Password complexity CANT be disabled

I have also posted this in the security section as I can't be sure where this
problem is occurring!!

I have a slightly quirky problem. I have a pure Windows 2000 Domain with 2
domain controllers running Active Directory. Neither of the servers show any
problems with AD replication, Group policy replication, Browser, DNS,
Netlogon, Sysvol etc etc.... Nothing in any of the event logs apart from the
standard "Ignore this issue, it's not a problem" type errors e.g. event 10006
DCOM got error "Class not registered" from the computer XXXX when attempting
to activate the server: {D99E6E73-FC88-11D0-B498-00A0C90312F3} OR event 36871
A fatal error occurred while creating an SSL server credential.

DNS is happy; NTFRS is happy etc etc.... Basically no problems show up.

The problem I have occurring is that all of a sudden the servers are
requiring complex passwords e.g. if you change a password or create a new
user account etc.

I have used GPOTOOL to check that group policy replication is happy, which
it is. I have looked at the default domain policy as well as the default
domain controller policy and re-tried enabling and disabling all bits of the
Password Policy section, in all variations (plus used secedit to apply the
settings). The Domain policy is blocked from inheriting the default domain
policy as it should be.

However, if you look at the local security policy > password policy on
either domain controller, it is always listed as NOT DEFINED.

I have also attempted setting the local security policy, and that still has
no effect.

Basically, all sections of the group policy will make a change to the local
security policy, BUT it is not possible to set any of the settings in the
Password Policy section. This applies to any changes you make in the Group
Policy(s) at any level and also to the local security policy. FYI... there
are only the 2 policies on the server! If you change any other section of a
policy (domain, local, domain cont), it will replicate between the servers
and it will apply that section of the policy to any area except the Password
Policy, which won't change!

I have re-applied the service pack, as a safety measure and this is on a
live domain that has been working fine for 2 years now.... so how the change
has come about, I am uncertain!

This problem has only come to light as I had to create a new user, which I
couldn't do without a complex password being set. However, as I cannot find
out what is really going on with the password policy, I can't tell how long it
will now be before 300+ users are going to be asked to change their password,
and you can imagine the chaos that will happen :-(

As I have now spent 15 hours trying to resolve this, with all possible
scenarios of applying a password policy (either disabling, enabling, not
defining... Domain policy, Domain Controller policy, Local Security policy
etc. etc.), has anyone any thoughts on this, as I am completely baffled as to
where to look next and unfortunately, my customer isn't going to accept that
"I thought their network needed its security beefing up, so I turned on
password complexity" (sadly, as that would be a great easy option).

Another possibility would be if anyone knows exactly where to flick the
switch to disable this... Is it in that DLL file in system 32 that controls
password complexity.... or an encrypted registry key...or as unlikely as it
may be, Active directory through ADSI edit???

Any thoughts and suggestions would be more than welcome on this one!!

Thanks

Will Smith
 
First make sure that block inheritance is NOT enabled on the domain
controllers container as that will prevent new password policy at the domain
level from being implemented. Then set it to disabled in Domain Security
Policy. Note that if you have more than one GPO in the domain container that
the one at the top of the list will take priority and if you do have more
than one I would set them ALL to disabled for password complexity. Make sure
that the default domain GPO is linked to the domain container. It also may
help to create a new GPO for the domain container, put it at the top of the
list and configure it for disabled for password complexity. Having said all
that, in my opinion it is not a bad thing to have it enabled, but that is
your call. I would also run first the support tool netdiag and then dcdiag
on your domain controllers looking for any pertinent problems, particularly
related to DNS or secure channel. If you have an XP Pro computer on the
domain, install the Group Policy Management Console on it, log on as a domain
admin, and use it to try and track down what is going on, as it will make the
job a WHOLE lot easier. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx - - GPMC
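The checks Steve lists (block inheritance on the Domain Controllers container, link order at the domain root, the Default Domain Policy link, and what the DC's local security database actually holds) can be scripted; the block below is an added example, not code from the thread. It assumes a domain-admin PowerShell session on a DC with the RSAT GroupPolicy and ActiveDirectory modules, i.e. Windows Server 2008 R2 or later, since none of these cmdlets existed on the Windows 2000 domain in the thread.

```powershell
# Added audit script (not from the thread). Assumes RSAT GroupPolicy and
# ActiveDirectory modules and a domain-admin session on a domain controller.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcOU     = "OU=Domain Controllers,$domainDN"

# 1. Block Inheritance on the Domain Controllers OU stops a domain-level
#    password policy from ever reaching the DCs, which is Steve's first check.
$dcInh = Get-GPInheritance -Target $dcOU
"Block Inheritance on Domain Controllers OU: $($dcInh.GpoInheritanceBlocked)"

# 2. Link order at the domain root: the link with Order 1 wins on a conflict,
#    so list every GPO linked there and confirm the Default Domain Policy is one.
$rootInh = Get-GPInheritance -Target $domainDN
$rootInh.GpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

if (-not ($rootInh.GpoLinks.DisplayName -contains 'Default Domain Policy')) {
    Write-Warning 'Default Domain Policy is not linked to the domain container.'
}

# 3. The password settings AD is actually enforcing for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Format-List ComplexityEnabled, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge

# 4. What this DC's local security database holds (the value the poster saw as
#    'Not Defined' in the MMC): export it with secedit and read the key back.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
Get-Content $inf | Where-Object { $_ -match '^PasswordComplexity' } |
    ForEach-Object { "Local security database: $_" }
Remove-Item $inf -ErrorAction SilentlyContinue
```

If step 3 reports `ComplexityEnabled : True` while the GPO you edited says disabled, look at steps 1 and 2 first, because a blocked OU or a higher-ordered GPO at the domain root overrides the edit exactly as the reply describes.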
 
I just want to add a thanks! I followed that through and it's worked
perfectly. I can't be precise as to which bit was the clincher as I didn't keep
testing the policies all the way through, but it has resolved it and I have
managed to disable the password complexity.

Cheers

Will
 