New Password Policy Implementation Problem

AAO

Recently we implemented a password policy for our institution; however,
during our testing we noticed that on our production AD environment we were
able to implement the following settings via the Default Domain Controllers
Security Policy (DDCSP):
- Enforce password history
- Minimum password length
- Passwords must meet complexity requirements

These policies were enforced for all domain users and we verified the
validity of these settings through client testing.

The 'Maximum Password Age' and the 'Minimum Password Age' would not apply to
the domain users when set from the DDCSP, and we needed to enforce these from the
Default Domain Security Policy (DDSP). Needless to say, I was very confused
as to why this worked. I tried these same settings on 2 different AD test
environments and they would not enforce at the DDCSP. My question is: has
anyone else seen this? Why did this work on our production environment?
Based on what I read, this should not have worked, but it did.

Our Production Setup:
(3) Windows 2000 Domain Controllers with SP4 and all of the latest hot fixes
running in Mixed Mode.

Our Test Environment:
(2) Windows 2000 DCs with SP4 and a couple of hot fixes

Our 2nd Test Environment:
(1) Windows 2000 DC with Service Pack 2 and several hot fixes

Based on all of the Microsoft Knowledge Base articles and white papers I
could find, I've learned that account policies such as password, account
lockout, and Kerberos policies can only be enforced for domain users at the
DDSP. In addition, I learned that only auditing and user rights can be
enforced for domain controllers at the DDCSP.

AAO
 
Hi

As per:

http://www.microsoft.com/resources/...2003/all/deployguide/en-us/dsscc_aut_xbby.asp

"Creating a password policy involves setting the following options in the
Default Domain Group Policy object. These policies, with the exception of
those settings related to password lifetime, are enforced on all users in a
domain."

In my experience, these apply to everyone from the DDSP. For example,
examine the defaults on a Windows Server 2003 DC ... all set from DDSP.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
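A practical way to settle what the domain is actually enforcing, regardless of which GPO the settings were typed into, is to read the account-policy attributes on the domain naming-context head object, since that is where the domain-level settings land and what the DCs validate password changes against. The script below is an added example and is not code from either poster or from Microsoft; it assumes a domain-joined Windows machine with ADSI available (no ActiveDirectory module needed), and the function names are this example's own. On a Windows 2000 era DC the equivalent cross-check is `net accounts /domain`.

```powershell
# Added example (not part of the original thread): read the effective domain
# account policy directly from the domain NC head. Assumes the script runs
# on a domain-joined host that can bind to LDAP://RootDSE.

function ConvertFrom-LargeInteger {
    param([Parameter(Mandatory)] $LargeInteger)
    # maxPwdAge, minPwdAge and lockoutDuration are stored as IADsLargeInteger
    # COM objects holding a (negative) count of 100-ns intervals.
    $high = $LargeInteger.GetType().InvokeMember('HighPart', 'GetProperty', $null, $LargeInteger, $null)
    $low  = $LargeInteger.GetType().InvokeMember('LowPart',  'GetProperty', $null, $LargeInteger, $null)
    return ([int64]$high * 4294967296) + ([int64]$low -band 0xFFFFFFFF)
}

function Get-EffectiveDomainPasswordPolicy {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

    $ticksPerDay = 864000000000   # 86400 s * 10^7 (100-ns ticks)
    $maxAgeTicks = ConvertFrom-LargeInteger $domain.maxPwdAge.Value
    $minAgeTicks = ConvertFrom-LargeInteger $domain.minPwdAge.Value
    $pwdProps    = [int]$domain.pwdProperties.Value   # bit 0x1 = DOMAIN_PASSWORD_COMPLEX

    # maxPwdAge of Int64.MinValue means "password never expires".
    $maxAgeDays = if ($maxAgeTicks -eq [int64]::MinValue) { 'Never' } else { (-$maxAgeTicks) / $ticksPerDay }

    [pscustomobject]@{
        Domain                 = $domain.distinguishedName.Value
        MinimumPasswordLength  = [int]$domain.minPwdLength.Value
        PasswordHistoryLength  = [int]$domain.pwdHistoryLength.Value
        MaximumPasswordAgeDays = $maxAgeDays
        MinimumPasswordAgeDays = (-$minAgeTicks) / $ticksPerDay
        ComplexityRequired     = [bool]($pwdProps -band 1)
    }
}

# Usage: compare this output with the values configured in the Default Domain
# Policy; if they differ, the GPO you edited is not the one being enforced.
Get-EffectiveDomainPasswordPolicy | Format-List
```

Run it before and after changing a setting in the DDSP and in the DDCSP: only edits that change these attributes are the ones domain users are actually subject to, which is the quickest way to reproduce (or rule out) the behaviour described in the first post without relying on client-side trial and error.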
 