Do my account policies really work?

Nicolas Heyer

Hello

At the beginning of the year we set that users have to change their
password and meet password complexity.

Here are the settings:

Password history : 24 passwords remembered
Minimum password age: 0
Maximum password age: 120
Password must meet complexity is enabled

The option "Password never expires" is NOT set on user objects.

The policy has been linked to the top of the domain.

I have just discovered that one user has never changed his password since
January 4th... that is a lot more than 120 days... so why? I asked the user,
who stated that the system has never asked for a password change...

How can I check if the policy really works, and what could cause it not to
work properly, knowing that complexity does seem to be enforced when the
user changes his password?

regards
Nicolas
 
Florian Frommherz [MVP]

Howdie!

Nicolas said:
Password history : 24 passwords remembered
Minimum password age: 0

Setting it to 0 is a bad idea since people could change it just 24 times
in a row and then re-enter their previous password.
The policy has been linked to the top of the domain.

How's the linking order? Is the Password Policy the one linked at the
"top" of all policies when you look at the list at the domain level? Or
is it at least the one policy that's linked highest when it comes to
Password settings?

cheers,

Florian
 
Nicolas Heyer

There are 6 group policies linked at the domain level; the account policy is
set as the 5th policy, but the other policies have, I think, nothing to do with
account policy. Should I change the order and set the policy to be enforced?



Regards
Nicolas

P.S.: yes, I know that 0 is not the best setting for minimum password
age... we will change it, but I also think that a user will probably try 3 or
5 times but almost never 24 times, or he really has nothing else to do at
work... but you're right, it's a lack of security...


Florian Frommherz said:
Howdie!

Nicolas said:
Password history : 24 passwords remembered
Minimum password age: 0

Setting it to 0 is a bad idea since people could change it just 24 times
in a row and then re-enter their previous password.
The policy has been linked to the top of the domain.

How's the linking order? Is the Password Policy the one linked at the
"top" of all policies when you look at the list at the domain level? Or
is it at least the one policy that's linked highest when it comes to
Password settings?

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
 
dw33z1l

Quoted from
http://technet2.microsoft.com/windo...b53d-41d0-9867-199f6595a01b1033.mspx?mfr=true
"For domain accounts, there can be only one account policy per domain.
The account policy must be defined in the Default Domain Policy or in
a new policy that is linked to the root of the domain and given
precedence over the Default Domain Policy, which is enforced by the
domain controllers that make up the domain. A domain controller always
pulls the account policy from a Group Policy object (GPO) linked to the
domain, which by default is the Default Domain Policy GPO. This
behavior occurs even if there is a different account policy applied to
the organizational unit (OU) that contains the domain controller."

Hope that helps if it wasn't answered already.

-dweez

 
Florian Frommherz [MVP]

Nicolas,


Nicolas said:
there are 6 group policies linked to the domain level, the account policy is
set as 5th policy, but the other policies have, I think, nothing to do with
account policy. Should I change the order and set the policy to be enforced ?

You can check that easily using the GPMC and the settings tab for those
policies. Only one Password Policy is applied - it's the "upper most"
Password Policy the system can find at the domain root. So moving your
Default Domain Policy to the top of the list should do the trick. But
don't enforce it.

If the policy still doesn't apply: is inheritance blocked at the Domain
Controllers OU?

cheers,

Florian
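The checks the thread walks through (which account policy the domain controllers actually enforce, the link order at the domain root, blocked inheritance on the Domain Controllers OU, and the state of the one user's password) can be scripted. The following is an added example, not code posted by any participant in the thread. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which are newer than the thread itself (Windows Server 2008 R2 or later); the account name `nheyer` is a placeholder, not the account from the original post.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are installed and the session runs as a domain user.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$user   = 'nheyer'   # assumption: placeholder sAMAccountName, not from the post

# 1. The policy the DCs actually enforce for domain accounts. This is what
#    "net accounts /domain" prints on older hosts; compare it with the GPO you
#    think is winning (24 remembered, min age 0, max age 120, complexity on).
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount, ComplexityEnabled

# 2. Link order at the domain root. Link order 1 is processed last and wins
#    when two GPOs set the same account-policy value, so an account policy
#    sitting in 5th place loses to any higher-ordered GPO that also defines
#    password settings (including the Default Domain Policy).
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced

# 3. Blocked inheritance on the Domain Controllers OU would stop the domain
#    root GPOs from reaching the DCs that evaluate the policy.
$dcOu = "OU=Domain Controllers,$($domain.DistinguishedName)"
"Inheritance blocked on DC OU: " + (Get-GPInheritance -Target $dcOu).GpoInheritanceBlocked

# 4. The user in question: last password set, the 'never expires' flag, and the
#    expiry the DC has computed from the policy it is really applying.
$u = Get-ADUser $user -Properties PasswordLastSet, PasswordNeverExpires,
        PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'
$expiryRaw = $u.'msDS-UserPasswordExpiryTimeComputed'
$expiry = if ($u.PasswordNeverExpires -or $expiryRaw -eq [Int64]::MaxValue) { 'never' }
          elseif (-not $expiryRaw) { 'must change at next logon' }
          else { [DateTime]::FromFileTime($expiryRaw) }

[PSCustomObject]@{
    User                 = $u.SamAccountName
    PasswordLastSet      = $u.PasswordLastSet
    PasswordNeverExpires = $u.PasswordNeverExpires
    PasswordExpired      = $u.PasswordExpired
    ComputedExpiry       = $expiry
}

# Flag the exact symptom from the thread: password older than MaxPasswordAge
# yet not expired. That means the policy you expect is not the one in force.
if ($u.PasswordLastSet -and $policy.MaxPasswordAge -ne [TimeSpan]::Zero) {
    $age = (Get-Date) - $u.PasswordLastSet
    if ($age -gt $policy.MaxPasswordAge -and -not $u.PasswordExpired) {
        Write-Warning ("{0}: password is {1} days old but not expired; " +
            "check link order, blocked inheritance, PasswordNeverExpires and any FGPP." -f
            $user, [int]$age.TotalDays)
    }
}

# 5. A fine-grained password policy (Server 2008 domain functional level and
#    up) applied to the user or one of his groups overrides the domain policy
#    entirely; this returns nothing when no FGPP applies.
Get-ADUserResultantPasswordPolicy $user
```

Run it on a domain-joined machine with RSAT; step 1 is the ground truth, because `Get-ADDefaultDomainPasswordPolicy` reads the values the domain naming context actually holds rather than any individual GPO. If steps 2 and 3 look right but step 4 still shows a stale, unexpired password, step 5 is the usual explanation on newer domains.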
 
