Password policy settings not applied to clients

[Steve Stormont]

We have a Windows 2000 Native Active Directory with 3 controllers. We
changed the Password Policy in the "Default Domain Policy" to the following
settings:

Enforce password history = 10
MAx password age = 180
Min password age = 0
Min password length = 7
Passwords must meet complexity requirements = Enabled

However when a user changes their password, the criteria above are not
used. We tried to set a logon banner about the new password requirements
and that setting replicated to the desktops and are displayed when the user
presses Ctrl + Alt +Del.

I logged into each server and they all have the settings in the default
domain policy, so that replicated fine. I ran dcdiag and all tests passed
for all servers. GPOTool also lists all six policies as being OK, with a
mystery 7th policy that does not appear in the policy list and was last
modified in 2004 (can't figure out how to delete it, see my other post)

We made these changes this morning and they still haven't taken. We've
tried powering off various PCs, running secedit /refreshpolicy
machine_policy and user_policy but that didn't help.

What can we do?

Steve

 

[Denis Wong @ Hong Kong]

Hi Steve,

Pls check Block Policy Inheritance first.

Changes Are Not Applied When You Change the Password Policy
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236

br,
Denis

 

[Lisa Stormont]

That option was not checked anywhere. I was finally able to get the new
password settings out by doing one of the following (but I'm not sure which)

1) On one of the domain controllers, I ran :

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

I don't think that was what fixed it as the policy settings had
propagated to all of the other Domain Controllers, they just weren't getting
to the clients. Not sure why the above command would have fixed it.

2) Installed Group Policy Management Console on a Windows XP computer. I
drilled down to domains -> omni.imsweb.com -> Group Policy Objects and I see
7 objects, one of them is "Default Domain Controllers Policy". When I click
on that a message comes up saying "The system cannot find the file
specified.". I then right-clicked on "Default Domain Controllers Policy"
and chose the disabled option.

At some point after doing one of those things, the password policy made it
to the client. Of course, I didn't wait a large amount of time between
"fixes", so I don't know which one actually fixed the problem.

I have since "Enabled" the missing "Default Domain Controllers Policy" and
after doing so, removed a logon banner which I had set and that change made
it out to the clients with no problem.

Steve

 

[Denis Wong @ Hong Kong]

Hi Steve,

1) This just refreshes the machine policy on your DC. That's nothing to do
with your clients.

2) Yes, you have missing DDCP. On your other post, I suggested you to reset
your missing policy. This is probably the problem point.

br,
Denis