Question: Domain Password policy did not apply on workstation

Hi All,

I have made some changes to the Default Domain Policy. I have changed the password policy for the min password from 5 to 24 and password complexity from disable to enable. When I try to change the password at the workstation, it prompts me with the old min password length of 5 and I can change the password without the complexity. When I check the local policy, it shows that the effective settings were the min password 24 and password complexity enable. I also did the gpresult and it shows me that the Default Domain Policy was applied.

Pri DC - Win2k Server
Sec DC - Win2k Server
Workstations - Win2k Pro

Your expert comments are greatly needed.

Answer: Domain Password policy did not apply on workstation

Sorry, but I see the need to summarize the facts that I already stated, and some more for clarity:

1. There can only be one password policy per domain.
2. The (domain) password policy has to be linked to the domain root.
3. The password policy has to be applied to the domain controllers.
4. The password policy does not require a reboot of the domain controllers.
5. The default interval between re-applying the GPOs to a DC is five minutes, so even without gpupdate, a changed password policy will be in effect at the latest after this time.
6. The client on which the password is changed is of *absolutely* *no* *importance*. Reboot, gpresult or gpupdate of a client has *no* *effect* *whatsoever* on whether the domain password is accepted or not.
7. Password policies applied to domain members (that you see when running gpresult on a client) only apply to *local* *accounts* on those domain members, *not* to domain accounts.

So make sure that the points 1-3 are covered. If you've changed the Default Domain Policy, and the password policy is still not applied, it can only be that

* the default domain policy has been deactivated or is not linked to the domain root
* inheritance of the default domain policy is blocked for the domain controllers OU, or the application of the default domain policy is prevented by security settings in the GPO
* another GPO with a higher priority is linked to the domain root and has password policies defined
* the application of GPOs to the domain controllers is prevented by general problems

So to troubleshoot, again my suggestion from above: create a new GPO named Password Policy or whatever, linked directly to the domain root (NOT the DC OU!), make sure it has the highest priority of the GPOs linked to the domain root, and configure the password policy there. If you're impatient, run gpupdate on the *domain* *controllers* (again: don't bother with the client), then try the password change again.
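
The checklist in the answer above can be scripted. This is an added example, not part of the original thread; it assumes a later Windows Server release with the ActiveDirectory and GroupPolicy PowerShell modules (neither exists on the Windows 2000 systems in the question), and the setting-name match against the GPO XML report is a heuristic.

```powershell
# Added example: run on a DC or admin host with the RSAT AD and GPMC modules.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$root   = $domain.DistinguishedName
$dcOu   = $domain.DomainControllersContainer

# The values the domain actually enforces for domain accounts.
$effective = Get-ADDefaultDomainPasswordPolicy
"Effective: MinPasswordLength=$($effective.MinPasswordLength) " +
    "ComplexityEnabled=$($effective.ComplexityEnabled)"

# Heuristic (assumption): names of password settings as they appear in the XML report.
$pattern = 'MinimumPasswordLength|PasswordComplexity|PasswordHistorySize|MaximumPasswordAge'

# GPOs linked directly to the domain root; the lowest Order has the highest precedence.
$rootLinks = (Get-GPInheritance -Target $root).GpoLinks | Sort-Object Order
$rows = foreach ($link in $rootLinks) {
    $gpo    = Get-GPO -Guid $link.GpoId
    $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    # Security filtering: trustees that hold the "Apply group policy" permission.
    $appliers = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    [pscustomobject]@{
        Order             = $link.Order
        Gpo               = $link.DisplayName
        LinkEnabled       = $link.Enabled
        Enforced          = $link.Enforced
        GpoStatus         = $gpo.GpoStatus   # e.g. AllSettingsDisabled
        HasPasswordPolicy = [bool]($report -match $pattern)
        AppliesTo         = $appliers -join ', '
    }
}
$rows | Format-Table -AutoSize

# More than one root-linked GPO defining password settings: precedence decides.
$defining = @($rows | Where-Object { $_.HasPasswordPolicy -and $_.LinkEnabled })
if ($defining.Count -eq 0) { Write-Warning 'No enabled root-linked GPO defines a password policy.' }
if ($defining.Count -gt 1) { Write-Warning "Several GPOs define it: $($defining.Gpo -join '; ')" }

# Inheritance blocked on the Domain Controllers OU is one of the listed causes.
if ((Get-GPInheritance -Target $dcOu).GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked on $dcOu"
}
```

If the effective values differ from what the highest-precedence root-linked GPO defines, work through the flags in the table (disabled link, disabled GPO, missing apply permission) before looking at the client at all.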