Can't disable password complexity

Guest

I have a slightly quirky problem. I have a pure Windows 2000 Domain with 2
domain controllers running Active Directory. Neither of the servers show any
problems with AD replication, Group policy replication, Browser, DNS,
Netlogon, Sysvol etc etc…. Nothing in any of the event logs apart from the
standard "Ignore this issue it's not a problem" type errors e.g. event 10006
DCOM got error "Class not registered " from the computer XXXX when attempting
to activate the server: {D99E6E73-FC88-11D0-B498-00A0C90312F3} OR event 36871
A fatal error occurred while creating an SSL server credential.

DNS is happy; NTFRS is happy etc etc.... Basically no problems show up.

The problem I have occurring is that all of a sudden the servers are
requiring complex passwords e.g. if you change a password or create a new
user account etc.

I have used GPOTOOL to check that group policy replication is happy, which
it is. I have looked at the default domain policy as well as the default
domain controller policy and re-tried enabling and disabling all bits of the
Password Policy section, in all variations (plus used secedit to apply the
settings). The Domain policy is blocked from inheriting the default domain
policy as it should be.

However, if you look at the local security policy > password policy on
either domain controller, it is always listed as NOT DEFINED.

I have also attempted setting the local security policy, and that still has
no effect.

Basically, all sections of the group policy will make a change to the local
security policy, BUT, it is not possible to set any of the settings in the
Password Policy section. This applies to any changes you make in the Group
Policy(s) at any level and also to the local security policy. FYI... there
are only the 2 policies on the server! If you change any other section of a
policy (domain, local, domain cont), it will replicate between the servers
and it will apply that section of the policy to any area except the Password
Policy, which won't change!

I have re-applied the service pack, as a safety measure and this is on a
live domain that has been working fine for 2 years now.... so how the change
has come about, I am uncertain!

This problem has only come to light as I had to create a new user, which I
couldn’t do without a complex password being set. However as I cannot find
out what is really going on with the password policy, I can't tell how long it
will now be before 300+ users are going to be asked to change their password,
and you can imagine the chaos that will happen :-(

As I have now spent 15 hours trying to resolve this, with all possible
scenarios of applying a password policy (either disabling, enabling, not
defining...Domain policy, Domain Controller policy, Local Security policy
etc.etc..) has anyone any thoughts on this as I am completely baffled as to
where to look next and unfortunately, my customer isn’t going to accept that
"I thought their network needed its security beefing up, so I turned on
password complexity" (sadly, as that would be a great easy option).

Another possibility would be if anyone knows exactly where to flick the
switch to disable this... Is it in that DLL file in system 32 that controls
password complexity.... or an encrypted registry key...or as unlikely as it
may be, Active directory through ADSI edit???

Any thoughts and suggestions would be more than welcome on this one!!

Thanks

Will Smith
 

Miha Pihler

Hi,

Personally I would rather take some time and explain to users how to use
complex passwords -- it is not all that hard.

*************

The only place in the domain where password policy can be defined (to have any
effect) is in the Default Domain Policy or a policy that replaces the Default
Domain Policy.

To change your settings, open Active Directory Users and Computers MMC.
Right click on domain name and select properties. Click on Group Policy tab
and click on Default Domain Policy to select it and click on Edit button.
Once the policy editor is started, drill down under Computer
Configuration -> Windows Settings -> Security Settings -> Account
Policies -> Password Policy. Here look for Password must meet complexity
requirements and double click on this policy. Make sure that there is a check
mark next to Define this policy setting and that the policy is set to Disabled.
Close all windows and Policy Editor.

From command line on your DC run

gpupdate /force

Then run this same command on your client. Try to change the password and
use a password that is not complex.

I hope this helps,

Mike
 

Rashmi.K.Y [MSFT]

Hello Will,

Thank you for posting.

I found various resolutions to a similar issue. Please find the solutions
that resolved the issue. Check if any of these apply to your scenario.

Solution 1:
Please check if the 'Apply Group Policy' setting is denied for
'Domain controllers' in either the Default Domain policy or the Default Domain
controllers policy.

Solution 2:
Check if any third-party password filter tool is applied.

Solution 3:
Make sure that the block policy inheritance is not enabled on Domain
controllers OU.

Solution 4:
Open the Default Domain Policy, and modify the Password Policy as follows:
Enforce Password History: 0
Maximum Password Age: 0
Minimum password Age: 0
Minimum Password Length: 0
Password must meet complexity requirements: Defined/Disabled
Store Passwords using reversible Encryption: Defined/Disabled

Once the policy is set as above, refresh policy and restart domain
controllers.

Hope the issue is resolved by any of the methods above.

Thank you,

Rashmi

This posting is provided "AS IS" with no warranties, and confers no rights.
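
The symptom in this thread is a password policy that is defined one way in the GPO but enforced another way on the domain controllers. As an added example (not part of any post in this thread), the script below compares the [System Access] password keys of a GPO security template (GptTmpl.inf) with an export of the effective policy such as `secedit /export /cfg` writes. Both sample templates are constructed and the function names are hypothetical.

```python
# Added example: report password-policy keys that differ between the
# template a GPO defines and an export of the policy actually in effect.
PASSWORD_KEYS = (
    "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
    "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
)

def parse_system_access(inf_text):
    """Return {key: value} for the [System Access] section of a template."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "system access"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def diff_password_policy(gpo_inf, effective_inf):
    """List (key, gpo_value, effective_value) for keys whose values differ.
    A key absent from a template ("Not Defined") is reported as None."""
    gpo = parse_system_access(gpo_inf)
    eff = parse_system_access(effective_inf)
    return [(k, gpo.get(k), eff.get(k))
            for k in PASSWORD_KEYS if gpo.get(k) != eff.get(k)]

# Constructed sample: the GPO defines complexity as disabled ...
SAMPLE_GPO = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
"""
# ... but the constructed export of the effective policy still enforces it.
SAMPLE_EFFECTIVE = """[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
ClearTextPassword = 0
"""

if __name__ == "__main__":
    for key, want, got in diff_password_policy(SAMPLE_GPO, SAMPLE_EFFECTIVE):
        print(f"{key}: GPO={want} effective={got}")
```

Security templates on disk are typically UTF-16, so read real files with `encoding="utf-16"` before passing their text to these functions.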
 

Lanwench [MVP - Exchange]

Hi - I see you have replies, and a resolution, in another group. In the
future, please don't multipost - if you need to post to multiple groups,
it's best to crosspost instead, by posting a single message to a handful of
relevant groups (separate the NG names with commas) so that everyone can
follow the thread. This makes it easier for everyone, including you.
 
