Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Default Domain Policy BIG PROBLEM

Status
Not open for further replies.

Moscerino

Technical User
Nov 7, 2001
30
RU
I have got a problem with my domain controllers (Active
Directory). I set up a Domain Security Policy and set the
Password Policy to Minimum Length 8, Meet complexity
reqs, History 30 etc.
When I now try to create the users without passwords it
obviously tells me go away.


The error message is

Windows cannot properly create this user object.The most
likely cause is that the current domain or group policy
requires a password. To return to the wizard and enter a
password click Back

I have disabled the policy and even removed it from my
Organizational Unit but still when I try to create a
password it tells me the same thing. When I meet the
requirements it creates the password.

I've imported also the security template basicdc.inf, from security settings context menu, I can see NOT DEFINED in all the password policies, but I cannot create users with blank passwords!!!

I need to disable this policy so that I can set up any
password even a blank password.

PLEASE HELP ME!!

Thanks a lot

Mosce


 
Just a guess here, but try setting up and enabling a policy enforcing no-minimum-length passwords etc, effectively forcing a lack of policy?
-Steve
 
excuse me, what do you mean...??

I'm not so expert..

 
Steve, thank you very much

following your suggestion I've resolved my problem.. I've set no minimum leght pwd and now I can set users with blank passwd...
but is strange...

TODAY I'VE LEARNT THE FIRST ACTIVE DIRECTORY RULE:

NEVER TOUCH DEFAULT DOMAIN POLICY
FORGET IT.
 
Glad to help. I knew that policies in NT4 were a nightmare because if you set them and removed them, they wouldn't "spring back", the registry mods would stay unless acted upon by a different policy. I had thought that AD/Win2k policies had fixed that - remove the policy, and it returns to default - but clearly I'm going to have to read over some documentation if my suggestion worked.
-Steve
 
Yes, policies aimed at Computer accounts "tattoo" machine registries and can only be reversed by affecting a different value for the policy, disabling the policy, or manual registry intervetion. The problem (as you've discovered) is that many of these computer based policies don't have a "disable" option, rather you can only define them or leave them alone.....
 
So the place to be is the security mmc, correct? I've never really worked with policies, but I'm going to need to start working with exact same issue. Currently we give users passwords, but boss wants to use complexity and give the users the ability to set there passwords themselves so we're out of the password business. Thanks. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
[americanflag]

"The time for action is now. It's never too late to do something."
Antoine de Saint-Exupery (1900-1944); French aviator and writer.

 
Glen, I suggest you to plan before doing any change to the default domain policy, it's a risk.

But I know you are expert enough also without my advices...

Bye, Mosce
 
Experts are only experts in certain things. When it comes to this, I'm a novice and not afraid to admit it. I'll take all the help I can get. Thanks.


[hammer] Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
[americanflag]

"How many things, too, are looked upon as quite impossible until they have been actually effected?."
Pliny the Elder, Caius Plinius Secundus(c.23-79 A.D.); Roman writer.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top