Local Security Overriding GP?

Ben Blackmore

Hi,

I'm having a problem with security on some of our PCs. Most work OK, but a
few seem to have their local default security settings overriding our group
policy settings.
In our GP under computer configuration we've set password history to 5,
length to 6, and complexity to enabled. However, some users have been able to
enter passwords of fewer than 6 characters, some even blank.
If you open the local security settings on the offending machines, there are
'local setting' and 'effective setting' columns. The effective settings are set to the GP
settings, so it appears the policy is being enforced. But the local settings are
set to password history 0, password length 0 and complexity disabled (all
the defaults). I thought the effective setting was what is actually being
enforced on the computer, so why can users still have blank passwords when the
effective settings say it has to be 6 or more?

We're using Win2k Pro clients, logging onto a Win2k server domain & AD, all
with SP4.

Ben

Chriss3

Hello Ben.

Where was this GPO applied? Password policies can only be applied through Group
Policies linked at the domain level; if you apply such a setting in a GPO
that is linked to an OU, the settings only apply to local accounts on
affected clients, not to domain accounts.

Guest

Really? I didn't realise that! In our AD we have

Domain.co.uk
|______Builtin
|______Computers
|______Domain Controllers (etc...)
|______Domain Computers OU
|      |______Dept No1 PCs <--- Policy is applied here!
|      |______Dept No2 PCs
|______Domain Users OU
       |______Dept No1
       |______Dept No2

Does this mean the password policy won't work when applied to 'Dept No1 PCs', and I have to apply it to the root domain GPO?
We have created another OU specifically for the PCs; we found that leaving the PCs in the original 'Computers' OU (just below Builtin) meant that we couldn't apply GPs. I don't think that Computers folder is a true OU (or am I wrong?), as you can't apply any GPs to it. So we created a specific OU to contain all the PCs so we could apply GPs to them.
We are running SUS 1.1, which has to be set up via GP in the computer config section, and that is applied to the PCs and works fine. So I know the policy is being enforced.
Ben

Chriss3

That's the case.

The password policy is domain-wide, and if this setting is set at OU level
it will be applied to local accounts and ignored for domain users.

If you need another password policy, you have to deploy another domain.

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

Ben Blackmore said:
Really? I didn't realise that! In our AD we have

Domain.co.uk
|______Builtin
|______Computers
|______Domain Controllers (etc...)
|______Domain Computers OU
|      |______Dept No1 PCs <--- Policy is applied here!
|      |______Dept No2 PCs
|______Domain Users OU
       |______Dept No1
       |______Dept No2

Does this mean the password policy won't work when applied to 'Dept No1
PCs', and I have to apply it to the root domain GPO?
We have created another OU specifically for the PCs; we found that leaving the
PCs in the original 'Computers' OU (just below Builtin) meant that we
couldn't apply GPs. I don't think that Computers folder is a true OU (or am
I wrong?), as you can't apply any GPs to it. So we created a specific OU to
contain all the PCs so we could apply GPs to them.
We are running SUS 1.1, which has to be set up via GP in the computer config
section, and that is applied to the PCs and works fine. So I know the policy
is being enforced.

Ben Blackmore

Chris,

I have just checked the root domain GPO, and it has similar settings to the
Computers OU. Password age was set to 42 days, password length was set to 6,
and complex passwords were disabled. So users still shouldn't have been able
to enter a password of fewer than 6 characters or leave it blank.

It's very strange!

Ben

Ben Blackmore

Hi,

After applying the password policy to the domain controller last night, I've
come in this morning, logged in, and tried to change my password to 'test'
(which it shouldn't let me do, being less than 6 characters). However, it did
let me do it, so for some reason the policy is still not taking effect! Any
ideas? I've checked that no OUs have inheritance blocked or other settings
defined.

Ben

Ben Blackmore

Hi,

I think I have fixed this now. After looking at some of the error logs I
figured the secedit.sdb database was corrupt, so I ran

esentutl /p c:\winnt\security\database\secedit.sdb /v /x

and it seemed to fix the problem. After running

secedit /refreshpolicy machine_policy /enforce

I refreshed Event Viewer and it said the policy had been successfully
applied!
I have been testing some of the settings since then, and I've found that the
password policy has to be set at the very top of the AD tree, not on the
Domain Controllers OU policy. I tested this by enabling password complexity in
the DC GP but disabling it in the domain GP, and it took the domain settings;
then I switched them both around, and it still took the domain settings. The
same happens if you disable the domain setting so it's neither enabled nor disabled:
it just leaves it as disabled, without picking up the DC GP settings.

Ben
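The refresh-and-verify steps in the post above can be scripted so the result is read back from the client rather than from the Local Security Settings snap-in. The following is an added example, not something posted in the thread: it runs the same secedit refresh Ben used and then shows the two password policies Chriss3 distinguishes, the one applied to local accounts (what an OU-linked GPO changes) and the one applied to domain accounts (what only a domain-linked GPO changes). It assumes a Windows 2000 client joined to the domain; on XP and later the equivalent refresh is gpupdate /force, and the SceCli event 1704 mentioned in a later reply is what to look for in the Application log afterwards.

```batch
@echo off
REM Added example, not from the thread: refresh machine policy, then read back
REM the password policy this client actually enforces for local vs domain accounts.
REM Assumes Windows 2000 (secedit /refreshpolicy); on XP and later use "gpupdate /force".

echo Refreshing machine policy...
secedit /refreshpolicy machine_policy /enforce
if errorlevel 1 echo Refresh reported an error - check the Application log for SceCli events.

echo.
echo Policy enforced for LOCAL accounts on this machine (what an OU-linked GPO changes):
net accounts

echo.
echo Policy enforced for DOMAIN accounts (what only a domain-linked GPO changes):
net accounts /domain

echo.
echo Minimum password length as seen by domain accounts:
net accounts /domain | findstr /i "Minimum password length"
```

If the local figure matches the OU-linked GPO while the domain figure still shows the old values, the GPO is being applied but to the wrong account store, which is the situation described at the start of the thread.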

ptwilliams

That's great news!

Glad you got it sorted out.

I'll make a mental note of the corrupt security database ;-)


Paul.
_____________________________

Guest

Just a couple of quick questions here:
1. You set your password policy on the Default Domain Policy, right? As AD is designed, the password policy should be set only at the Default Domain Policy.

2. Are the offending machines only the XP machines? On the XP box you could do a gpupdate /force from the command line and check for a 1704 event ID in the application log.

3. If you were to slightly alter the password policy to, say, require at least 6 chars and then reboot the XP box, then on logon check the local policy on XP to see if the effective string has in fact been modified.