User password group policy

Anonymous
June 21, 2005 2:58:08 PM

Archived from groups: microsoft.public.win2000.active_directory

Okay, we are running Server 2003 with about 100 users. Fresh install with no
customization except the following. We disabled the Default Domain Policy
and broke it up into smaller policies.

One of the policies is a Password Group Policy. The only thing this is
configured for is to handle the password configuration.

The time has just rolled around for users to change their password for the
first time. When they are prompted to change their password, it says that it
was changed successfully. The next day when they log on it will only accept
the old password. The password change they made the previous day did not
take effect.

Also, if I do a ctl+alt+del and pick change password no matter what I put in
for the new password it will tell me that the password has already been used.
This is the first time changing passwords on the new system, so I know that
the passwords are unique.

Any idea of what is messing up the passwords?


Anonymous
June 22, 2005 4:36:00 PM


"dray" wrote:
> Okay, we are running Server 2003 with about 100 users. Fresh install with no
> customization except the following. We disabled the Default Domain Policy
> and broke it up into smaller policies.
>
> One of the policies is a Password Group Policy. The only thing this is
> configured for is to handle the password configuration.
>
> The time has just rolled around for users to change their password for the
> first time. When they are prompted to change their password, it says that it
> was changed successfully. The next day when they log on it will only accept
> the old password. The password change they made the previous day did not
> take effect.
>
> Also, if I do a ctl+alt+del and pick change password no matter what I put in
> for the new password it will tell me that the password has already been used.
> This is the first time changing passwords on the new system, so I know that
> the passwords are unique.
>
> Any idea of what is messing up the passwords?

Hi,

>>customization except the following. We disabled the Default Domain
>>Policy and broke it up into smaller policies.

1 Can you explain more what you did and to which containers the
smaller GPOs have been linked?
2 Can you also explain why you did this?

Cheers
#JORGE#

Anonymous
June 22, 2005 4:36:01 PM


The reason why I did this is because there are some executives in the
company, otherwise known as babies, that have a hard time remembering
passwords so they are set up with different rules. I apply the policies to
only the OUs that we want them to be applied to rather than the whole domain.

More info: Only 1 domain. Also, this morning, I reenabled the default
policy and deactivated the one I made. After I did this I went in and
changed my password. It told me that it was changed successfully, but when I
logged out and back in it told me the password was incorrect. I then
successfully logged in with the old password.

If I go into AD and change the password on a user and force them to change
it when they log in it will accept the new password that they enter. If they
then do a CTL+ALT+DEL and try to change it, it will say it changed, but not
work next log in.

As of now, the default policy is running on the 1 Domain and this is still
happening.

Thanks for the reply.

Anonymous
June 22, 2005 5:39:42 PM


Not gonna work!

The password policy is set at the Domain level and at the Domain level only.
Any password policy set at the OU level will affect only those computer
account objects that are directly located in that OU and then affect only
those local user accounts, not the domain user account objects! Might be
time to go back to the drawing board!

To help those executives that have a hard time remembering the password you
might want to coach them on using password phrases. Use something like
'SeeSp0tRun!' for 'See Spot Run!'. They simply have to remember that they
need to capitalize the first letter of each word in the phrase and to use
the number '0' instead of the letter 'O' and to add some sort of special
character at the end - or at the front! I used to work in Beverly Hills in
the Entertainment Industry and I understand your pain....they do not like
this stuff and fight it tooth and nail. This sort of thing makes it easier.

You might also want to get the hotfix from Microsoft that gives you a more
descriptive error message (assuming that you have enabled password
complexity). The generic error message is not very helpful. After
installing the hotfix the user is given an error message that spells out
exactly what he or she needs to include in the 'pass phrase' so that Windows
will accept it.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
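
A check for the scoping rule described in the reply above, as an added example that is not part of the original thread: it reads the [System Access] section of each GPO's GptTmpl.inf security template and reports, from where the GPO is linked, whether its password settings can reach domain accounts. The GPO names, the example.local domain and the template contents are constructed sample data, and `audit` and its input layout are hypothetical.

```python
import configparser

# Password-policy keys found in the [System Access] section of GptTmpl.inf.
PASSWORD_KEYS = {"minimumpasswordage", "maximumpasswordage",
                 "minimumpasswordlength", "passwordcomplexity",
                 "passwordhistorysize", "cleartextpassword"}

def password_settings(inf_text):
    """Return the password-policy settings defined in a security template."""
    parser = configparser.ConfigParser(strict=False, allow_no_value=True,
                                       interpolation=None)
    parser.read_string(inf_text)          # option names are lower-cased
    if not parser.has_section("System Access"):
        return {}
    return {key: value.strip() for key, value in parser.items("System Access")
            if key in PASSWORD_KEYS}

def is_domain_root(dn):
    """True when the link target is the domain itself (only DC= components)."""
    return all(part.strip().upper().startswith("DC=") for part in dn.split(","))

def audit(gpos):
    """List (gpo, link target, effective scope, keys) for password GPOs."""
    findings = []
    for gpo in gpos:
        settings = password_settings(gpo["inf"])
        if not settings:
            continue                       # GPO carries no password policy
        for target in gpo["links"]:
            scope = ("domain accounts" if is_domain_root(target)
                     else "local accounts only")
            findings.append((gpo["name"], target, scope, sorted(settings)))
    return findings

def _template(system_access):
    # Constructed template text; real files live in SYSVOL, usually as UTF-16.
    return ("[Unicode]\nUnicode=yes\n" + system_access +
            "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n")

SAMPLE_GPOS = [  # constructed sample data, not taken from the thread
    {"name": "Default Domain Policy", "links": ["DC=example,DC=local"],
     "inf": _template("[System Access]\nMinimumPasswordLength = 7\n"
                      "PasswordComplexity = 1\nPasswordHistorySize = 24\n")},
    {"name": "Exec Password Policy", "links": ["OU=Executives,DC=example,DC=local"],
     "inf": _template("[System Access]\nMinimumPasswordLength = 4\n"
                      "PasswordComplexity = 0\n")},
    {"name": "Desktop Settings", "links": ["OU=Staff,DC=example,DC=local"],
     "inf": _template("")},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_GPOS):
        print(row)
```

Any row reported as "local accounts only" is a password GPO that will not change what domain users are held to, which is the situation the original poster built.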