Group Policy

Archived from groups: microsoft.public.win2000.active_directory

I have been trying to set up the Password Policy for a few days now, but I
just can’t get it to work. I’ll just explain what I’m doing and maybe someone
can give me some pointers.

When I right-click on our Domain in AD Users and Computers, click Properties
and then select the Group Policy tab, I only have Default Domain Policy.

First of all, should I be able to change settings in this Policy, like when
I edit it and go into Computer Configuration, Windows Settings, Security
Settings? Should I find the Account Policies – Password Policy in there, or is
the Default Domain Policy not for these types of things? I also cannot
expand the Administrative Templates. I am thinking that because this is a Default
Policy, I am not able to change it. Or could it be that I do not have the
permissions to change it?

Secondly, in the Group Policy tab, I click New and create a new Policy
called Password Policy. I edit it and go to Computer Configuration, Windows
Settings, Security Settings, Account Policies and in Password Policy I change
all the settings to what I want. When I go to a test user created in the Users
OU, I set the account to change password at next logon. However, when I log
in as this user, I can change the password to 123 or anything else. I also
try to change the password for a user I created in an OU I created manually,
but still no policy enforcement.

This whole thing is driving me crazy. If anyone could just help me and tell
me where to set this Password Policy, and in what way.

Any help would be much appreciated.

Thanks
  1. You should be able to modify the Default Domain Policy...
    And you should be able to find the things described in that policy
    (security, admin templates etc.)

    I have read about a tool, Dcgpofix.exe, that restores the Default Domain Policy
    back to its original state; maybe that could help you. I have never
    personally tested it, so better try it in your test environment before
    applying it to your "real" domain.

    And about your password policy, have you looked at the "Security" tab? There
    should be "Read" and "Apply Group Policy" rights for the group
    "Authenticated Users".

    Hope this helps.
    J.M.N


  3. The recreateDefPol.exe file worked perfectly. Just extracted it to a folder on
    the DC and ran the file. Had to log out and back in for it to take effect and
    it fixed everything. Did not have a test domain but now you can know it works OK.
    Thanks for the help.

  4. You were in the right place; it's in the "Default Domain Policy" > "Computer
    Configuration" > "Windows Settings" > "Security Settings" > "Account
    Policies" > "Password Policies"
    You should be able to change it if you are using the administrator account.

    You can change the password settings in the "Default Domain Policy" or even
    create a new GPO; however, note that if you create a new one, it must be
    linked to the domain (not to OUs or any other type of container), and it
    must be at the top of the list of the GPOs linked to the domain (there are
    special cases but it's better that way).

    Another thing is that you must refresh the computer policy on all clients
    for the policy to take effect. You can either restart all machines in the
    domain, wait for about 90 mins, or run
    "Secedit /refreshpolicy machine_policy /enforce" from Windows 2000 machines and
    "gpupdate /target:computer /force" from Windows XP and Windows 2003 servers.

    --
    Yours truly,
    Mohammed A. Raslan
    Systems Engineer / Consultant
    MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
    Mobile: +20 (12) 36 26 112 / +965 978 1969
    E-Mail: m_raslan@link.net.removethis
  5. Hey Mohammed

    Thanks for the feedback.

    I logged on to the DC as the Domain Administrator and when I go to AD Users
    And Computers, Domain Properties, Group Policy, Default Domain Policy,
    Computer Configuration, Windows Settings, Security Settings, I only have
    Public Key Policies and IP Security Policies on AD. There are no Account
    Policies, Local Policies etc.

    You said, if I create a new GPO I should link it to the Domain. How do I do
    this? I thought if it is created in the same place as the Default Domain
    Policy it should go out to the whole Domain.

    I also did wait for more than 90 minutes but nothing happened.

    If I go to the Default Domain Policy Properties, under Security I have my
    name with Full Control. Under Links, if I click Find Now, it only shows my
    Domain.

  6. I guess you have corrupted Default Domain Policy files. What is your
    domain, Windows 2000 or Windows 2003, and how many DCs do you have?

    I suggest that you first create a system state backup (just in case), then
    delete your Default Domain Policy. When you try to delete it you will be
    asked to remove the link or delete it entirely; it's better to only
    remove the link at this point. Then, if there are no other GPOs on the
    domain, create a new one but name it anything other than "Default Domain
    Policy", for example "My Default Policy", and set the password options you
    want in it.

    After that, try to run from the domain controller itself the command
    "secedit /refreshpolicy machine_policy /enforce" if it's a Windows 2000 DC, or
    "gpupdate /force" if it's a Windows 2003 DC. If you have multiple DCs then
    first wait for about 10 mins, then issue that command on them all. If you can
    restart the DC, it would be better and you will not need to run these commands.

    After that, open AD Users & Computers and create a test account and try
    playing with its password length and reset it to wrong and right values and
    see if it is working.

    I'm sorry about the 90 min thing, it was related to something else; it's how
    long client computers refresh their policy from the domain. It's not related to
    your problem; yours is with the domain controller, not the clients.

    When you open the domain properties and click on the New button to create a
    GPO, you usually create and link a GPO to the domain at the same time;
    however, in some situations you can or might want to create a GPO without
    linking it to the domain, so it's there but with no effect.

    Try it and tell me. Hope this will work.
    Yours truly,
    Mohammed A. Raslan
    Systems Engineer / Consultant
    MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
    Mobile: +20 (12) 36 26 112 / +965 978 1969
    E-Mail: m_raslan@link.net.removethis
  7. It turned out my Default Domain Policy was corrupt. I used recreateDefPol.exe
    (Windows 2000 Server only, same as dcgpofix.exe) to repair it and now it
    works fine. Thanks for all the help, I really appreciate it.

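The symptom in this thread (a Default Domain Policy whose Security Settings node shows no Account Policies, and a password of 123 being accepted) can be checked from the GPO's security template, GptTmpl.inf, which keeps the password settings in its [System Access] section. The Python below is an added example, not code from the thread or from Microsoft; the sample templates and the 8-character minimum are constructed assumptions.

```python
"""Audit the password settings in a GPO security template (GptTmpl.inf)."""

# Password-policy keys stored in the [System Access] section of GptTmpl.inf.
PASSWORD_KEYS = ("MinimumPasswordLength", "PasswordComplexity",
                 "PasswordHistorySize", "MaximumPasswordAge", "MinimumPasswordAge")


def decode_inf(raw: bytes) -> str:
    """GptTmpl.inf is normally UTF-16 with a BOM; fall back to an 8-bit read."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_inf(text: str) -> dict:
    """Return {section: {key: value}} with section and key names lowercased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def audit_password_policy(raw: bytes, min_length: int = 8) -> list:
    """List the problems found; an empty list means the template looks sane.

    min_length is an assumed site baseline, not a value from the thread.
    """
    access = parse_inf(decode_inf(raw)).get("system access")
    if access is None:
        # Matches the thread's symptom: the GPO carries no account policy at all.
        return ["no [System Access] section: this GPO sets no account policy"]
    findings, values = [], {}
    for key in PASSWORD_KEYS:
        try:
            values[key] = int(access[key.lower()])
        except KeyError:
            findings.append(f"{key} is not defined")
        except ValueError:
            findings.append(f"{key} has a non-numeric value: {access[key.lower()]!r}")
    length = values.get("MinimumPasswordLength")
    if length is not None and length < min_length:
        findings.append(f"MinimumPasswordLength {length} is below {min_length}")
    if values.get("PasswordComplexity", 1) != 1:
        findings.append("PasswordComplexity is disabled")
    return findings


# Constructed sample templates (not taken from any real domain).
_HEADER = '[Unicode]\r\nUnicode=yes\r\n[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
HEALTHY = (_HEADER + "[System Access]\r\nMinimumPasswordAge = 1\r\n"
           "MaximumPasswordAge = 42\r\nMinimumPasswordLength = 8\r\n"
           "PasswordComplexity = 1\r\nPasswordHistorySize = 24\r\n").encode("utf-16")
WEAK = (_HEADER + "[System Access]\r\nMinimumPasswordAge = 0\r\n"
        "MaximumPasswordAge = 42\r\nMinimumPasswordLength = 0\r\n"
        "PasswordComplexity = 0\r\nPasswordHistorySize = 0\r\n").encode("utf-16")
# No [System Access] at all, stored as plain ASCII to exercise the fallback.
BROKEN = (_HEADER + "[Registry Values]\r\n"
          "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1\r\n").encode("ascii")

if __name__ == "__main__":
    for name, raw in (("HEALTHY", HEALTHY), ("WEAK", WEAK), ("BROKEN", BROKEN)):
        print(name, audit_password_policy(raw) or "OK")
```

On a domain controller the template for a GPO sits under SYSVOL in `Policies\{GPO GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`; read that file as bytes and pass it to `audit_password_policy`.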