Win2003 password policy problem

Travis

Hello,
I have just set up a new Win2003 server and configured
Active Directory etc. I am having a problem with the
password policy. I can't create users or change the admin
password to anything except the original default domain
policy's settings. (must have 3 different character types
and be longer than 6, etc etc.) I have gone into the
domain policy and tried to disable the password policy
but it doesn't seem to help. I have tried every possible
configuration that I can think of and it still requires a
complex password. I even tried disabling the domain
policy altogether and it didn't make any difference. Is
there some other issue that is causing the password
policy to remain in effect regardless of what I set it
to? Please advise.
Travis
 
Is Block Policy Inheritance checked on the Domain Controllers OU? When
changes to a domain account password are made they are made on a Domain
Controller. Since Password settings must be consistent Domain wide these
settings must be configured at the domain. In order for these domain
settings to be effective they must also be applied to the Domain
controllers. When a Domain password is changed the DC will adhere to the
last applied domain policy and any password settings therein. If Block
Policy is checked on the Domain Controllers OU and No Override is not set on
the Domain Policy with the desired password settings the DC's will not
receive the password settings from the domain and the desired settings will
not be effective on Domain accounts.

For password settings that are configured in the domain to apply:

1.) Uncheck Block Policy Inheritance and let domain policy apply to domain
controllers
2.) Enable No Override on the domain Policy so that it will apply to the DC's
even though Block is checked.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
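
A simplified model of the inheritance rule described in the reply above, added here as an illustration; it is not part of the original posts and not a Microsoft tool. The class and function names are hypothetical and the setting values are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    name: str
    settings: dict
    no_override: bool = False        # "No Override" set on this link

@dataclass
class Container:
    name: str
    links: list
    block_inheritance: bool = False  # "Block Policy Inheritance" on this container

def applied_links(path):
    """path runs from the domain root down to the OU holding the computer.
    Returns the GPO links that reach the computer, lowest precedence first."""
    normal, forced = [], []
    for container in path:
        if container.block_inheritance:
            normal = []              # inherited links are dropped here...
        for link in container.links:
            (forced if link.no_override else normal).append(link)
    # ...except No Override links, which also win conflicts; the one linked
    # highest in the tree is applied last.
    return normal + forced[::-1]

def dc_password_settings(path, last_applied):
    """Settings the DC enforces: what it last applied, overwritten by whatever
    arrives now. If nothing arrives, the old values stay in force."""
    result = dict(last_applied)
    for link in applied_links(path):
        result.update(link.settings)
    return result

# Constructed sample values, not taken from the thread.
OLD = {"MinimumPasswordLength": 7, "PasswordComplexity": 1}
RELAXED = {"MinimumPasswordLength": 0, "PasswordComplexity": 0}

def scenario(block, no_override):
    domain = Container("domain", [GpoLink("Domain Policy", RELAXED, no_override)])
    dcs = Container("Domain Controllers",
                    [GpoLink("DC Policy", {})], block_inheritance=block)
    return dc_password_settings([domain, dcs], OLD)

if __name__ == "__main__":
    for block, no_override in [(True, False), (False, False), (True, True)]:
        print(f"block={block} no_override={no_override} ->", scenario(block, no_override))
```

Only the first case (Block checked, No Override not set) leaves the DC on its old complexity and length values, which matches the symptom in the original question.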
 
Thanks for the tips. I did define a policy for an OU below
the default domain level and it did work. I should have
just done that to begin with instead of trying to change
the default domain policy. I will leave the default alone
from now on.
 