AD Replication problems

Mitchell Ginsberg

I am a network admin for a medium-sized Active Directory
environment with approximately 70 DCs. Active Directory
is running in mixed mode supporting 12 NT servers acting
as BDCs. I connect to the server with the PDC emulator
role and enable a group policy for passwords as follows:
Password History - Remember 8 passwords
Password Length - 5 Characters
Minimum Password Age - 1 Day
Maximum Password Age - 90 days

Using GPResult and ADUC, I am able to verify these policy
settings are in place for 15 minutes. However, as soon as
AD replication takes place, the settings revert back to a
previous password policy setting of:
Password History - Remember 0 passwords
Password Length - 5 Characters
Minimum Password Age - 0 Day
Maximum Password Age - 0 days

Interestingly, it appears that when I set the policy to
all items not defined, AD replication will not overwrite
the policy.

Any suggestions or ideas on how to solve this problem will
be greatly appreciated.

Mitchell Ginsberg
 
Cary Shultz [A.D. MVP]

Mitchell,

Where are you setting this policy? It is great that you are doing it on the
DC that holds the role of PDC Emulator, but that should not necessarily
matter too much.

Typically, you would use the Domain Security Policy ( Start | Programs |
Administrative Tools ) or the Default Domain Policy. What happens if you
enter net accounts on that specific DC? On other DCs? On client computers?

Also, I might suggest that you change the Minimum Password Age to seven
days. As I am sure that you know, this simply prevents users from changing
the password the first seven days. This will typically prevent all but the
most ambitious users from changing their password in 'rapid'
succession...

HTH,

Cary
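
One way to act on the suggestion to compare net accounts across DCs, as an added example that is not part of either post: it parses saved net accounts output from each machine and reports which hosts differ from the values Mitchell set. The host names and captured text are constructed, and treating words such as None or Unlimited as 0 is an assumption.

```python
import re

# Values the poster configured, as listed in the thread.
INTENDED = {"min_age": 1, "max_age": 90, "min_length": 5, "history": 8}

# Labels printed by `net accounts`, mapped to short keys.
LABELS = {
    "Minimum password age (days)": "min_age",
    "Maximum password age (days)": "max_age",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
}

def parse_net_accounts(text):
    """Extract the password fields; words such as None/Unlimited count as 0 (assumption)."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s+(\S+)\s*$", line)
        if m and m.group(1).strip() in LABELS:
            value = m.group(2)
            found[LABELS[m.group(1).strip()]] = int(value) if value.isdigit() else 0
    return found

def find_drift(outputs, intended=INTENDED):
    """Return host -> {field: (intended, actual)} for every mismatch."""
    drift = {}
    for host, text in outputs.items():
        actual = parse_net_accounts(text)
        diff = {k: (v, actual.get(k)) for k, v in intended.items() if actual.get(k) != v}
        if diff:
            drift[host] = diff
    return drift

# Constructed captures; host names are hypothetical.
SAMPLE = {
    "DC-PDCE": "Minimum password age (days):            1\n"
               "Maximum password age (days):            90\n"
               "Minimum password length:                5\n"
               "Length of password history maintained:  8\n"
               "The command completed successfully.\n",
    "DC-SITE2": "Minimum password age (days):           0\n"
                "Maximum password age (days):           Unlimited\n"
                "Minimum password length:               5\n"
                "Length of password history maintained: None\n"
                "The command completed successfully.\n",
}

if __name__ == "__main__":
    for host, diff in find_drift(SAMPLE).items():
        print(host, diff)
```

A host that appears in the result is a replica still holding, or reverting to, the old values, which narrows down where the overwrite originates.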
 
