  1. #1
    link470

    Windows Server 2003 Domain - Password Policy Completely Wrong/Not Working

    Hey guys!

    Here's a fun one, another password policy issue. I've got a Windows Server 2003 domain here, and I'm trying to configure a password policy for the school. I use Group Policy Management on my Windows XP here to manage our Domain's policies using the Administration Kit. I'm working with the Default Domain Policy within the root of our Domain. I've set the password policy to:

    Enforce password history: 10
    Max age: 180 days
    Min age: 0 days
    Min Length: 7
    Complex: disabled

    This is all fantastic, but when I go and log in to a teacher account and try to change their password, they get a prompt that says password must be at least 0 days old, cannot repeat any of your previous 0 passwords, and be at least 30 days old. I have NO idea where it's pulling that from. I can't find it anywhere. I double check on our domain controller directly that Domain Security Policy matches, and it does, exact same settings as listed above. But nobody can change their password because of these settings that are apparently coming from somewhere. Any advice would be great! Thanks!!!

  2. #2

    Michael

    Do you have more than one DC and are they replicating OK? And by running ipconfig /all you can see which DNS server your workstations are talking to first.

    Run gpupdate /force from the Run menu

    Have any local policies been set through gpedit.msc on an XP workstation?

  3. #3

    glennda

    If you run gpresult it will tell you which GPOs are being applied - it sounds to me as if you have another policy conflicting with it. Is the teacher account in the users OU? Try putting it in there (where I assume only the Default Domain Policy and maybe a couple of other root domain GPOs will be applied) and see if the password policy works there. If it does, then you will need to go through all the GPOs that are applied when it's in the other OU and check for any conflicting settings.

    Toby

  4. #4

    Michael

    > If you run gpresult it will tell you which GPOs are being applied

    I would agree, but this policy can only be set at default domain level in 2003. 2008 Server allows a per-OU setting of password policies.

  5. #5
    link470

    I was wondering about the conflicting settings, to be honest. I found some other GPOs that for some reason had 2 password policy fields set in them. No idea why, they didn't need to be there, so I pulled them, but they weren't the Default Domain Policy. Nothing else contains any password policies, only the Default Domain Policy now.

    Here's a question though, if Microsoft only allows the Default Domain Policy/Domain Security Policy [which I think are the same thing, the second shows up if you're looking directly on the server in Administration tools] to have the password policy in them in Windows Server 2003, why does Windows Server 2003 allow you to make password policies in more than one GPO if they aren't going to work or apply anyway? Because people who don't know this magic tidbit about Windows Server 2003 only using password policies from the Default Domain Policy now must be pulling their hair out trying to figure out why they don't work.

  6. #6

    Michael

    It's a good question actually and I don't know either. Maybe one to ask Microsoft themselves?

  7. #7
    link470

    I tried calling Microsoft to help me with this issue, but they were about to charge me $300. No thanks.

    ::EDIT::

    Gahhhh, even more annoying, I just ran Group Policy Results on the test staff machine with a test staff user, and the correct password policy is apparently being applied no problem.

    ::EDIT::

    New development, looks like the Default Domain Policy is only affecting local accounts, which there are none. I just created a new local account to test on the same staff test machine, and tried to change the password. It told me my password must be at least 7 characters, and cannot repeat any of the last 10 passwords. Correct! Now how do I make that apply to a DOMAIN user?!
    Last edited by link470; 28th April 2010 at 09:18 PM.

  8. #8
    link470

    Errr...so uh...came in this morning, and a student came up to me saying "I tried repeatedly logging into my account...but it says now that my account is locked out" and I thought "nah it can't say that, I don't have that policy working". I checked his account in Active Directory, lo and behold, his account was locked out. I tried logging into a test account and changing the password...policies are working! Why it took that long? I have no idea! But it's working!
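
The recurring problem in this thread is that the values set in the Default Domain Policy did not match what domain accounts were actually held to. As an added example (not posted by anyone in the thread), this Python script parses saved `net accounts /domain` output and reports every setting that differs from the values in post #1; the sample output and the function names are constructed for illustration.

```python
import re

# Values the poster configured in post #1.
# (Complexity is not shown by `net accounts`, so it is not compared here.)
INTENDED = {
    "Minimum password age (days)": 0,
    "Maximum password age (days)": 180,
    "Minimum password length": 7,
    "Length of password history maintained": 10,
}

# Constructed sample of `net accounts /domain` output with stale values.
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          30
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {label: value} from `net accounts` output; numbers become int."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*?)\s*$", line)
        if not m:
            continue  # status lines such as "The command completed successfully."
        label, raw = m.group(1).strip(), m.group(2)
        if raw.isdigit():
            policy[label] = int(raw)
        elif raw == "None":
            policy[label] = 0  # no password history is reported as "None"
        else:
            policy[label] = raw  # e.g. "Never", "Unlimited", "PRIMARY"
    return policy

def policy_drift(text, intended=INTENDED):
    """Return {setting: (configured, reported)} for every mismatch."""
    effective = parse_net_accounts(text)
    return {k: (want, effective.get(k))
            for k, want in intended.items() if effective.get(k) != want}

if __name__ == "__main__":
    for setting, (want, got) in policy_drift(SAMPLE_OUTPUT).items():
        print(f"{setting}: configured {want}, domain reports {got}")
```

On a domain member, the real input comes from `net accounts /domain > policy.txt`; an empty result from `policy_drift` means the domain is reporting the configured values.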
