domain password policy not working!!!!

Status
Not open for further replies.

nath01

Technical User
Apr 13, 2004
74
GB
I have created a password policy on my 2k3 domain; this is set up in the default domain security policy (I can also see the same settings in the GP).

It is set to 8 letters, strong passwords and remembers the last 5 passwords.

However, any user can use any password as long as it is 5 letters or more (even “hello” works!!!)

This is very strange. Not sure what's causing this; I have read all the Microsoft documentation and the setup looks fine.

Thanks for any help.
 
nath01,

The Windows 2003 default Domain password policy has strong password requirements. By default, passwords:
  • Must contain at least 6 characters
  • Must not contain "Administrator" or "Admin"
  • Must contain characters from three of the following categories:
      • Uppercase letters (A, B, C, and so on)
      • Lowercase letters (a, b, c, and so on)
      • Numbers (0, 1, 2, and so on)
      • Non-alphanumeric characters (#, &, ~, and so on)

If you've made changes to the password policy at the domain level that haven't been replicated to the client machines, log onto a client machine and run:

gpupdate /force

This should apply the changes to the client machine.

Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 
The policy was set up weeks ago and has been applied to every machine. Using gpresult, it shows it has been updated.

This is a very strange issue. Everything's there in place, but it just doesn't work!!!!
 
I had a similar problem with a GPO....it turned out that I had a corrupt default domain policy. When I resolved this problem the GPO started to work.

It took some time to establish the problem because I believed the policy was not applying for a number of reasons apart from the correct one. As other policies worked fine, including new ones, I thought the GPO itself was at fault.

I picked up the problem using GPMC.........Hope this is of some use
 
How did you pick this up via GPMC? I have had a look and can't see any diagnostic settings.

Cheers.
 
When I viewed all the policies, I selected the Default Domain Policy and the GPMC reported the corruption in the right hand pane.

If memory serves me correctly the corruption was reported in the standard User and Computers MMC at the root of the domain.
 
I guess you need to reset the default domain policy; some adm or template files might be corrupted.

-----
Directory Services/Exchange Consultant
 
Have reset the policy back to standard. Still no joy.

I'm not sure what else to try!
 
How did you reset the default domain policy?

-----
Directory Services/Exchange Consultant
 
dcgpofix from command line (on DC with domain admin rights)
 
OK, that's the correct tool I can think of.
Did your users log on with cache mode? By not logging on with DC authenticated, they can't get new policies.

-----
Directory Services/Exchange Consultant
 
Try to create a new GPO at the root of the domain with the settings you want. Enable it and disable the non-working policy to see if your problem goes away.

Drink deep from the pool of knowledge.
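
One way to check what the domain itself enforces, rather than what gpresult reports on a client, is to read the password policy from a domain controller and compare it with the intended values from the first post (8 characters, complexity on, history of 5). This is an added example, not part of the original thread; it assumes a management host with the ActiveDirectory PowerShell module (RSAT), and the function name Compare-PasswordPolicy is hypothetical.

```powershell
# Added example: compare the password policy the domain enforces with the
# settings the original poster intended. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Intended settings, taken from the first post in the thread.
$expected = [ordered]@{
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
    PasswordHistoryCount = 5
}

# Hypothetical helper: one result row per setting, with a match flag.
function Compare-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Effective,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $actual = $Effective.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }
}

# Query one named DC so the answer does not depend on which DC responds.
$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
                                            -Server $domain.PDCEmulator

$report = Compare-PasswordPolicy -Effective $policy -Expected $expected
$report | Format-Table -AutoSize

if ($report.Match -contains $false) {
    Write-Warning "Effective domain password policy differs from the intended settings."
}
```

A mismatch here while gpresult shows the GPO as applied points at the policy object or its link at the domain root, which is where the replies above were looking.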
 