Password policy


Cheryl Mutschler

Windows 2000 Server
I'm not very familiar with Group Policies so please bear with me.
I've created a policy that forces a password change every 30 days, with a
minimum length and history for an OU (right now I'm the only user in the
OU). I would also like for this policy to force the first password change at
the next logon. Given the policy, with no other changes, I won't have to
change my password until 30 days from today, correct? If I have the policy
in place and also enable "User must change password at next logon", then I
will be forced to change my password. After testing, I did have to change my
password but the policy did not take effect - the length and history didn't
take. Should the policy take effect or not until the 30 days? The goal is
to have the policy take effect and force password change at next logon.
Thank you,
Cheryl
 
Hi Cheryl

You can't set password policy on an OU. Only at the domain level is this
allowed so that the entire domain is subject to the same settings.

A good reference is:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
That's interesting because it's working. It seems as though I didn't give
the policy enough time to replicate. I tried using the same password when I
was prompted to
change it and a message popped up containing the exact password requirements
that are in the Group Policy that I created at the OU level. But, I am still
having a problem and maybe it's because of what you mentioned; Citrix users
logging in through NFuse are getting a credentials error with no option to
change their password. This same error does not occur if the user logs in
through Remote Desktop to the MetaFrame server. This question may be best
for Citrix.

Another question for you/the newsgroup, since this 'shouldn't work' at the
OU level, what would you suggest? Doing the same thing, force the user to
change the password at next logon by enabling "User must change..." but move
the policy to the domain level? Is there a way to force a password change
without enabling "User must change.." and/or do you think it should be
done differently?

Thank you,
C


 
Hi Cheryl

I think I'd just move the policy settings to the domain level and let things
run their course. When the user's current password (which complies with
your policy) becomes 30 days old, they'll be prompted to change it.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
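
How the two mechanisms discussed in this thread interact (a domain-wide maximum password age versus "User must change password at next logon"), as an added example that is not part of the original posts. It assumes the `pwdLastSet` and `userAccountControl` values of each account and the domain's `maxPwdAge` have already been exported from Active Directory; the account names, dates and values below are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000              # userAccountControl: password never expires
NEVER = -(2 ** 63)                        # maxPwdAge value meaning "no maximum age"
MAX_AGE_30_DAYS = -30 * 86400 * 10 ** 7   # 30 days, stored as negative 100 ns ticks


def dt_to_filetime(dt):
    """Convert an aware datetime to a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_status(pwd_last_set, max_pwd_age, uac, now):
    """Return (state, expiry) for one account under the domain's maxPwdAge."""
    if uac & DONT_EXPIRE_PASSWD:
        return ("never_expires", None)
    if pwd_last_set == 0:
        # "User must change password at next logon" is stored as pwdLastSet = 0.
        return ("must_change_at_next_logon", None)
    if max_pwd_age in (0, NEVER):
        return ("never_expires", None)
    expiry = filetime_to_dt(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    return ("expired" if now >= expiry else "valid", expiry)


# Constructed sample data: (name, pwdLastSet, userAccountControl).
UTC = timezone.utc
NOW = datetime(2004, 6, 1, tzinfo=UTC)
ACCOUNTS = [
    ("alice", dt_to_filetime(datetime(2004, 5, 15, tzinfo=UTC)), 0x200),
    ("bob", dt_to_filetime(datetime(2004, 4, 20, tzinfo=UTC)), 0x200),
    ("carol", 0, 0x200),  # flagged to change at next logon
    ("svc-backup", dt_to_filetime(datetime(2003, 1, 1, tzinfo=UTC)), 0x10200),
]


def report(accounts, max_pwd_age, now):
    """Map each account name to its password state."""
    return {n: password_status(p, max_pwd_age, u, now)[0] for n, p, u in accounts}


if __name__ == "__main__":
    for name, state in report(ACCOUNTS, MAX_AGE_30_DAYS, NOW).items():
        print(f"{name:12} {state}")
```
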

 