Windows Server 2003 Domain - Password Policy Completely Wrong/Not Working
Here's a fun one, another password policy issue. I've got a Windows Server 2003 domain here, and I'm trying to configure a password policy for the school. I use Group Policy Management on my Windows XP here to manage our Domain's policies using the Administration Kit. I'm working with the Default Domain Policy within the root of our Domain. I've set the password policy to:
Enforce password history: 10
Max age: 180 days
Min age: 0 days
Min Length: 7
This is all fantastic, but when I go and log in to a teacher account and try to change their password, they get a prompt that says password must be at least 0 days old, cannot repeat any of your previous 0 passwords, and be at least 30 days old. I have NO idea where it's pulling that from. I can't find it anywhere. I double-checked on our domain controller directly that Domain Security Policy matches, and it does, exact same settings as listed above. But nobody can change their password because of these settings that are apparently coming from somewhere. Any advice would be great! Thanks!!!
If you run gpresult it will tell you which GPOs are being applied - it sounds to me as if you have another policy conflicting with it. Is the teacher account in the user's OU? Try putting it in there (where I assume only the default domain policy and maybe a couple of other root domain GPOs will be applied) and see if the password policy works there. If it does then you will need to go through all the GPOs that are applied when it's in the other OU and check for any conflicting settings.
I was wondering about the conflicting settings to be honest. I found some other GPOs that for some reason had 2 password policy fields set in them. No idea why, they didn't need to be there, so I pulled them, but they weren't the Default Domain Policy. Nothing else contains any password policies, only the Default Domain Policy now.
Here's a question though, if Microsoft only allows the Default Domain Policy/Domain Security Policy [which I think are the same thing, the second shows up if you're looking directly on the server in Administration tools] to have the password policy in them in Windows Server 2003, why does Windows Server 2003 allow you to make password policies in more than one GPO if they aren't going to work or apply anyway? Because people who don't know this magic tidbit about Windows Server 2003 only using password policies from the Default Domain Policy now must be pulling their hair out trying to figure out why they don't work.
I tried calling Microsoft to help me with this issue, but they were about to charge me $300. No thanks.
Gahhhh, even more annoying, I just ran Group Policy Results on the test staff machine with a test staff user, and the correct password policy is apparently being applied no problem.
New development, looks like the Default Domain Policy is only affecting local accounts, which there are none. I just created a new local account to test on the same staff test machine, and tried to change the password. It told me my password must be at least 7 characters, and cannot repeat any of the last 10 passwords. Correct! Now how do I make that apply to a DOMAIN user?!
Last edited by link470; 28th April 2010 at 09:18 PM.
Errr...so uh...came in this morning, and a student came up to me saying "I tried repeatedly logging into my account...but it says now that my account is locked out" and I thought "nah it can't say that, I don't have that policy working". I checked his account in Active Directory, lo and behold, his account was locked out. I tried logging into a test account and changing the password...policies are working! Why it took that long? I have no idea! But it's working!