link470 Posted April 23, 2010

Hey guys! Here's a fun one, another password policy issue. I've got a Windows Server 2003 domain here, and I'm trying to configure a password policy for the school. I use Group Policy Management on my Windows XP here to manage our Domain's policies using the Administration Kit. I'm working with the Default Domain Policy within the root of our Domain. I've set the password policy to:

Enforce password history: 10
Max age: 180 days
Min age: 0 days
Min Length: 7
Complex: disabled

This is all fantastic, but when I go and log in to a teacher account and try to change their password, they get a prompt that says password must be at least 0 days old, cannot repeat any of your previous 0 passwords, and be at least 30 days old. I have NO idea where it's pulling that from. I can't find it anywhere. I double-checked on our domain controller directly that Domain Security Policy matches, and it does, exact same settings as listed above. But nobody can change their password because of these settings that are apparently coming from somewhere.

Any advice would be great! Thanks!!!

Michael Posted April 24, 2010

Do you have more than one DC and are they replicating OK? And by running ipconfig /all you can see which DNS server your workstations are talking to first.

Run gpupdate /force from the Run menu.

Have any local policies been set through gpedit.msc on an XP workstation?

glennda Posted April 24, 2010

If you run gpresult it will tell you which GPOs are being applied - it sounds to me as if you have another policy conflicting with it.

Is the teacher account in the user's OU? Try putting it in there (where I assume only the default domain policy and maybe a couple of other root domain GPOs will be applied) and see if the password policy works there. If it does then you will need to go through all the GPOs that are applied when it's in the other OU and check for any conflicting settings.

Toby

Michael Posted April 24, 2010

> If you run gpresult it will tell you which GPOs are being applied

I would agree but this policy can only be set at default domain level in 2003. 2008 Server allows a per OU setting of password policies.

link470 (Author) Posted April 24, 2010

I was wondering about the conflicting settings to be honest. I found some other GPOs that for some reason had 2 password policy fields set in them. No idea why, they didn't need to be there, so I pulled them, but they weren't the Default Domain Policy. Nothing else contains any password policies, only the Default Domain Policy now.

Here's a question though: if Microsoft only allows the Default Domain Policy/Domain Security Policy [which I think are the same thing, the second shows up if you're looking directly on the server in Administration tools] to have the password policy in them in Windows Server 2003, why does Windows Server 2003 allow you to make password policies in more than one GPO if they aren't going to work or apply anyway? Because people who don't know this magic tidbit about Windows Server 2003 only using password policies from the Default Domain Policy now must be pulling their hair out trying to figure out why they don't work.

Michael Posted April 25, 2010

It's a good question actually and I don't know either. Maybe one to ask Microsoft themselves?

link470 (Author) Posted April 27, 2010

I tried calling Microsoft to help me with this issue, but they were about to charge me $300. No thanks.

::EDIT:: Gahhhh, even more annoying, I just ran Group Policy Results on the test staff machine with a test staff user, and the correct password policy is apparently being applied no problem.

::EDIT:: New development, looks like the Default Domain Policy is only affecting local accounts, which there are none. I just created a new local account to test on the same staff test machine, and tried to change the password. It told me my password must be at least 7 characters, and cannot repeat any of the last 10 passwords. Correct! Now how do I make that apply to a DOMAIN user?!

Edited April 28, 2010 by link470

link470 (Author) Posted April 30, 2010

Errr...so uh...came in this morning, and a student came up to me saying "I tried repeatedly logging into my account...but it says now that my account is locked out" and I thought "nah it can't say that, I don't have that policy working". I checked his account in Active Directory, lo and behold, his account was locked out. I tried logging into a test account and changing the password...policies are working! Why it took that long? I have no idea! But it's working!
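
For the situation in this thread, where Group Policy Results reports the expected settings but domain accounts behave differently, one check is to compare what the domain actually enforces, as reported by net accounts /domain, with the intended values from the first post. This is an added example, not part of the original thread: the function names are hypothetical, the sample output is constructed, and English-language output is assumed.

```powershell
# Intended values, as listed in the first post of this thread.
$expected = @{
    'Minimum password age (days)'           = '0'
    'Maximum password age (days)'           = '180'
    'Minimum password length'               = '7'
    'Length of password history maintained' = '10'
}

# Constructed sample of English-language `net accounts /domain` output, not
# captured from the poster's domain. On a live system use:
#   $lines = net accounts /domain
$lines = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
The command completed successfully.
'@ -split "`r?`n"

# Hypothetical helper: turn "label:   value" lines into a hashtable.
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Split at the first colon that is followed by whitespace and a value.
        if ($line -match '^(?<name>.+?):\s+(?<value>\S.*)$') {
            $result[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    $result
}

# Hypothetical helper: report each intended setting next to the effective one.
function Compare-PasswordPolicy {
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = if ($Actual.ContainsKey($name)) { $Actual[$name] } else { '<missing>' }
        if ($value -eq 'None') { $value = '0' }   # "None" is printed for a history of 0
        New-Object PSObject -Property @{
            Setting = $name; Expected = $Expected[$name]; Effective = $value
            Match   = ($value -eq $Expected[$name])
        }
    }
}

Compare-PasswordPolicy $expected (ConvertFrom-NetAccounts $lines) |
    Format-Table Setting, Expected, Effective, Match -AutoSize
```

With the constructed sample, only the minimum password age matches; the other three settings show as mismatches, which is the kind of gap between configured and effective policy described in the thread.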