Password Policy Reset to the old setting, Why?

Guest

Hi all!
We have a W2000 single domain with 260 DCs and 13000 users. Currently we have
a password policy (set at Domain Security Policy):

Enforce Password History=1 password remembered
Maximum password age=999 days
Minimum password age=0 days
Minimum password length=5 characters
Password must meet complexity requirements=disabled
Store password using reversible encryption for all users in the
domain=disabled

We want to change 2 things, as the customer wishes:

Minimum password length=6 characters
Password must meet complexity requirements=enabled

OK, we do it, and after a random time (about 1 minute to 10 minutes or more)
the policy is again like the old one.
I see in the Security Event Log that the system user reset this to the old policy.
Any idea?
The policy change works well in the test environment. I can't understand why this
happens in the production environment; the 2 domains are completely the same.
Also, about 5 months ago I changed the policy:
Maximum password age
from the default 42 days to 999 days, and that was not a problem.
We have disabled Norton, Tivoli and anything else that could be a problem,
but nothing.
We consulted Microsoft Premium Support; they have no idea either.
Any help from you?
Thanks a lot

Lanwench [MVP - Exchange]

Homa said:
> Hi all!
> We have a W2000 single domain with 260 DCs and 13000 users. Currently
> we have a password policy (set at Domain Security Policy):

I'm not a group policy expert, but I think you want to do this in your
default domain policy, don't you?

> Enforce Password History=1 password remembered
> Maximum password age=999 days
> Minimum password age=0 days
> Minimum password length=5 characters
> Password must meet complexity requirements=disabled
> Store password using reversible encryption for all users in the
> domain=disabled
>
> We want to change 2 things, as the customer wishes:
>
> Minimum password length=6 characters

I'd do 8.

> Password must meet complexity requirements=enabled

That's good.

Also you should force regular password changes - every 90 days at least.

Herb Martin

"Lanwench [MVP - Exchange]" wrote:
> I'm not a group policy expert, but I think you want to do this in your
> default domain policy, don't you?

Password policies must be at the domain level to function,
but it is not necessary to put it in the "Default" Domain
Policy.

As a general rule it is a poor idea to modify the two Default
policies but preferable to create your own.

> I'd do 8.

I would do 14 (or more).

I have seen a 14 broken in under 20 seconds.

> That's good.

And the 20 seconds was against one with SEMI-complexity,
i.e., UPPER, lower case and numbers.

> Also you should force regular password changes - every 90 days at least.

One wonders if it is also in the Default or another policy
linked afterwards, i.e., HIGHER on the original user
interface from Win2000.

Likely multiple policies at the domain level -- which is
fine -- but the one with the correct setting is not applied
last.

Guest

Hi Herb Martin!
Thanks for the reply,
we want to find the reason why the default domain policy resets to the old
setting.
I suggested to Microsoft Premium Support one week ago that we could create our
own policy for the desired setting and give it a higher priority, so the problem
should be solved, but as this is a mystery for Microsoft, they want to experiment
with our environment to find the reason (they call us to collect this log,
that log and so on), but they couldn't find the reason for this
mystery until now. So I think next week they will tell us that to solve the problem
we should create another policy with.... and sell us this as their own solution.
You are right, the old policy is not better than the one we want; it is poor
as well, but that is what the customer wishes.

Glenn L

Homa,

The password policy settings are stored in gpttmpl.inf file in sysvol under
the policy GUID.
The only thing I can think of is antivirus or backup causing file updates
which FRS treats as last writer wins.
You modify the policy on the PDC (gpttmpl.inf), and as that update is
replicating around, antivirus or backup on some DC causes an update to the
same file (original content) as it scans it. FRS then pushes this update
around as the authoritative update.

Are you sure you disabled AV and backups in SYSVOL on ALL 260 DCs?


--
Glenn L
CCNA, MCSE 2000/2003 + Security
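
Glenn's last-writer-wins explanation points to a check a defender can run before opening a support case: read the replica of GptTmpl.inf on every DC and see which one holds the old content and when it was written. This is an added PowerShell example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module on the management host, and the default GUID is the well-known Default Domain Policy GUID.

```powershell
# Added example, not from the thread: read the [System Access] section of
# GptTmpl.inf from every domain controller's own SYSVOL share and report
# replicas whose content disagrees. Assumes the ActiveDirectory module.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,
    # Well-known GUID of the Default Domain Policy; pass another GUID for a custom GPO
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}',
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName)
)

function Read-SystemAccess {
    # GptTmpl.inf is a Unicode INI file; return the [System Access] key/value pairs
    param([string]$Path)
    $inSection = $false
    $values = @{}
    foreach ($line in Get-Content -LiteralPath $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $values[$Matches[1]] = $Matches[2] }
    }
    return $values
}

$rows = foreach ($dc in $DomainControllers) {
    # Query \\DC\SYSVOL directly rather than \\domain\SYSVOL, so a stale replica
    # on one DC is not hidden behind whichever server the referral picks.
    $inf = "\\$dc\SYSVOL\$Domain\Policies\$GpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $row = [ordered]@{ DC = $dc; LastWriteUtc = $null; Hash = $null
                       MinLength = $null; Complexity = $null; MaxAge = $null; Error = $null }
    if (Test-Path -LiteralPath $inf) {
        $row.LastWriteUtc = (Get-Item -LiteralPath $inf).LastWriteTimeUtc
        $row.Hash = (Get-FileHash -LiteralPath $inf -Algorithm SHA256).Hash.Substring(0, 12)
        $s = Read-SystemAccess -Path $inf
        $row.MinLength  = $s['MinimumPasswordLength']
        $row.Complexity = $s['PasswordComplexity']   # 1 = complexity enabled
        $row.MaxAge     = $s['MaximumPasswordAge']
    } else {
        $row.Error = 'GptTmpl.inf not readable'
    }
    [pscustomobject]$row
}

$rows | Sort-Object LastWriteUtc | Format-Table -AutoSize
# More than one distinct hash means the replicas disagree; the newest LastWriteUtc
# identifies the DC whose copy FRS will propagate as the last writer.
$hashes = @($rows | Where-Object Hash | Select-Object -ExpandProperty Hash -Unique)
if ($hashes.Count -gt 1) {
    Write-Warning "GptTmpl.inf for $GpoGuid differs across $($hashes.Count) replica versions"
}
```

Run it a few minutes after making the change and again once the policy has reverted; the DC whose replica carries the old MinLength/Complexity values with the newest timestamp is where the overwriting process lives.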


Guest

Hi Glenn!
Thanks for the reply,
yes, we did disable AV (Symantec Corp.) and we do not have any
backup software on our systems (too expensive for the customer),
but the old settings came back again.


Guest

Ensure that two Group Policy settings are not disabled for the Default Domain
Policy and also the Local Policy on each Domain Controller. You can review
and/or modify these settings locally by running gpedit.msc from the Run box
on the Start menu.

Computer Configuration\Administrative Templates\Group Policy\Turn Off
Background Refresh of Group Policy - Ensure that this setting is not set to
"Disabled"

Computer Configuration\Administrative Templates\Group Policy\Group Policy
refresh Interval for Domain Controllers - Ensure that this setting is also
not set to "Disabled"

Reboot the Domain Controller or run GPUPDATE /FORCE if you are running
Windows 2003.

Best regards,

John Powell

Guest

Try disabling all other GPs at the Domain level and change only the security
policies "Default Domain Policy".

If this is not possible, create an entirely new GP and place it above all GPs
with the desired settings. Enable "No override / Enforce".

Hope this helps.
 
