23rd April 2010, 11:26 PM #1
Windows Server 2003 Domain - Password Policy Completely Wrong/Not Working
Here's a fun one, another password policy issue. I've got a Windows Server 2003 domain here, and I'm trying to configure a password policy for the school. I use Group Policy Management on my Windows XP here to manage our Domain's policies using the Administration Kit. I'm working with the Default Domain Policy within the root of our Domain. I've set the password policy to:
Enforce password history: 10
Max age: 180 days
Min age: 0 days
Min Length: 7
This is all fantastic, but when I go and log in to a teacher account and try to change their password, they get a prompt that says password must be at least 0 days old, cannot repeat any of your previous 0 passwords, and be at least 30 days old. I have NO idea where it's pulling that from. I can't find it anywhere. I double-checked on our domain controller directly that Domain Security Policy matches, and it does, exact same settings as listed above. But nobody can change their password because of these settings that are apparently coming from somewhere. Any advice would be great! Thanks!!!
24th April 2010, 11:22 AM #2
Do you have more than one DC and are they replicating OK? And by running ipconfig /all you can see which DNS server your workstations are talking to first.
Run gpupdate /force from the Run menu
Have any local policies been set through gpedit.msc on an XP workstation?
24th April 2010, 12:10 PM #3
If you run gpresult it will tell you which GPOs are being applied - it sounds to me as if you have another policy conflicting with it. Is the teacher account in the users OU? Try putting it in there (where I assume only the Default Domain Policy and maybe a couple of other root domain GPOs will be applied) and see if the password policy works there. If it does, then you will need to go through all the GPOs that are applied when it's in the other OU and check for any conflicting settings.
25th April 2010, 12:30 AM #4
I would agree but this policy can only be set at default domain level in 2003. 2008 Server allows a per OU setting of password policies.
If you run gpresult it will tell you which gpo's are being applied
25th April 2010, 12:54 AM #5
I was wondering about the conflicting settings to be honest. I found some other GPOs that for some reason had 2 password policy fields set in them. No idea why, they didn't need to be there, so I pulled them, but they weren't the Default Domain Policy. Nothing else contains any password policies, only the Default Domain Policy now.
Here's a question though, if Microsoft only allows the Default Domain Policy/Domain Security Policy [which I think are the same thing, the second shows up if you're looking directly on the server in Administration tools] to have the password policy in them in Windows Server 2003, why does Windows Server 2003 allow you to make password policies in more than one GPO if they aren't going to work or apply anyway? Because people who don't know this magic tidbit about Windows Server 2003 only using password policies from the Default Domain Policy now must be pulling their hair out trying to figure out why they don't work.
25th April 2010, 08:17 PM #6
It's a good question actually and I don't know either. Maybe one to ask Microsoft themselves?
27th April 2010, 09:14 PM #7
I tried calling Microsoft to help me with this issue, but they were about to charge me $300. No thanks.
Gahhhh, even more annoying, I just ran Group Policy Results on the test staff machine with a test staff user, and the correct password policy is apparently being applied no problem.
New development, looks like the Default Domain Policy is only affecting local accounts, which there are none. I just created a new local account to test on the same staff test machine, and tried to change the password. It told me my password must be at least 7 characters, and cannot repeat any of the last 10 passwords. Correct! Now how do I make that apply to a DOMAIN user?!
Last edited by link470; 28th April 2010 at 10:18 PM.
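Added example, not part of any post in this thread: Group Policy Results shows which GPO won, but the values domain accounts are actually held to are the ones the domain controller reports via `net accounts /domain`. The sketch below parses that output and lists every setting that differs from the values in the first post; the sample output and the domain name `school.example` are constructed, and the function names are hypothetical.

```python
import re

# Intended Default Domain Policy values, taken from the first post.
INTENDED = {
    "Length of password history maintained": 10,
    "Maximum password age (days)": 180,
    "Minimum password age (days)": 0,
    "Minimum password length": 7,
}

# Constructed sample of `net accounts /domain` output (not from a real domain).
SAMPLE_OUTPUT = """\
The request will be processed at a domain controller for domain school.example.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          30
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {label: value}; numbers become int, 'None' becomes 0."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*?)\s*$", line)
        if not m:
            continue  # banner and status lines carry no "label: value" pair
        label, value = m.group(1), m.group(2)
        if value.isdigit():
            value = int(value)
        elif value == "None":
            value = 0  # net accounts prints None for a zero-length history
        settings[label] = value
    return settings

def policy_drift(text, intended=INTENDED):
    """List (setting, intended, effective) for every mismatch or missing value."""
    effective = parse_net_accounts(text)
    return [(k, want, effective.get(k, "missing"))
            for k, want in intended.items() if effective.get(k) != want]

if __name__ == "__main__":
    for setting, want, got in policy_drift(SAMPLE_OUTPUT):
        print(f"{setting}: intended {want}, domain reports {got}")
```

On a domain-joined machine, pass the captured text of `net accounts /domain` to `policy_drift` instead of the sample; an empty list means the domain is enforcing the intended values.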
30th April 2010, 05:35 PM #8
Errr...so uh...came in this morning, and a student came up to me saying "I tried repeatedly logging into my account...but it says now that my account is locked out" and I thought "nah it can't say that, I don't have that policy working". I checked his account in Active Directory, lo and behold, his account was locked out. I tried logging into a test account and changing the password...policies are working! Why it took that long? I have no idea! But it's working!