Discussion:
Minimum Password length GPO setting won't take effect
Rob
2006-09-12 15:33:01 UTC
I have a Windows 2003 AD and I am trying to force a minimum of 8 character
passwords at the next password change via a GPO named Security. Security is
linked to the domain and it is #1 in the link order. I am using an XP client
as my test system. I can see via Group Policy Results that this GPO and the
8 character limit are being applied to this PC but the user is still able to
change the password to something less than 8 characters. Any ideas on what I
missed?

Thanks.
Harj
2006-09-12 16:25:17 UTC
Hi,

Do you have this configured within your default domain policy?
Are there any other password settings within any other domain level
based GPOs?
Also, check the default domain controllers policy to see if there are
any settings there.
Have we verified replication to all DCs?

Good luck

Harj Singh
Password Policy done right
www.specopssoft.com
Rob
2006-09-12 18:15:02 UTC
The tough part with this issue is that the setting shows that it is getting
applied. As I said, I see that via the Group Policy Results tool. It just
doesn't seem to be taking effect.

I do not have password settings configured in the Default Domain Policy.
I do not have any other domain level GPOs with password policy settings that
might be overriding this.
There are no password policy settings defined in the Default Domain
Controller Policy.
I don't think it is a replication issue because according to Group Policy
Results, the correct settings from the correct GPO are being applied. I did
look at the DC logs and I see no replication errors.
Vikram Thakur
2006-09-14 14:42:02 UTC
Rob,
If the accounts are residing in the AD then they are created/managed on the
Domain Controllers. For this reason the Policy setting you make should be
applied to the Domain Controller. Make the settings at the Domain level (in
the Default Domain Policy or a new one at this level) and see if that fixes
the problem.

If the accounts are on stand-alone computers then make the changes in their
local policy.

- Vikram
Rob
2006-09-14 15:31:01 UTC
Ah ha! That may explain this. I have a Block Inheritance filter in place on
my Domain Controllers OU. Would you recommend I link my existing password
policy to the Domain Controllers OU to get around the block? I have the block
in place because I have other policies that I don't want applied to my DCs.

Thanks.
Vikram Thakur
2006-09-14 15:40:03 UTC
That is definitely one option. It will work just fine.
It would be recommended (by me) to create an exclusive GPO for this
container so that any changes you make to the pre-existing Password Policy
(for situations in the future) will not propagate unintentionally to the DCs.

Cheers
- V
Rob
2006-09-14 16:03:02 UTC
That sounds like a good recommendation.
I am a little unclear then on what settings need to be in the GPO that is
linked to my DC OU, and what settings need to be in the GPO linked to the
root of my domain? Do these GPOs need to have the same Account Policies
settings? If not, which settings go in which GPO? I am asking because I
would like to enable more settings like Password history, password age,
lockout duration, etc.

Thanks again!

-Rob
Vikram Thakur
2006-09-14 20:21:02 UTC
Make all settings related to Accounts in the DC policy. In your setup where
you have the Domain Controllers OU Blocking Inheritance there is no purpose
of password settings in other policies. They can be there without any usage.
All the settings you mention in your posting are relevant to DCs only as that
is where the accounts are.

- V
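
A check for the situation discussed in this thread, added here as an example and not posted by any participant: it reads the password policy the domain actually enforces and reports whether the GPO linked at the domain root reaches the Domain Controllers OU. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT), which are newer than the Windows 2003 / XP tooling used in the thread; the GPO name `Security` and the length 8 are taken from the original post.

```powershell
# Added example. Requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

$requiredLength = 8           # minimum length from the original post
$gpoName        = 'Security'  # GPO name from the original post
$domain         = Get-ADDomain

# What is enforced on a password change: the values stored on the domain
# object itself, not what Group Policy Results shows on a workstation.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# GPO links on the domain root, and the inheritance state of the DC OU.
$root = Get-GPInheritance -Target $domain.DistinguishedName
$dcOu = Get-GPInheritance -Target $domain.DomainControllersContainer

# The link for the named GPO at the domain root, if there is one.
$rootLink = $root.GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName } |
    Select-Object -First 1

# InheritedGpoLinks lists the GPOs that apply to the OU after Block
# Inheritance and Enforced links have been taken into account.
$reachesDcs = @($dcOu.InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }).Count -gt 0

[pscustomobject]@{
    EffectiveMinPasswordLength  = $effective.MinPasswordLength
    MeetsRequiredLength         = $effective.MinPasswordLength -ge $requiredLength
    GpoLinkedAtDomainRoot       = [bool]$rootLink
    RootLinkEnabled             = [bool]($rootLink -and $rootLink.Enabled)
    RootLinkEnforced            = [bool]($rootLink -and $rootLink.Enforced)
    DcOuBlocksInheritance       = $dcOu.GpoInheritanceBlocked
    GpoReachesDomainControllers = $reachesDcs
} | Format-List
```

An `EffectiveMinPasswordLength` below 8 together with `DcOuBlocksInheritance` set to `True` and `GpoReachesDomainControllers` set to `False` matches the symptom reported here: the setting shows as applied on the client but short passwords are still accepted.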