Domain Policy?

[Al]

I tried to apply password policies to my domain on
Friday. I edited the Default Domain Policy to the give
the following requirements:
Enforce Password History - 3
Maximum Password Age - 120
Minimum Password Age - 30
Minimum Password Length - 8
Passwords must meet complexity requirements - Enabled
Store passwords using reversible encryption - Disabled

Then closed out and applied Group Policy.

On Monday morning several users were having problems
logging on. System message stated that their password had
expired and required them to enter a new one. However,
neither password length nor complexity requirements were
not being enforced.

When I went back to verify the Default Domain Policy it
did not reflect the changes made on Friday. All settings
were back to default values.

What gives? Any ideas would be appreciated. I tested this
several times in my network sandbox and it worked fine.

 

[Steven L Umbach]

If you have more than one domain controller verify that your replication is working
correctly. Usually errors will appear in Event Viewer and you can use gpotool and
replmon form the support tools to verify proper replication. Replication problems are
often related to improper dns configuration. Also do not have block inheritance
enabled on the domain controller container when you are going to make a change to
account policy. Net accounts on a domain controller can give you a quick idea of what
that domain controller has as account policy other than password complexity. If you
have more than one GPO for the domain, try making your changes in the GPO at top of
the list for Group Policy since that GPO has the highest priority. --- Steve

 

[markwell99]

I've gotten messages from a number of sites, some called
www.messagestop.net....and many others..
They open up Messager dialog boxes and try to sell software to stop popups..
I call it extortion..
But I found a fairly easy way to stop this....Look at windows site..
http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx
For a detailed explanation on disabling the messanger service that the
ruthless people are
explioting... Ha ha....the messges don't come through any more......

 

[Dave]

you should know though that disabling the messenger service only hides the
true problem.. you have a system that is exposed to the internet without
protection. the better fix is to get a firewall, even one of the free ones
like zonealarm and block all that stuff from getting to the operating sytem.

 

[Robert Moir]

I've gotten messages from a number of sites, some called
www.messagestop.net....and many others..
They open up Messager dialog boxes and try to sell software to stop
popups.. I call it extortion..
But I found a fairly easy way to stop this....Look at windows site..
http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx
For a detailed explanation on disabling the messanger service that the
ruthless people are
explioting... Ha ha....the messges don't come through any more......

I hope you also paid attention to the comments on that page about using an
Internet firewall of some kind.

The messenger service alerts are annoying but actually useful; they tell you
that your computer is set up to expose networking services to the Internet
which should never be exposed in that way. Rather than just turning off the
messenger service you need to plug the hole in your network security which
allows the messages through.

You don't just ignore a smoke alarm when it goes off, after all, you look to
see what and where from the smoke that triggered it is at!

Rob ms mvp