Group Policy doesn't take effect for Password Complexity

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

I edited the Group Policy in our new network running on Windows 2003 so that
our users can use a password they used recently -- as not being able to use
one of the last 24 passwords would definitely cause riots in our organization!

However, when I try to set a new password and try to use a password I'd
previously used, my password still gets rejected. What am I doing wrong?
 
Sam,

Are you configuring the Password policy within the Default Domain policy
? The policy has to be set at the Domain level and also watch for processing
order. If you have created a new policy with your account policy inside and
it displays beneah the Default Domain Policy it will get processed first and
then the Default Domain Policy which could be reverting you back to the
standard. Also ensure that you have allowed group policy to update on your
Domain Controllers (5 mins) or use gpupdate.

Attached is a link covering configuring Account Policy: This may help select
the policies you want and do not want

http://www.microsoft.com/technet/pr...ctory/activedirectory/stepbystep/strngpw.mspx

Dave Britt
 
Dave,

Thanks for your response. I'm editing Default Domain Policy under Computer
Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy. I had disabled it. Should I uncheck "Define this policy"
instead?

Also even if I select "Define this policy" it doesn't allow me to define it.
I only see Enable and Disable options. The KB article you suggested talks
about being able to edit the settings of the policy. I'm not using
GPWalkThrough but I certainly don't have the ability to set password
complexity settings.

--
Thanks,

Sam


Dave Britt said:
Sam,

Are you configuring the Password policy within the Default Domain policy
? The policy has to be set at the Domain level and also watch for processing
order. If you have created a new policy with your account policy inside and
it displays beneah the Default Domain Policy it will get processed first and
then the Default Domain Policy which could be reverting you back to the
standard. Also ensure that you have allowed group policy to update on your
Domain Controllers (5 mins) or use gpupdate.

Attached is a link covering configuring Account Policy: This may help select
the policies you want and do not want

http://www.microsoft.com/technet/pr...ctory/activedirectory/stepbystep/strngpw.mspx

Dave Britt
Click to expand...
 
Sam,

Select the "Define this policy setting" option, and set the passwords
remembered property to 0. This should disable the password history
policy.


Dave,

Thanks for your response. I'm editing Default Domain Policy under Computer
Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy. I had disabled it. Should I uncheck "Define this policy"
instead?

Also even if I select "Define this policy" it doesn't allow me to define it.
I only see Enable and Disable options. The KB article you suggested talks
about being able to edit the settings of the policy. I'm not using
GPWalkThrough but I certainly don't have the ability to set password
complexity settings.
Click to expand...
 
Hi,

That seems to be my problem. Under Define this policy, I only have Enable or
Disable options. It doesn't let me set the specifics of the policy. Am I not
using the right tool?
 
It sounds like you are doing everything correctly from the GPO Editor.
Try to open the GPO Editor from another DC to see if that works.
 
Hi,

I was trying to administer GPO from my XP machine. Upon reading your
response, I went to our DCs to edit Default Domain Policy. I have the same
results. If I check define this policy, the only option I have is Enable or
Disable. By the way, although I disabled it, it's still asking me to come up
with a more complicated password. What am I missing here?
 
It sounds like you are editing the "Password must meet complexity
requirements" option. This controls password complexity, but not
password history. The one you want to edit is "Enforce password
history"

One other thing, Microsoft advises against editing the default domain
policy. You should put all your changes in a new policy.
 
Hi,

I don't see Enforce Password History. Here are the policies listed in the
Domain Policy...
Maximum password age 42 days
Minimum password age 1 day
Minimum password length 7 characters
Password must meet complexity requirements (currently) disabled
Store passwords using reversible encryption disabled.

Is it one of these I need to edit? If not, where do find "Enable Passord
History" policy?

Thanks for all your help.
 
I'm going to post a separate question, let's see if anyone else has had a
similar problem. Also, if I disable the policy, why would it still ask me to
come up with a more complex password? This is an out-of-the-box installation.
 
Back
Top