controllers OU. When
changes to a domain account password are made they are made on a Domain
Controller. Since Password settings must be consistent Domain wide these
settings must be configured at the domain. In order for these domain
settings to be effective they must also be applied to the Domain
controllers. When a Domain password is changed the DC will adhere to the
last applied domain policy and any password settings therein. If Block
Policy is checked on the Domain Controllers OU and No Override is not set on
the Domain Policy with the desired password settings the DC's will not
receive the password settings from the domain and the desired settings will
not be effective on Domain accounts.

For password settings that are configured in the domain to apply:

1.) Uncheck Block Policy Inheritance and let domain policy apply to domain
controllers
2.) Enable No Override on the domain Policy so that it will apply to the DC's
even though Block is checked.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
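
A check for the condition described above, as an added example that is not part of the original posts: it reports which domain-linked GPOs are stopped at the Domain Controllers OU by Block Policy Inheritance and which still arrive because they are enforced (No Override). It assumes the `GroupPolicy` and `ActiveDirectory` PowerShell modules from later RSAT releases, which did not ship with Windows 2003; the function name `Test-DcPasswordPolicyDelivery` and the sample objects are constructed.

```powershell
# Added example, not from the thread. Inputs have the shape returned by
# Get-GPInheritance (GroupPolicy module): GpoInheritanceBlocked and GpoLinks.
function Test-DcPasswordPolicyDelivery {
    param(
        [Parameter(Mandatory)] $DomainInheritance,  # Get-GPInheritance on the domain root
        [Parameter(Mandatory)] $DcOuInheritance     # Get-GPInheritance on the Domain Controllers OU
    )
    # Only enabled links at the domain root are candidates at all.
    $domainLinks = @($DomainInheritance.GpoLinks | Where-Object { $_.Enabled })
    $blocked     = [bool]$DcOuInheritance.GpoInheritanceBlocked

    # Block Inheritance stops every non-enforced link from above the OU;
    # enforced ("No Override") links still apply to the DCs.
    $reaching = @(if ($blocked) { $domainLinks | Where-Object { $_.Enforced } }
                  else          { $domainLinks })
    $stopped  = @($domainLinks | Where-Object { $reaching -notcontains $_ })

    [pscustomobject]@{
        BlockInheritanceOnDcOu   = $blocked
        ReachesDomainControllers = @($reaching | ForEach-Object { $_.DisplayName })
        StoppedAtDcOu            = @($stopped  | ForEach-Object { $_.DisplayName })
        # This check cannot see which GPO holds the password settings, so any
        # stopped domain-level GPO is flagged for review.
        PasswordPolicyAtRisk     = ($stopped.Count -gt 0)
    }
}

# Constructed sample mirroring the thread: the DC OU blocks inheritance and the
# Default Domain Policy is linked at the domain root but not enforced.
$domain = [pscustomobject]@{ GpoLinks = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Policy'; Enabled = $true; Enforced = $false }
) }
$dcOu = [pscustomobject]@{ GpoInheritanceBlocked = $true }
Test-DcPasswordPolicyDelivery -DomainInheritance $domain -DcOuInheritance $dcOu

# Against a live domain (requires the GroupPolicy and ActiveDirectory modules):
# $d = Get-ADDomain
# Test-DcPasswordPolicyDelivery `
#   -DomainInheritance (Get-GPInheritance -Target $d.DistinguishedName) `
#   -DcOuInheritance   (Get-GPInheritance -Target $d.DomainControllersContainer)
```

If `PasswordPolicyAtRisk` is true and the GPO carrying the password settings appears under `StoppedAtDcOu`, the two remedies listed in the post above apply.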
 
Kevin M. Saucier

Buz,

Just wanted to say thank you. That was exactly the problem. We have
Domain Controllers being blocked from regular GP's. I created a new
GP and set just the Password and Account Lockout settings and enforced
it.

That was driving me nuts.

Thanks again,

Kevin M. Saucier
 
Buz [MSFT]

Thanks for the update Kevin. I saw your post at some point and happened to
come across that info while looking for something completely different. I
had no idea it worked that way and I'll bet it is a somewhat common
occurrence.


Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support
 
Kevin P. Fleming

Buz said:
Thanks for the update Kevin. I saw your post at some point and happened to
come across that info while looking for something completely different. I
had no idea it worked that way and I'll bet it is a somewhat common
occurrence.

(Replying to an old thread)

Yes, it must be, it happened to me too :) This solution (create a new
GPO and enforce it on the DC as well) will work just fine.
 