Password policy problem

Chris Coates

I have a Windows 2000 AD domain. The default domain policy said that the
minimum password length was to be 6 characters. Because of some problems
involving a new acquisition I needed to temporarily change the minimum to 5
characters. Using the GPMC I changed the policy to 5 characters.
I made that change 24 hours ago. I have refreshed the machine policy on all
DCs and I have looked in GPMC at the default domain policy and the minimum
length is showing 5 characters. I have looked at the policy from all DCs
and all looks fine. However, when you try to create a user account with a
password length of 5 characters the error still comes up that says "Windows
cannot set the password because: The password does not meet the password
policy requirements".

What am I missing?

Thanks

ccoates
 
Chriss3

How's this setting in the Domain Security Policy snap-in? You can access this
from a domain controller under Administrative Tools.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 
Steven L Umbach

Make sure that password complexity requirement is also disabled [undefined will not
work] in the domain policy since it requires passwords to be a minimum of six
characters. --- Steve
 
Jordan

At times, values shown in GPMC and GPResult might not be the actual settings
configured. On any DC, run the following and take a look at the output.txt.

secedit /export /mergedPolicy /CFG output.txt
 
Chris Coates

It was disabled

Chris
 
Chris Coates

I ran it but I think the needed information is not there. Everything in
output.txt is related to Local Policies - Security Options. None of the
information in output.txt contains anything from Account Policies - Password
Policies.

Chris
 
Jordan

What is the exact command that you have executed and did you execute it on a
DC?
Can you cut-n-paste the output that you got?

There should be a section similar to the following:

[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
 
Chris Coates

Jordan

The exact text was "secedit /export /mergedPolicy /CFG output.txt" and it
was run on a DC.
The Output was:

[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=Default Security Settings. (Windows 2000 Server)
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 2
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
CrashOnAuditFull = 0
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechan
nel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechan
nel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongk
ey=4,0
machine\system\currentcontrolset\services\netlogon\parameters\requiresignors
eal=4,0
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswor
dchange=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requi
resecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
esecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enabl
eplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresec
uritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecu
ritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforc
edlogoff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect=4,15
machine\system\currentcontrolset\control\session manager\protectionmode=4,1
machine\system\currentcontrolset\control\session manager\memory
management\clearpagefileatshutdown=4,0
machine\system\currentcontrolset\control\print\providers\lanman print
services\servers\addprinterdrivers=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0
machine\software\microsoft\windows\currentversion\policies\system\shutdownwi
thoutlogon=4,0
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
etext=1,
machine\software\microsoft\windows\currentversion\policies\system\legalnotic
ecaption=1,
machine\software\microsoft\windows\currentversion\policies\system\dontdispla
ylastusername=4,0
machine\software\microsoft\windows\currentversion\policies\system\disablecad
=4,0
machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption=1,0
machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount=1,10
machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies=1,0
machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd=1,0
machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms=1,0
machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand=4,0
machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel=4,0
machine\software\microsoft\non-driver signing\policy=3,0
machine\software\microsoft\driver signing\policy=3,1
[Privilege Rights]
seassignprimarytokenprivilege =
seauditprivilege =
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
sebatchlogonright =
*S-1-5-21-2137801972-1827825346-2013803672-512,*S-1-5-21-2137801972-18278253
46-2013803672-2196,*S-1-5-21-2137801972-1827825346-2013803672-1498
sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
secreateglobalprivilege = *S-1-5-32-544,*S-1-5-6
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege = *S-1-5-32-544
secreatetokenprivilege =
sedebugprivilege =
*S-1-5-21-2137801972-1827825346-2013803672-512,*S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright =
*S-1-5-21-2137801972-1827825346-2013803672-2196
sedenynetworklogonright =
sedenyservicelogonright =
seenabledelegationprivilege = *S-1-5-32-544
seimpersonateprivilege = *S-1-5-32-544,*S-1-5-6
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544
seinteractivelogonright =
*S-1-5-32-544,*S-1-5-21-2137801972-1827825346-2013803672-512,*S-1-5-21-21378
01972-1827825346-2013803672-500,*S-1-5-21-2137801972-1827825346-2013803672-3
675
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege =
semachineaccountprivilege =
*S-1-5-21-2137801972-1827825346-2013803672-4845,*S-1-5-21-2137801972-1827825
346-2013803672-512,*S-1-5-11
senetworklogonright = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
seprofilesingleprocessprivilege = *S-1-5-32-544
seremoteshutdownprivilege = *S-1-5-21-2137801972-1827825346-2013803672-512
serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551
sesecurityprivilege = *S-1-5-32-544
seservicelogonright =
*S-1-5-21-2137801972-1827825346-2013803672-2196,*S-1-5-21-2137801972-1827825
346-2013803672-1498,*S-1-5-32-544
seshutdownprivilege = *S-1-5-21-2137801972-1827825346-2013803672-512
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544,SYSTEM
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege = *S-1-5-21-2137801972-1827825346-2013803672-512
seundockprivilege = *S-1-5-32-544

Thanks

Chris





 
Jordan

Hi Chris,

I've spent a few hours testing this, just can't get over with it :(
I managed to reproduce a situation similar to what you are experiencing (very
weird though).
Hopefully your situation is the same as mine. To cut the story short:

1. Check if 'Block Inheritance' has been defined for your Default DOMAIN
CONTROLLER Policy.
=>If it is, uncheck the Block Inheritance flag.
2. Run gpresult on your DC. Is the Default Domain Policy applied?
=>Yes & No doesn't really matter. If it's a No, it is most probably caused by
(1). Once (1) is resolved, it should be applied.
3. Run 'net accounts' on your DC.
=>The values should be indicating your old settings (i.e. 6 characters)
=>This is the value that will be used, regardless of what shows up on the
client machines.

Next,
4. Go to your Default DOMAIN CONTROLLER Policy and define the following:
Minimum Password Length - 0 Characters
Passwords must meet complexity requirements - Disabled
Store Password using reversible encryption for all users in the domain -
Disabled
5. Force a replication
6. Run 'secedit /refreshpolicy machine_policy /enforce' on the DCs.
7. Run 'net accounts' on the DC again.
=>The value should be 5 now.
8. Run 'secedit /refreshpolicy machine_policy /enforce' on the client
machine.
9. Run 'net accounts' on the client machine.
=>It should be showing 5 as well.

Try changing the password.

Let me know if this works.

Good luck!
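
The check described in this thread (export the merged policy with secedit, then look for the [System Access] section and its password keys), as an added example that is not part of the original posts. The sample exports are constructed, the function names are hypothetical, and the six-character complexity floor is taken from Steven's reply rather than verified independently.

```python
"""Compare the password settings in a `secedit /export` file with the values
an administrator expects the DC to enforce (added example, constructed input)."""

# Assumption taken from the thread: with complexity enabled, passwords must be
# at least six characters regardless of MinimumPasswordLength.
COMPLEXITY_FLOOR = 6


def decode_export(data):
    """Exports are often UTF-16 with a byte-order mark; accept that or plain bytes."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_inf(text):
    """Parse the INF-style export into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_password_policy(text, expected):
    """Return a list of findings; an empty list means the export matches `expected`."""
    sections = {name.lower(): body for name, body in parse_inf(text).items()}
    access = sections.get("system access")
    if access is None:
        # The situation in the thread: only audit, registry and privilege
        # sections were exported, so the file says nothing about passwords.
        return ["[System Access] section missing: export carries no account policy"]

    values = {key.lower(): value for key, value in access.items()}
    findings = []
    for key, want in expected.items():
        got = values.get(key.lower())
        if got is None:
            findings.append(f"{key} not defined in export (expected {want})")
        elif not got.isdigit() or int(got) != want:
            findings.append(f"{key} = {got}, expected {want}")

    wanted_length = expected.get("MinimumPasswordLength", COMPLEXITY_FLOOR)
    if values.get("passwordcomplexity") == "1" and wanted_length < COMPLEXITY_FLOOR:
        findings.append(
            f"PasswordComplexity is enabled: passwords shorter than "
            f"{COMPLEXITY_FLOOR} characters will still be rejected"
        )
    return findings


# What the administrator believes is in force (the values shown in GPMC).
EXPECTED = {"MinimumPasswordLength": 5, "PasswordComplexity": 0}

# Constructed samples, shaped like the sections quoted in the thread.
SAMPLE_NO_ACCESS = """[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
"""

SAMPLE_STALE = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
"""

SAMPLE_COMPLEX = """[System Access]
MinimumPasswordLength = 5
PasswordComplexity = 1
"""

SAMPLE_OK = """[System Access]
MinimumPasswordLength = 5
PasswordComplexity = 0
"""

if __name__ == "__main__":
    samples = [
        ("no account policy", SAMPLE_NO_ACCESS),
        ("stale length", SAMPLE_STALE),
        ("complexity on", SAMPLE_COMPLEX),
        ("matches", SAMPLE_OK),
    ]
    for label, sample in samples:
        findings = check_password_policy(sample, EXPECTED)
        print(label, "->", findings or "OK")
```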







 
Chris Coates

Jordan

That was exactly the problem!!
I set it just as you suggested and it worked perfectly!
I should have looked at GPResult sooner, that would have helped narrow it
down.
Thank you for your help and time on this issue.

Chris



 
Jordan

Wow! So glad to hear that.
Thankfully my time wasn't wasted.

cheers!
