
2003 Domain Policy problem - Password Complexity won't apply

Status
Not open for further replies.

captaincrunch00

Hi there,

I've read about 20 Google results of people trying to take off password complexity, and the way they've all done it is change it in the LOCAL security policy on the domain controller.
The issue there being that they are trying to get rid of it, and I am trying to enable it. I should be able to do what they do, just backwards...

I have it enabled on my domain policy, and the option to change it is grayed out on the local domain policy. I want it to apply. I've waited 3 days for it to filter down or whatever, but it doesn't work. I've done gpupdate /force, and that didn't help either.

Any other ideas on how to fix this thing?


Here's a screenshot so you can see it grayed out on the local, and enabled on the domain policy.
AD.PNG



Also, here is a GPresult from my workstation:
COMPUTER SETTINGS
------------------
CN=Comp1,OU=Computers,OU=Goon,OU=Goon2,DC=DOMAIN,DC=local
Last time Group Policy was applied: 5/3/2007 at 9:36:53 AM
Group Policy was applied from: SERVER
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Software Update
Folder Redirection
Disable Offline Files
Default Domain Policy


And finally, an RSoP screenshot showing that the policy is enabled and trickled down to my workstation just fine. Why can I still make my password the word "passwords" with no complexity and have it work? :(
ad2.PNG
 
I did a test with me in my own OU, blocked inheritance, created a new GPO that is just a password complexity test, linked it to the OU, and made sure it was the only one being applied to my computer. Nothing works.



ad3.PNG



This picture shows the password complex test GPO that I made. It shows that it is working on my laptop supposedly, but it's not really working.

There were no other changes to the GPO than the password stuff you saw above.

This was the only policy applied to my computer as shown in this GPresult stuff. I had a nice pretty picture showing it was the only thing applied, but I lost it, so here's some text.

COMPUTER SETTINGS
------------------
CN=PCDEPT2,OU=Test,OU=Yep,DC=XXX,DC=local
Last time Group Policy was applied: 5/3/2007 at 2:01:46 PM
Group Policy was applied from:
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Password Complex Test



Who else thinks Microsoft will still charge me $250 if I call them and prove that their software isn't working?
 
The screenshots are all correct and make sense.

1. You do not change password policies on the domain controller's local policy. It must be done at domain level.

2. You should enable password policy at the domain level, preferably using the default domain policy. If you are using your own policy at domain level, make sure that it is set to no overwrite and that it is set to apply last. (Don't ask me why, there are technical reasons behind it.)

3. The reason that your option in local security settings is greyed out is because it is being overwritten by domain policy. (Again, by design.)

4. If you set a password policy on an OU, you will see that it applies to computer accounts, hence your RSOP result screenshot. That's correct.
However, the actual password change is being done by the domain controller and not the client machine itself, so run RSOP on your domain controller to see if it matches your settings. Also, make sure that you do not have blocked inheritance on your domain controllers OU.

I hope this helps.
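
Added example, not part of the thread: a second way to do the check from point 4, reading the password settings the domain controller itself has in effect from a `secedit /export` file instead of from RSoP. The function names, the file path and the sample export are assumptions made for this illustration, and the export step assumes secedit can read the DC's local security database.

```powershell
# Added example (not from the thread). On the domain controller, elevated, first run:
#   secedit /export /cfg C:\Temp\dc-secpol.inf /areas SECURITYPOLICY
# C:\Temp\dc-secpol.inf is a placeholder path chosen for this example.

# Return the key/value pairs of the [System Access] section of the export.
function Get-SystemAccessSettings {
    param([string[]]$InfLines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {              # section header such as [System Access]
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $t -match '^([^=;]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Show the password settings and return $true only if complexity is on (value 1).
function Test-DcPasswordPolicy {
    param([string[]]$InfLines)
    $s = Get-SystemAccessSettings -InfLines $InfLines
    if (-not $s.ContainsKey('PasswordComplexity')) {
        Write-Warning 'No PasswordComplexity value in [System Access]; check that the export succeeded.'
        return $false
    }
    foreach ($k in 'PasswordComplexity', 'MinimumPasswordLength', 'PasswordHistorySize') {
        Write-Host ('{0,-22} = {1}' -f $k, $s[$k])
    }
    return ($s['PasswordComplexity'] -eq '1')
}

# Constructed sample of an export in which the DC does NOT enforce complexity.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
'@ -split "`r?`n"

Test-DcPasswordPolicy -InfLines $sample
# Against a real export: Test-DcPasswordPolicy -InfLines (Get-Content C:\Temp\dc-secpol.inf)
```

If the export taken on the domain controller shows `PasswordComplexity = 0` while RSoP on a workstation shows the setting as enabled, the policy is reaching the workstation but not the machine that actually validates password changes.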
 
That does help.

Now I found out I have a corrupt secedit.sdb database (C:\windows\security\database folder) and I can't create a new database because I keep getting "Access denied" errors.

Microsoft's KB says I can "safely ignore" the Access denied message, but if I ignore it I don't have any secedit file.

Ideas?
 