Password policy settings not applied to clients

Archived from groups: microsoft.public.win2000.group_policy (More info?)

We have a Windows 2000 Native Active Directory with 3 controllers. We
changed the Password Policy in the "Default Domain Policy" to the following
settings:

Enforce password history = 10
Max password age = 180
Min password age = 0
Min password length = 7
Passwords must meet complexity requirements = Enabled

However, when a user changes their password, the criteria above are not
used. We tried to set a logon banner about the new password requirements,
and that setting replicated to the desktops and is displayed when the user
presses Ctrl + Alt + Del.

I logged into each server and they all have the settings in the default
domain policy, so that replicated fine. I ran dcdiag and all tests passed
for all servers. GPOTool also lists all six policies as being OK, with a
mystery 7th policy that does not appear in the policy list and was last
modified in 2004 (can't figure out how to delete it, see my other post).

We made these changes this morning and they still haven't taken. We've
tried powering off various PCs, running secedit /refreshpolicy
machine_policy and user_policy but that didn't help.

What can we do?

Steve
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi Steve,

    Pls check Block Policy Inheritance first.

    Changes Are Not Applied When You Change the Password Policy
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236

    br,
    Denis
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    That option was not checked anywhere. I was finally able to get the new
    password settings out by doing one of the following (but I'm not sure which):

    1) On one of the domain controllers, I ran:

    SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

    I don't think that was what fixed it as the policy settings had
    propagated to all of the other Domain Controllers, they just weren't getting
    to the clients. Not sure why the above command would have fixed it.

    2) Installed Group Policy Management Console on a Windows XP computer. I
    drilled down to domains -> omni.imsweb.com -> Group Policy Objects and I see
    7 objects, one of them is "Default Domain Controllers Policy". When I click
    on that a message comes up saying "The system cannot find the file
    specified.". I then right-clicked on "Default Domain Controllers Policy"
    and chose the disabled option.

    At some point after doing one of those things, the password policy made it
    to the client. Of course, I didn't wait a large amount of time between
    "fixes", so I don't know which one actually fixed the problem.

    I have since "Enabled" the missing "Default Domain Controllers Policy" and
    after doing so, removed a logon banner which I had set and that change made
    it out to the clients with no problem.

    Steve
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi Steve,

    1) This just refreshes the machine policy on your DC. That has nothing to do
    with your clients.

    2) Yes, you have a missing DDCP. On your other post, I suggested that you reset
    your missing policy. This is probably the problem point.

    br,
    Denis
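
A way to confirm which password policy a machine actually ended up with, added here as an example and not part of the original thread: the script parses the `[System Access]` section of a `secedit /export /cfg` file and reports each setting that differs from the values in the question. The sample export is constructed, the names `audit`, `decode_export`, `EXPECTED` and `SAMPLE_EXPORT` belong to this example only, and it assumes the export was taken on the machine being checked.

```python
import configparser

# The question's settings, under the key names secedit uses in [System Access].
EXPECTED = {
    "PasswordHistorySize": 10,
    "MaximumPasswordAge": 180,
    "MinimumPasswordAge": 0,
    "MinimumPasswordLength": 7,
    "PasswordComplexity": 1,  # 1 = Enabled
}

# Constructed sample: an export from a machine still holding older values.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
[Version]
signature="$CHICAGO$"
Revision=1
""".encode("utf-16")

def decode_export(raw: bytes) -> str:
    """secedit normally writes UTF-16 with a BOM; fall back to UTF-8/ASCII."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def audit(raw: bytes, expected=EXPECTED) -> dict:
    """Return {setting: (expected, found)} for each setting that differs."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep secedit's key casing
    cp.read_string(decode_export(raw))
    found = cp["System Access"] if cp.has_section("System Access") else {}
    drift = {}
    for key, want in expected.items():
        value = found.get(key)
        got = int(value) if value and value.strip().isdigit() else value
        if got != want:
            drift[key] = (want, got)
    return drift

if __name__ == "__main__":
    for key, (want, got) in audit(SAMPLE_EXPORT).items():
        print(f"{key}: expected {want}, found {got}")
```

An empty result means the export matches the intended policy; a setting reported with `None` was absent from the export.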