GPO Password Policy Problem

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

A GPO was created to require password complexity requirements. After
applying the GPO, the policy works. However, I'm not ready to implement it;
so, I decided to disable it. With the GPO already disabled, the AD still
demand the complexity requirement. When I go to AD Users and Computers and
reset password, it always asked for the complexity requirement. Any idea?

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You can't just disable the GPO - you have to undo the policy setting.
Enable the GPO, and change the policy setting that requires password
complexity from enabled to disabled.

The next time this GPO is applied by the DCs they will change the attribute
that configures this option and the option will no longer be enforced. You
can then disable the GPO if you like, although most if it won't be applied
after it's applied originally.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"cjc" <cjc@discussions.microsoft.com> wrote in message
news:5A6DB0EE-F453-4476-A6CA-93FF17FAFC57@microsoft.com...
A GPO was created to require password complexity requirements. After
applying the GPO, the policy works. However, I'm not ready to implement it;
so, I decided to disable it. With the GPO already disabled, the AD still
demand the complexity requirement. When I go to AD Users and Computers and
reset password, it always asked for the complexity requirement. Any idea?

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

What event would cause GPO to be applied by the DCs?

"ptwilliams" wrote:

> You can't just disable the GPO - you have to undo the policy setting.
> Enable the GPO, and change the policy setting that requires password
> complexity from enabled to disabled.
>
> The next time this GPO is applied by the DCs they will change the attribute
> that configures this option and the option will no longer be enforced. You
> can then disable the GPO if you like, although most if it won't be applied
> after it's applied originally.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "cjc" <cjc@discussions.microsoft.com> wrote in message
> news:5A6DB0EE-F453-4476-A6CA-93FF17FAFC57@microsoft.com...
> A GPO was created to require password complexity requirements. After
> applying the GPO, the policy works. However, I'm not ready to implement it;
> so, I decided to disable it. With the GPO already disabled, the AD still
> demand the complexity requirement. When I go to AD Users and Computers and
> reset password, it always asked for the complexity requirement. Any idea?
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I'm getting the same result. What event would caused the DC to apply the GPO?

"ptwilliams" wrote:

> You can't just disable the GPO - you have to undo the policy setting.
> Enable the GPO, and change the policy setting that requires password
> complexity from enabled to disabled.
>
> The next time this GPO is applied by the DCs they will change the attribute
> that configures this option and the option will no longer be enforced. You
> can then disable the GPO if you like, although most if it won't be applied
> after it's applied originally.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "cjc" <cjc@discussions.microsoft.com> wrote in message
> news:5A6DB0EE-F453-4476-A6CA-93FF17FAFC57@microsoft.com...
> A GPO was created to require password complexity requirements. After
> applying the GPO, the policy works. However, I'm not ready to implement it;
> so, I decided to disable it. With the GPO already disabled, the AD still
> demand the complexity requirement. When I go to AD Users and Computers and
> reset password, it always asked for the complexity requirement. Any idea?
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"cjc" <cjc@discussions.microsoft.com> wrote in message
news:63297677-D5D9-47D2-A5F3-AF7C0F558E55@microsoft.com...
> What event would cause GPO to be applied by the DCs?

5 minute default refresh (for DCs*)
....or reboot
....or manual refresh with secedit (on Win2000)
....(or GPUpdate on Win2003/XP)


Also: *90 minute default on workstations

Such refreshes do not (typically) update software but
only perform Security and Registry settings.

> "ptwilliams" wrote:
>
> > You can't just disable the GPO - you have to undo the policy setting.
> > Enable the GPO, and change the policy setting that requires password
> > complexity from enabled to disabled.
> >
> > The next time this GPO is applied by the DCs they will change the
attribute
> > that configures this option and the option will no longer be enforced.
You
> > can then disable the GPO if you like, although most if it won't be
applied
> > after it's applied originally.



--
Herb Martin


> >
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net/
> > http://forums.msresource.net/
> >
> > "cjc" <cjc@discussions.microsoft.com> wrote in message
> > news:5A6DB0EE-F453-4476-A6CA-93FF17FAFC57@microsoft.com...
> > A GPO was created to require password complexity requirements. After
> > applying the GPO, the policy works. However, I'm not ready to implement
it;
> > so, I decided to disable it. With the GPO already disabled, the AD
still
> > demand the complexity requirement. When I go to AD Users and Computers
and
> > reset password, it always asked for the complexity requirement. Any
idea?
> >
> >
> >

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

The catch with these kinds of security policies is that they leave a
fingerprint on the whole domain. You can't just take them out of scope and
expect them to go away. You need to create a policy that specifically
counteracts your previous settings and apply that to your domain.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services

"cjc" <cjc@discussions.microsoft.com> wrote in message
news:7E17419C-706C-47CA-B9C5-5D6F3E00F810@microsoft.com...
> I'm getting the same result. What event would caused the DC to apply the
> GPO?
>
> "ptwilliams" wrote:
>
>> You can't just disable the GPO - you have to undo the policy setting.
>> Enable the GPO, and change the policy setting that requires password
>> complexity from enabled to disabled.
>>
>> The next time this GPO is applied by the DCs they will change the
>> attribute
>> that configures this option and the option will no longer be enforced.
>> You
>> can then disable the GPO if you like, although most if it won't be
>> applied
>> after it's applied originally.
>>
>>
>> --
>>
>> Paul Williams
>>
>> http://www.msresource.net/
>> http://forums.msresource.net/
>>
>> "cjc" <cjc@discussions.microsoft.com> wrote in message
>> news:5A6DB0EE-F453-4476-A6CA-93FF17FAFC57@microsoft.com...
>> A GPO was created to require password complexity requirements. After
>> applying the GPO, the policy works. However, I'm not ready to implement
>> it;
>> so, I decided to disable it. With the GPO already disabled, the AD still
>> demand the complexity requirement. When I go to AD Users and Computers
>> and
>> reset password, it always asked for the complexity requirement. Any
>> idea?
>>
>>
>>