cannot change local security policy


Steve Richter

I want to change the "password must meet complexity requirements" of
my PC to "disabled". But the pushbutton is greyed. Why is it doing
that??

My Vista PC is in the Active Directory domain of my 2nd PC, running
Windows Server 2003 (which I configured today. Note to MSFT:
configuring your systems is very difficult and confusing!!).

On the server PC I was able to change the password policy and disable
complex names.

thanks,

-Steve
 
Are you in the Local Security Policy editor (in Administrative tools) on the
Vista computer trying to change this? How did you configure the policy on the
server?
 
On the server I had the "password must meet complexity or whatever"
disabled on either the "default domain security policy" or the
"default domain controller security policy". Now I have changed to
"disabled" in both and I can now set a simple password on the
client.

What kind of madmen designed this?? What is the difference between
"default domain" and "default domain controller"???

-Steve
 
With all due respect, you need this:
http://www.amazon.com/gp/product/0470106425?ie=UTF8&tag=protectyourwi-20

The Default Domain Policy is linked to the domain itself. Password policy
settings you make in there apply to all computers in the domain, except for
domain controllers (if the same settings are made in the Default Domain
Controllers Policy). Since you were managing the password policy using the
Default Domain Policy your password settings in Local Security Policy were
greyed out. You told the computer that you want the domain settings to rule.


The Default Domain Controllers Policy is linked to the Domain Controllers
OU. Since policy is processed in the LSDOU (Local, Site, Domain, OU) order,
that policy will override settings made in the Default Domain Policy for the
DCs.

Really, you need to read Jeremy's book if you are going to be playing with
Group Policy. You may want to read one of mine too to understand the security
settings.
 
Because the Vista machine is domain joined, the Default Domain
Policy overrides the Local policy. Create a new OU and move the
computer account for your workstation to that new OU. Then you'll want
to create a new group policy object on that OU so that it applies to
that workstation. Modify the GPO to change the settings you wish.

You should never make changes to the Default Domain or Default Domain
Controller policies, but rather create new ones.

Also, why would you want to disable the password complexity
requirements? You are opening yourself up to allowing somebody to
brute force attack the accounts by using simple passwords. Much easier
to determine the passwords if they are not complex.

Just a thought.

Steve Antonio, CISSP

 
With all due respect Steve, the built-in password complexity filter is so
weak it certainly does not rule out guessing passwords. "Seattle1" would
qualify as a "strong" password under the built-in filter, as do a myriad of
other weak ones. If you really want to improve password strength, you need to
go for length.
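
The point in the reply above about "Seattle1" can be checked with a small model of the complexity filter. This is an added example, not code from the thread or from Microsoft; it assumes the publicly documented rule for the setting (three of five character categories, no account-name or display-name token of three or more characters inside the password), and the account name `srichter` is a constructed sample.

```python
import re
import string

# Delimiters the documented rule uses to split displayName into tokens (assumption).
_DELIMS = re.compile(r"[,.\-_ #\t]+")

def char_classes(password):
    """Return the set of character categories present in the password."""
    classes = set()
    for ch in password:
        if ch in string.digits:
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isalpha():
            classes.add("other-alpha")  # alphabetic but caseless, e.g. CJK
        else:
            classes.add("symbol")
    return classes

def name_fragments(sam_account_name, display_name):
    """Name parts the password must not contain (compared case-insensitively)."""
    frags = []
    if len(sam_account_name) >= 3:      # short account names are not checked
        frags.append(sam_account_name)
    frags += [t for t in _DELIMS.split(display_name) if len(t) >= 3]
    return [f.lower() for f in frags]

def meets_complexity(password, sam_account_name="", display_name=""):
    """True if the password would pass this model of the complexity filter."""
    lowered = password.lower()
    if any(f in lowered for f in name_fragments(sam_account_name, display_name)):
        return False
    return len(char_classes(password)) >= 3

# Constructed sample passwords, checked for a hypothetical account.
SAMPLES = ["Seattle1", "seattle1", "Srichter2007!",
           "correct horse battery staple"]

def evaluate(samples=SAMPLES):
    return {p: meets_complexity(p, "srichter", "Steve Richter") for p in samples}

if __name__ == "__main__":
    for pw, ok in evaluate().items():
        print(f"{pw!r:32} length={len(pw):2}  passes={ok}")
```

The filter accepts the 8-character "Seattle1" and rejects a 28-character lowercase passphrase, which is why minimum length has to be enforced through its own policy setting and not left to the complexity check.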
 
Will do. Thanks for the help. I understand it better now.

-Steve
 