New Password Policy Doesn't Work!! 1

[NewNetworkAdmin]

Hi,

I recently applied a new password policy on our PDC - Windows 2000 SP4.

We have many different operating systems on our clients, from Windows 98 to NT 4 workstation, NT 4 Server, Windows 2000 and XP.

Part of the new policy is that users must keep their password for at least three days before they can change it again.

The problem is that I tried to change the password from an NT workstation and an NT server (a client one, not a domain controller). Both allowed me to change it. This should be disallowed by the policy.

It is possible that I have applied the policy incorrectly. I did have issues with it reverting back to the old policy. To combat this I changed the 'Default Domain Policy'. Is this the correct way of doing it? How can I make the workstations adhere to the new policy? Isn't it automatic?

Any help greatly appreciated.

 

[NewNetworkAdmin]

Sorry, forgot to say that we are using AD. All the AD servers have updated the changes in their settings (both local and domain)

 

[mrmoneymatters]

Try logging on to a w2k workstation and resetting your password. Then do the same on an nt4 box and let me know. We need to narrow it down, is it a problem affecting everyone or just old boxes.

 

[NewNetworkAdmin]

I tried changing my password on a w2k workstation. It allowed me to change my password. I then tried again on the w2k workstation and it didn't allow me to change it (the NT boxes let me change it as many times as I want).

I then went back to the NT Server machine and tried to change my password from there. It wouldn't let me change it.

It seems as though the NT boxes aren't updating AD. When this policy was initially implemented (Monday 13 Sept) I was prompted (like everyone else) to change my password because I had set every user's account to require a password change at next log on. I changed my password on the NT server PC. If NT is not updating AD, that would explain why I was able to change my password once on w2k.

But NT must be reading from AD, otherwise it would have let me change it again after using the w2k PC.

Do you have any suggestions as to how I can get the NT boxes to update AD?

Thanks for your help

 

[NewNetworkAdmin]

I've just noticed that the servers aren't all keeping the new settings. The one which is the domain controller shows the correct settings in 'Domain Security'.

There are two other servers with AD installed. When I look at the Domain Security setting from either of them, the settings have reverted to the old policy!! They were correct.

Has anyone got any ideas as to what's going on?

Thanks in advance

 

[AndyCLee]

I'm having the same problem.

I set our password policy on one server...look at the domain security policy from another and it's not the same!!

Did you work out what causes this NewNetworkAdmin?

 

[NewNetworkAdmin]

Not yet...will post here when I do...

 

[ITPangaeaArchitect]

you most likely have a replication error

check two workstations, one working and one non working (preferrably win2k or above)

run set in the command line and look for the logonserver value on both. see if they are different (they will be most likely)

most likely you have a replication issue if i read this right

 

[NewNetworkAdmin]

Thanks ADgod for your post. I have done what you suggested and run set. I looked at the logonserver value and, as you rightly predicted, the logon servers are different.

How do I ensure that replication is set up properly? As you can tell by my tag, I'm new to this. A simple explanation would be greatly appreciated

If you need any further information about our setup, then let me know.

Thanks

 

[NewNetworkAdmin]

ok, I solved it at last!!

I recently updated the servers with Windows 2000 Service Pack 4. When SP4 is applied, one of the 'fixes' is to the NTFRS - File Replication Service - "Windows 2000 domain controllers and servers use FRS to replicate system policies and login scripts"

The fix increases the size of the USN Journal - also known as the change-notification log (part of NTFRS) from 128MB to 512 MB. It just so happens that the servers have been partitioned in such a way that there wasn't 512 MB free on ANY of the system drives. Therefore when FRS starts it tries to increase the size of the USN Journal, it can't, so fails with even log errors.

To solve this I had to move the Journal to another drive. See this link...

http://support.microsoft.com/default.aspx?kbid=291823

I changed the frsRootPath as well as the frsStagingPath indicated in the document.

I hope this helps someone else...

 

[NewNetworkAdmin]

P.S....Thanks ADgod for pointing me in the right direction....have a star!!

 

[ITPangaeaArchitect]

that'll do it to ya

FRS in SP3 had some problems where the machines would go into JRNL_WRAP quite often because of the staging file being 128MB only

SP4 raised it to 512MB to help with this and did alleviate *SOME* of the JRNL_WRAP issues

there are also FRS fixes on top of SP4 that you may want to look in to

can't remember the articles off the top of my head....but they are out there...its a hotfix so you will need to call MS for it, but its a free call

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there