Can't disable password policy on DC


Robert Gowdy

Using the Default Domain Policy GPO at the domain level, I
set a password policy. The password policy worked fine.
I've since disabled the password policy changing
everything back to default yet even when creating a new
user on the DC it complains that the password I choose
doesn't meet the password complexity setting when there
are supposedly none in place.

I've done a manual refresh of policies using secedit for
users and machines.

Using secpol.msc I see the default password policy
settings (i.e. maximum password age 42 days, effective
setting not defined for all variables).

The problem also still exists on the client side of the
machine where the password policy is still being enforced
even though it's set to default on the DC. The local sec
policies for the client are default as well. (I am
logging into the client using a domain user that exists on
the DC.)

Thanks in advance for your time and consideration.
 
Hi Robert,

Password and Account Lockout Policies for a domain can only be specified at
the Default Domain level. Domain Controllers only receive these settings
from the Default Domain Policy, regardless of what settings you have applied
at the Default Domain Controller policy. For more information, you may want
to refer to MS Knowledge Base article 259576:

http://support.microsoft.com/default.aspx?scid=kb;en-us;259576&Product=win2000

Hope that helps.

Keith C. Jakobs, MCP
 
I applied the GPO to the domain level. I then removed it from the domain
level. It is still taking effect. I refreshed policies for users and
machines manually using secedit. The policy for password complexity is
disabled, yet still complains that the password isn't complex enough when
creating a new user on the DC. I apologize for typing DOMAIN LEVEL in all
caps but you have to understand. It's not that I don't appreciate your help
even though clearly you didn't read what I had typed and if you add to the
thread without really reading what I typed you're going to just add
confusion to the next person that may try to help.
 
Actually Robert, I did read your post....


Which indicated to me that you were confirming setting at the Default Domain
Controller policy and not the Default Domain policy.

The text of your message suggested you were not aware of the limitations of
the Password and Account Lockout policies, and I hoped the MS article I
posted would provide you with some additional information. As I said in my
reply, I hope it helps, but did not say that WAS your issue.

Good Luck

Keith C. Jakobs, MCP
 
I fixed the issue. Basically GPOs, I figured, have GUIDs. I renamed the
Default Domain Policy on accident and then named it back. For some reason,
after renaming it to, say, "testtest" and then back to its original name,
any setting that the GPO had when named "testtest" remained even though I
renamed it back to its original name. Under the actual policies under
SYSVOL, there were only two GPOs (default and default controller). I
manually deleted the GPO entirely, rebooted, went back to SYSVOL where only
one GPO (default controller) remained. Added a NEW GPO and called it
Default Domain Policy and now new password policy settings take effect.

I think it would be good advice for anyone who has to implement a GPO at the
domain level to create a new GPO and to never alter the default domain
policy; just leave it in place unaltered.
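
The last post observes that GPOs are identified by GUID rather than by display name. As an added example (not part of the thread), this Python script reads the security template in each GPO's SYSVOL folder and reports which GUID actually carries a password-complexity setting. The template contents are constructed samples; the two GUIDs and the GptTmpl.inf path are the standard Windows ones, which the thread itself does not quote.

```python
import configparser

# Well-known GUIDs of the two built-in GPOs; they are identical in every domain.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"

# Constructed sample data: the text of
# SYSVOL\<domain>\Policies\<GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# for each GPO folder, keyed by GUID. Real files are usually UTF-16 encoded.
SAMPLE_TEMPLATES = {
    DEFAULT_DOMAIN_POLICY: (
        '[Unicode]\nUnicode=yes\n'
        '[System Access]\nMinimumPasswordLength = 0\nPasswordComplexity = 1\n'
        'MaximumPasswordAge = 42\n'
        '[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
    ),
    DEFAULT_DC_POLICY: (
        '[Unicode]\nUnicode=yes\n'
        '[Privilege Rights]\nSeBackupPrivilege = *S-1-5-32-544\n'
        '[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
    ),
}

PASSWORD_KEYS = ("MinimumPasswordAge", "MaximumPasswordAge",
                 "MinimumPasswordLength", "PasswordComplexity",
                 "PasswordHistorySize")


def password_settings(inf_text):
    """Return the password-policy values that one GptTmpl.inf defines."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}  # this GPO leaves every account policy "not defined"
    section = parser["System Access"]
    return {k: int(section[k]) for k in PASSWORD_KEYS if k in section}


def gpos_enforcing_complexity(templates):
    """GUIDs of GPO folders whose template turns password complexity on."""
    return sorted(guid for guid, text in templates.items()
                  if password_settings(text).get("PasswordComplexity") == 1)


if __name__ == "__main__":
    for guid, text in SAMPLE_TEMPLATES.items():
        print(guid, password_settings(text) or "no password policy defined")
```
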
 