Password policy reset to the old setting, why?

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi all!
We have a W2000 single domain with 260 DCs and 13000 users. Currently we have
a password policy (set at Domain Security Policy):

Enforce Password History=1 password remembered
Maximum password age=999 days
Minimum password age=0 days
Minimum password length=5 characters
Password must meet complexity requirements=disabled
Store password using reversible encryption for all users in the
domain=disabled

We want to change 2 things, as the customer wishes:

Minimum password length=6 characters
Password must meet complexity requirements=enabled

OK, we do it, and after a random time (about 1 minute to 10 minutes or more)
the policy is again like the old one.
I see in the Security event log that the system user reset this to the old policy.
Any idea?
The policy change works well in the test environment. I can't understand why this
happens in the production environment; the 2 domains are completely the same.
Also, about 5 months ago I changed the policy:
Maximum password age
from the default 42 days to 999 days, and that was not a problem.
We have disabled Norton, Tivoli, and any other things that could be a problem,
but nothing.
We consulted Microsoft Premium Support; they have no idea there.
Any help from you?
Thanks a lot
 

Homa wrote:
> Hi all!
> We have a W2000 single domain with 260 DCs and 13000 users. Currently
> we have a password policy (set at Domain Security Policy):

I'm not a group policy expert, but I think you want to do this in your
default domain policy, don't you?
>
> Enforce Password History=1 password remembered
> Maximum password age=999 days
> Minimum password age=0 days
> Minimum password length=5 characters
> Password must meet complexity requirements=disabled
> Store password using reversible encryption for all users in the
> domain=disabled
>
> We want to change 2 things, as the customer wishes:
>
> Minimum password length=6 characters

I'd do 8.

> Password must meet complexity requirements=enabled

That's good.

Also you should force regular password changes - every 90 days at least.
>
> OK, we do it, and after a random time (about 1 minute to 10 minutes
> or more) the policy is again like the old one.
> I see in the Security event log that the system user reset this to the old
> policy. Any idea?
> The policy change works well in the test environment. I can't understand why
> this happens in the production environment; the 2 domains are completely the same.
> Also, about 5 months ago I changed the policy:
> Maximum password age
> from the default 42 days to 999 days, and that was not a problem.
> We have disabled Norton, Tivoli, and any other things that could be a
> problem, but nothing.
> We consulted Microsoft Premium Support; they have no idea there.
> Any help from you?
> Thanks a lot
 

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:Oxg46U63EHA.2156@TK2MSFTNGP10.phx.gbl...
> Homa wrote:
> > Hi all!
> > We have a W2000 single domain with 260 DCs and 13000 users. Currently
> > we have a password policy (set at Domain Security Policy):
>
> I'm not a group policy expert, but I think you want to do this in your
> default domain policy, don't you?

Password policies must be at the domain level to function,
but it is not necessary to put it in the "Default" Domain
Policy.

As a general rule it is a poor idea to modify the two Default
policies; it is preferable to create your own.

> > Enforce Password History=1 password remembered
> > Maximum password age=999 days
> > Minimum password age=0 days
> > Minimum password length=5 characters
> > Password must meet complexity requirements=disabled
> > Store password using reversible encryption for all users in the
> > domain=disabled
> >
> > We want to change 2 things, as the customer wishes:
> >
> > Minimum password length=6 characters
>
> I'd do 8.

I would do 14 (or more).

I have seen a 14 broken in under 20 seconds.

> > Password must meet complexity requirements=enabled
>
> That's good.

And the 20 seconds was against one with SEMI-complexity,
i.e., UPPER, lower case and numbers.

> Also you should force regular password changes - every 90 days at least.
> >
> > OK, we do it, and after a random time (about 1 minute to 10 minutes
> > or more) the policy is again like the old one.

One wonders if it is also in the Default or another policy
linked afterwards, i.e., HIGHER on the original user
interface from Win2000.

> > I see in the Security event log that the system user reset this to the old
> > policy. Any idea?
> > The policy change works well in the test environment. I can't understand why
> > this happens in the production environment; the 2 domains are completely the same.
> > Also, about 5 months ago I changed the policy:
> > Maximum password age
> > from the default 42 days to 999 days, and that was not a problem.
> > We have disabled Norton, Tivoli, and any other things that could be a
> > problem, but nothing.
> > We consulted Microsoft Premium Support; they have no idea there.
> > Any help from you?
> > Thanks a lot

Likely multiple policies at the domain level -- which is
fine -- but the one with the correct setting is not applied
last.

--
Herb Martin
 

Hi Herb Martin!
Thanks for the reply.
We want to find the reason why the default domain policy resets to the old
setting.
I suggested to Microsoft Premium Support one week ago that we could create our
own policy with the desired settings and give it a higher priority, so the problem
should be solved, but as this is a mystery for Microsoft, they want to experiment
with our environment to find the reason (they call us to collect this log,
that log and so on), but they couldn't find the reason for this mystery until now.
So I think next week they will tell us that to solve the problem we should
create another policy with.... and sell us this as their own solution.
You are right, the old policy is not better than the one we want, it is poor
as well, but so wishes the customer.


Homa,

The password policy settings are stored in the gpttmpl.inf file in SYSVOL under
the policy GUID.
The only thing I can think of is antivirus or backup causing file updates,
which FRS treats as last writer wins.
You modify the policy on the PDC (gpttmpl.inf), and as that update is
replicating around, antivirus or backup on some DC causes an update to the
same file (original content) as it scans it. FRS then pushes this update
around as the authoritative update.

Are you sure you disabled AV and backups in SYSVOL on ALL 260 DCs?


--
Glenn L
CCNA, MCSE 2000/2003 + Security

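The comparison Glenn describes, as an added example written for this thread rather than code from any poster: it reads each DC's SYSVOL copy of one GPO's GptTmpl.inf, parses the [System Access] values the thread is about, and flags every DC whose copy disagrees with the PDC's, together with the file's last write time, so a DC that keeps re-introducing the stale copy stands out as "recent write, does not match". It assumes the ActiveDirectory PowerShell module is available and defaults to the well-known Default Domain Policy GUID; pass the GUID of whatever GPO you are tracking.

```powershell
# Added example, not from the thread. Run from a machine with the
# ActiveDirectory module; -GpoGuid defaults to the Default Domain Policy.
param(
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
)

Import-Module ActiveDirectory
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
# Path of the security template inside every DC's SYSVOL share.
$rel = "SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# [System Access] keys that carry the password policy.
$keys = 'MinimumPasswordLength', 'PasswordComplexity', 'MaximumPasswordAge',
        'MinimumPasswordAge', 'PasswordHistorySize', 'ClearTextPassword'

function Read-SystemAccess([string]$Path) {
    # GptTmpl.inf is UTF-16 INI text; keep only the [System Access] section.
    $section = $null
    $result  = @{}
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and
            $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# The PDC's copy is the reference: that is where the edit was made.
$reference = Read-SystemAccess "\\$pdc\$rel"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $path = "\\$($dc.HostName)\$rel"
    try {
        $file   = Get-Item -Path $path -ErrorAction Stop
        $values = Read-SystemAccess $path
        $diff   = @($keys | Where-Object { $values[$_] -ne $reference[$_] })
        [pscustomobject]@{
            DC            = $dc.HostName
            LastWriteTime = $file.LastWriteTimeUtc
            MinLength     = $values['MinimumPasswordLength']
            Complexity    = $values['PasswordComplexity']
            MatchesPDC    = ($diff.Count -eq 0)
            Differs       = ($diff -join ',')
        }
    } catch {
        # Unreachable DC or missing file: still worth listing, since a DC
        # you cannot read is also one whose SYSVOL state you cannot vouch for.
        [pscustomobject]@{
            DC = $dc.HostName; LastWriteTime = $null; MinLength = $null
            Complexity = $null; MatchesPDC = $false
            Differs = "unreadable: $($_.Exception.Message)"
        }
    }
}

# Newest write first: a stale copy that keeps winning shows a recent
# LastWriteTime with MatchesPDC = False.
$report | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it a few minutes after making the change and again after the revert appears; the DC whose copy flipped first is where to look for the process touching SYSVOL.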
 

Hi Glenn!
Thanks for the reply.
Yes, we did disable AV (Symantec Corp.) and we do not have any
backup software on our systems (too expensive for the customer),
but the old settings came back again.


Ensure that two Group Policy settings are not disabled for the Default Domain
Policy and also the Local Policy on each Domain Controller. You can review
and/or modify these settings locally by running gpedit.msc from the Run box
on the Start menu.

Computer Configuration\Administrative Templates\Group Policy\Turn Off
Background Refresh of Group Policy - Ensure that this setting is not set to
"Disabled"

Computer Configuration\Administrative Templates\Group Policy\Group Policy
refresh Interval for Domain Controllers - Ensure that this setting is also
not set to "Disabled"

Reboot the Domain Controller or run GPUPDATE /FORCE if you are running
Windows 2003.

Best regards,

John Powell
 

Thanks for the reply.
No, these settings are not configured.


Try disabling all other GPs at the domain level and change only the security
policies in the "Default Domain Policy".

If this is not possible, create an entirely new GP with the desired settings
and place it above all GPs. Enable "No Override / Enforce".

Hope this helps.

