Password complexity

[Guest]

With Win2k AD, I enable the password complexity within a
GPO but the passwords are still allowing to be changed to
any format. Is there supposed to be a passfilt.dll
included with win2k? If not what am I missing?

Thank you

 

[Jody Flett]

the passfilt.dll is built in to Windows 2000 so it should be ok, are you
enabling this in the Default Domain Policy? are there any policy application
issues on the DC's?

More info on setting password complexity at

http://www.microsoft.com/technet/tr...ndowsserver2003/maintain/operate/BPACTLCK.asp

 

[Guest]

Currently we are using this in the Defaut domain policy.
There have been no other issues with policy application. I
can successfully set the passwords to expire within the
same GPO.

 

[Jody Flett]

Are there any conflicting setting in the Default Domain Controllers policy
or in another policy that applies the the DC's....?

You could try setting no override on the Default Domain Policy to ensure
that the policy is applied.... of course unless block is set lower down....

Cheers

Jody

 

[Buz [MSFT]]

Password polices are only applied at the Domain level. You cant have
seperate password polices for different OUs. You have one password policy
for your domain.


Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

 

[Jody Flett]

Hi Buz.... thanks for your input, this is very true, and also as the
original poster has pointed out this is where they are trying to set the
policy, so it should all work ..... right?

The original issue is that they are setting password complexity at the
Domain Level in the Default Domain Policy and they can still set non complex
passwords, but they can also set other policies in the same Default Domain
Policy such as password expiration which does apply.

On the face of it this shows that the DD policy is getting applied, however
there would appear to be a problem with the complexity setting.

Since you can set a password policy anywhere you like it just doesn't get
applied at a domain level, it gets applied to the machine that is recieving
the policy, and will apply to the machine's local accounts database and not
the Domain one and also, I have come across issues in the past where a
conflicting setting in the DDC policy or another policy that applies to the
Domain Controllers has led to an inconsistant Password policy in the Domain.
Setting no override maybe a quick way to enforce the settings set in the DD
Policy as a troubleshooting step.

Any other suggestions that may help with the original problem?

Thanks

Jody

 

[\Richard McCall [MSFT]\]

Use Net Accounts at a command prompt on a DC. Make sure you are getting 1704
event in the application log. Make sure any other policies that are applying
to the DC are not set to Block Inheritance