Password Policy

[Bhavin78]

I just installed windows 2003 server (AD). I am trying to create a user with blank password. It gives me error, password does not meet complexity requirement. I chekced the default domain policy/security/password policy. password policy is not enabled. so, why do I get the error for blank password.

 

[mlichstein]

Try disabling the password complexity setting, rather than leaving it at not defined.

 

[Bhavin78]

It's already disabled, still its not accepting blank password. I tried all possible option, but still something is wrong.

 

[t4z]

Hey Bhavin,

Did you manage to resolve this issue as I am having the exact same problem. I have disbled the setting on the default domain policy. And on the GPO I have specified for my own OU, I have checked blocked inheritance just in case, and disabled the password settings again. Still no LUCK!!! Any help would be great.

Cheers
T

 

[serhino320]

It seems to me that by disabling the password complexity and/or minimum password length in the Default Domain Policy, that should do it. I went into Active Directory Users and Computers and changed the GP settings from there. I also tried changing the Default Domain Controller Policy. It did not work. When I closed down Active Directory Users and Computers and looked at the individual security policies via the GPO consoles in Administartive Tools all changes were definitley verified. It was not until I went into the Active Directory Sites and Services and added the existing Default Domain Policy (that had the disabled settings) to the Default-First-Site-Name Group Policy that I was able to add users with "simple" password requirements. Why I needed to add the GP at this level is not clear to me. All I know is I can now add users through Active Directory Users and Computers. Can anyone shed some insight on how the Password Policy structure works and why I need to have the Policy sitting at the Site level? Thanks

 

[Bhavin78]

edit local computer group policy. type gpedit.msc in run command. and you will that there is a policy defined for password. make the necessary changes. this will take care of your problem

 

[Wishdiak]

Can anyone shed some insight on how the Password Policy structure works and why I need to have the Policy setting at the Site level?

Actually, the password policy needs to be set at the domain level, or so Microsoft keeps saying. There can be only one such policy for all sites within the domain. If different password requirements are needed for different sites, they want you to set up child domains.

Wishdiak
A+, Network+, MCSA 2003 certified

http://www.wishdiak.com

 

[serhino320]

It looks like the Site level Policy is tied to the Local Group Policy. I had the Local GP set to enabled for password complexity. I went into the GP for the Default-First-Site-Name and changed the policy setting to disabled. After a minute or so the Local GP setting was changed to disabled. If I now try and change the policy setting in Local GP I cannot. The setting is greyed out. Looks like Site level has priority if there is a GPO set there.

 

[NickFerrar]

The order of application of GPO's is: Local then Site then Domain then OU, so whereas Site will override Local (if there's a conflict in the GPOs) it shouldn't override Domain. Not sure of the reason for changing default domain policy not working though.

 

[Wishdiak]

NickFerrar,

Sure, that works for GPO's. Password policy is a domain policy, and while it can be linked to a site or OU, there can be only one password policy per domain.

Microsoft insists that if multiple password policies are required in an enterprise, then child domains should be created so that multiple password policies can be applied at the domain level.


Wishdiak
A+, Network+, MCSA 2003 certified

http://www.wishdiak.com