Default Domain Policy BIG PROBLEM

[Moscerino]

I have got a problem with my domain controllers (Active
Directory). I set up a Domain Security Policy and set the
Password Policy to Minimum Length 8, Meet complexity
reqs, History 30 etc.
When I now try to create the users without passwords it
obviously tells me go away.


The error message is

Windows cannot properly create this user object.The most
likely cause is that the current domain or group policy
requires a password. To return to the wizard and enter a
password click Back

I have disabled the policy and even removed it from my
Organizational Unit but still when I try to create a
password it tells me the same thing. When I meet the
requirements it creates the password.

I've imported also the security template basicdc.inf, from security settings context menu, I can see NOT DEFINED in all the password policies, but I cannot create users with blank passwords!!!

I need to disable this policy so that I can set up any
password even a blank password.

PLEASE HELP ME!!

Thanks a lot

Mosce

 

[SteveTheGeek]

Just a guess here, but try setting up and enabling a policy enforcing no-minimum-length passwords etc, effectively forcing a lack of policy?
-Steve

 

[Moscerino]

excuse me, what do you mean...??

I'm not so expert..

 

[Moscerino]

Steve, thank you very much

following your suggestion I've resolved my problem.. I've set no minimum leght pwd and now I can set users with blank passwd...
but is strange...

TODAY I'VE LEARNT THE FIRST ACTIVE DIRECTORY RULE:

NEVER TOUCH DEFAULT DOMAIN POLICY
FORGET IT.

 

[SteveTheGeek]

Glad to help. I knew that policies in NT4 were a nightmare because if you set them and removed them, they wouldn't "spring back", the registry mods would stay unless acted upon by a different policy. I had thought that AD/Win2k policies had fixed that - remove the policy, and it returns to default - but clearly I'm going to have to read over some documentation if my suggestion worked.
-Steve

 

[brontosaurus]

Yes, policies aimed at Computer accounts "tattoo" machine registries and can only be reversed by affecting a different value for the policy, disabling the policy, or manual registry intervetion. The problem (as you've discovered) is that many of these computer based policies don't have a "disable" option, rather you can only define them or leave them alone.....

 

[GlenJohnson]

So the place to be is the security mmc, correct? I've never really worked with policies, but I'm going to need to start working with exact same issue. Currently we give users passwords, but boss wants to use complexity and give the users the ability to set there passwords themselves so we're out of the password business. Thanks. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"The time for action is now. It's never too late to do something."
Antoine de Saint-Exupery (1900-1944); French aviator and writer.

 

[Moscerino]

Glen, I suggest you to plan before doing any change to the default domain policy, it's a risk.

But I know you are expert enough also without my advices...

Bye, Mosce

 

[GlenJohnson]

Experts are only experts in certain things. When it comes to this, I'm a novice and not afraid to admit it. I'll take all the help I can get. Thanks.


Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"How many things, too, are looked upon as quite impossible until they have been actually effected?."
Pliny the Elder, Caius Plinius Secundus(c.23-79 A.D.); Roman writer.