User password group policy

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Okay, we are running Server 2003 with about 100 users. Fresh install with no
customization except the following. We disabled the Default Domain Policy
and broke it up into smaller policies.

One of the policies is a Password Group Policy. The only thing this is
configured for is to handel the password configuration.

The time has just rolled arouond for users to change their password for the
first time. When they are prompted to change their password, it says that it
was changed successfully. The next day when they log on it will only accept
the old password. The password change they made the previous day did not
take effect.

Also, If I do a ctl+alt+del and pick change password no matter what I put in
for the new password it will tell me that the password has already been used.
This is the first time changing passwords on the new system, so I know that
the passwords are unique.

Any idea o what is messing up the passwords?
 
dray said:
Okay, we are running Server 2003 with about 100 users. Fresh
install with no
customization except the following. We disabled the Default
Domain Policy
and broke it up into smaller policies.

One of the policies is a Password Group Policy. The only
thing this is
configured for is to handel the password configuration.

The time has just rolled arouond for users to change their
password for the
first time. When they are prompted to change their password,
it says that it
was changed successfully. The next day when they log on it
will only accept
the old password. The password change they made the previous
day did not
take effect.

Also, If I do a ctl+alt+del and pick change password no matter
what I put in
for the new password it will tell me that the password has
already been used.
This is the first time changing passwords on the new system,
so I know that
the passwords are unique.

Any idea o what is messing up the passwords?
Hi,
Click to expand...

1 Can you explain more what you did and to which containers the
smaller GPOs have been linked?
2 Can you also explain why you did this?

Cheers
#JORGE#
 
The reason why I did this is because there are some executives in the
company, otherwise known as babies, that have a hard time remembering
passwords so they are set up with different rules. I apply the policies to
only the OU's that we want them to be applied to rather than the whole domain.

More info: Only 1 domain. Also, this morning, I reenabled the default
policy and deactivated the one I made. After I did this I went in and
changed my password. It told me that it was changed successfully, but when I
logged out and back in it told me the password was incorrect. I then
successfully logged in with the old password.

If I go into AD and change the password on a user and force them to change
it when they log in it will accept the new password that they enter. If they
then do a CTL+ALT+DEL and try to change it, it will say it changed, but not
work next log in.

As on now, the default policy is running on the 1 Domain and this is still
happening.

Thanks for the reply.
 
Not gonna work!

The password policy is set at the Domain level and at the Domain level only.
Any password policy set at the OU level will affect only those computer
account objects that are directly located in that OU and then affect only
those local user accounts, not the domain user account objects! Might be
time to go back to the drawing board!

To help those executives that have a hard time remembering the password you
might want to coach them on using password phrases. Use something like
'SeeSp0tRun!' for 'See Spot Run!'. They simply have to remember that they
need to capitalize the first letter of each word in the phrase and to use
the number '0' instead of the letter 'O' and to add some sort of special
character at the end - or at the front! I used to work in Beverly Hills in
the Entertainment Industry and I understand your pain....they do not like
this stuff and fight it tooth and nail. This sort of thing makes it easier.

You might also want to get the hot fix from Microsoft that gives you a more
descriptive error message ( assuming that you have enable password
complexity ). The generic error message is not very helpful. After
installing the hotfix the user is given an error message that spells out
exactly what he or she needs to include in the 'pass phrase' so that Windows
will accept it.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Back
Top