How to remove the effect of a policy from w2k Domain Controller

[DrWill]

Hi;
I’m running Win2k server and win2k pro for workstations. Last week I accidentally imported a policy on the domain Controler and an hour later I realized that I couldn’t change any passwords or add new user. The error message is:

Window scan not complete the password change because:
The password does not meet the password policy requirements. Check the minimum password length, Password complexity, and password history requirements.

I checked all that, changed the requirements to 0 on Password Policy; I removed the policy and put new one that I edited on the local server, Domain and Domain controller and the problem still there. Clearly there is some thing that I’m missing.

How can I remove the effect of the policy from the DC?
I appreciate all the help I can get.

 

[ErikButler]

password policy is usually set in the Default Domain policy. I would check there first and also

what was the policy that you imported that might help to establish where the problem lies Thanks
Erik Butler
2000 MCSE
erikbutler@centurytel.net

 

[DrWill]

I checked Default Domain policy and it's set to:
Enforce Password History = 0
Maximum Password Age = 42
Minimum Password Age = 0
Minimum Password Length = 0
Complexity Requirements Disable
Reverse encryption Disable

The original policy when the problem started was SECUREWS.INF

Thanks Erik

 

[ErikButler]

you can reimport basicws.inf and it will give you the default settings and lower security standards back Thanks
Erik Butler
2000 MCSE
erikbutler@centurytel.net

 

[DrWill]

I tried that with no success, do you think I need to reboot the server for the new setting to take effect?

 

[ErikButler]

It would not hurt to Thanks
Erik Butler
2000 MCSE
erikbutler@centurytel.net

 

[DrWill]

Hi Erik;

I tried that and it didn't work, so I removed all policies and in cmd I checked the NTE ACCOUNTS and the length was set to 8, I changed that to 0 and it work, the only problem now is the Complexity of the password, I don't know how to remove or change it.

Any suggestions?

Thanks

 

[mrfarid]

I am having this same exact problem, wondering if you ever came up with a fix for it

thanks

 

[markdmac]

SOunds like you have this stuck in another policy by some chance. You should be able to override this by first settign the Complexity Requirement to Disabled. Then set the policy to No Override. That way another policy can't change the setting back.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[markdmac]

By the way, why are you applying the SecureWS template which is the workstation template?

You should be applying the secureDC to your server.



I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[bradx]

I have the same type of problem. I just found out that one our Account Operators applied a security template called "DC security." I found this out because all of my users were complaining that they could not log into our Citrix Servers. I traced it back to this template. Does anyone know how I can reverse the effects of the "DC security" template?

 

[markdmac]

You can't back out changes from the application of a template, but you can wipe the secedit database and apply a new template.

This is accomplished via MMC Security Configuration and Analysis.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[DrWill]

Hi All. You know, I tried every tip on the web and it didn’t seem to have any effect on the policy, also had a problem with Trust Relation Ship so I decided to upgrade my servers to Win2003 and no problems ever since. So I think it’s a glitch with win2k.