Password complexity rules not being applied

Hank Arnold

I've updated my password config in the default GPO. It has the policies
enabled for complex passwords as well as the number of logon tries before
disabling the account. Neither is being enforced.

1) Any suggestions as to where to look?

2) Is there a command line way to set the policy? I was able to use a command
line to set the rest of the policies, but this one wasn't in the list.
 
ptwilliams

How long have you waited? You more than likely made the change to the GPO
on the PDCe. This change needs to replicate and be applied to the DC that
you are authenticating against (well, apply GPO from anyway ;-)

Intrasite: 5 mins for replication (15 if you've a large mesh) and another 5
mins for policy application. Then logon and see if it's enforced...


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Tomasz Onyszko [MVP]

Hank said:
I've updated my password config in the default GPO. It has the policies
enabled for complex passwords as well as the number of logon tries before

What do you mean by "default GPO"? You should modify password policy in
Default domain policy.
 
mark

To elaborate on Tomasz's comment:

While the settings for password complexity are in the GPO template and
can be set at any OU level, they only take effect if set at the domain
level. You should set the password complexity level in the default
domain policy. Unfortunately you can only have one password complexity
setting per domain.

/mark
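
A read-only check for the two settings discussed in this thread, added here as an example (not posted by any participant): it parses the [System Access] section of a `secedit /export` file and compares PasswordComplexity and LockoutBadCount with the expected values. The function names, the -Live switch and the sample export are constructed for illustration.

```powershell
# Added example. With -Live (elevated prompt on the DC) it exports the policy in
# effect on that machine; without it, it parses the constructed sample below.
param([switch]$Live)

# Constructed sample of a secedit export in which neither setting has applied.
$sample = @'
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
'@

function Get-SystemAccess {
    param([string[]]$Lines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Track which INF section we are in; only [System Access] is of interest.
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $t -match '^([^=]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Test-AccountPolicy {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $Actual[$name]
                           Match = ($Actual[$name] -eq [string]$Expected[$name]) }
    }
}

if ($Live) {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item $cfg
} else {
    $lines = $sample -split '\r?\n'
}

# Expected values from the thread: complexity enabled (1), lockout threshold 5.
$expected = @{ PasswordComplexity = 1; LockoutBadCount = 5 }
Test-AccountPolicy -Actual (Get-SystemAccess $lines) -Expected $expected | Format-Table -AutoSize
```

With the constructed sample both rows report Match = False, which is the symptom described in the first post.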
 
Hank Arnold

I'm getting to the settings the following way:

- Log onto the DC as Administrator
- Open Active Directory Users & Computers
- Right click on "Hospice.Local" domain name
- Select Properties
- Select Group Policy tab
- Edit "Default Domain Policy" (currently the only one)
- Select Computer Configuration
    Windows settings
      Security Settings
        Account Policies
          Password Policy

This is where the complexity rule is "enabled". Is this the correct place to
do it?

I should also mention that the "Account Lockout Policy" is set for a
threshold of 5 attempts. Currently the system is ignoring that setting,
also.....
 
Hank Arnold

Thanks for the input.

I'll take a look Monday AM when I get to work. There are no other GPOs
listed other than the Default one. What kind of events should I be looking
for? Where should I turn on the userenv logging?
 
Hank Arnold

Thanks again for your inputs.

I was able to RDP in and check it out. There are no errors or warnings for
userenv and only Event 1704 (GPO applied successfully) in the Application
log for SceCli.

I checked the registry and found that the setting is for both VERBOSE and
LOGFILE. I do have the files Userenv.log and Userenv.bak. Is there anything
in there that could give a clue?
 
