Password policy settings not applied to clients

Anonymous
June 20, 2005 9:08:00 PM

Archived from groups: microsoft.public.win2000.group_policy

We have a Windows 2000 Native Active Directory with 3 controllers. We
changed the Password Policy in the "Default Domain Policy" to the following
settings:

Enforce password history = 10
Max password age = 180
Min password age = 0
Min password length = 7
Passwords must meet complexity requirements = Enabled

However, when a user changes their password, the criteria above are not
used. We tried to set a logon banner about the new password requirements
and that setting replicated to the desktops and is displayed when the user
presses Ctrl + Alt + Del.

I logged into each server and they all have the settings in the default
domain policy, so that replicated fine. I ran dcdiag and all tests passed
for all servers. GPOTool also lists all six policies as being OK, with a
mystery 7th policy that does not appear in the policy list and was last
modified in 2004 (can't figure out how to delete it, see my other post)

We made these changes this morning and they still haven't taken. We've
tried powering off various PCs, running secedit /refreshpolicy
machine_policy and user_policy but that didn't help.

What can we do?

Steve

Anonymous
June 22, 2005 9:04:38 PM

Hi Steve,

Pls check Block Policy Inheritance first.

Changes Are Not Applied When You Change the Password Policy
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236

br,
Denis

"Steve Stormont" <s.stormont@verizon.net> wrote in message
news:uyMalwddFHA.3032@TK2MSFTNGP10.phx.gbl...
> We have a Windows 2000 Native Active Directory with 3 controllers. We
> changed the Password Policy in the "Default Domain Policy" to the following
> settings:
>
> Enforce password history = 10
> Max password age = 180
> Min password age = 0
> Min password length = 7
> Passwords must meet complexity requirements = Enabled
>
> However, when a user changes their password, the criteria above are not
> used. We tried to set a logon banner about the new password requirements
> and that setting replicated to the desktops and is displayed when the user
> presses Ctrl + Alt + Del.
>
> I logged into each server and they all have the settings in the default
> domain policy, so that replicated fine. I ran dcdiag and all tests passed
> for all servers. GPOTool also lists all six policies as being OK, with a
> mystery 7th policy that does not appear in the policy list and was last
> modified in 2004 (can't figure out how to delete it, see my other post)
>
> We made these changes this morning and they still haven't taken. We've
> tried powering off various PCs, running secedit /refreshpolicy
> machine_policy and user_policy but that didn't help.
>
> What can we do?
>
> Steve
Anonymous
June 22, 2005 9:04:39 PM

That option was not checked anywhere. I was finally able to get the new
password settings out by doing one of the following (but I'm not sure which):

1) On one of the domain controllers, I ran:

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

I don't think that was what fixed it as the policy settings had
propagated to all of the other Domain Controllers, they just weren't getting
to the clients. Not sure why the above command would have fixed it.

2) Installed Group Policy Management Console on a Windows XP computer. I
drilled down to domains -> omni.imsweb.com -> Group Policy Objects and I see
7 objects, one of them is "Default Domain Controllers Policy". When I click
on that a message comes up saying "The system cannot find the file
specified.". I then right-clicked on "Default Domain Controllers Policy"
and chose the disabled option.

At some point after doing one of those things, the password policy made it
to the client. Of course, I didn't wait a large amount of time between
"fixes", so I don't know which one actually fixed the problem.

I have since "Enabled" the missing "Default Domain Controllers Policy" and
after doing so, removed a logon banner which I had set and that change made
it out to the clients with no problem.

Steve

"Denis Wong @ Hong Kong" <H_O_T_A_P_P_S_@_H_O_T_M_A_I_L_._C_O_M> wrote in
message news:o Gun8mwdFHA.3012@tk2msftngp13.phx.gbl...
> Hi Steve,
>
> Pls check Block Policy Inheritance first.
>
> Changes Are Not Applied When You Change the Password Policy
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236
>
> br,
> Denis
Anonymous
June 23, 2005 3:11:16 PM

Hi Steve,

1) This just refreshes the machine policy on your DC. That has nothing to do
with your clients.

2) Yes, you have a missing DDCP. On your other post, I suggested that you reset
your missing policy. This is probably the problem point.

br,
Denis

"Lisa Stormont" <LStormont@cavtel.net> wrote in message
news:%23yOosPydFHA.2288@TK2MSFTNGP14.phx.gbl...
> That option was not checked anywhere. I was finally able to get the new
> password settings out by doing one of the following (but I'm not sure which):
>
> 1) On one of the domain controllers, I ran:
>
> SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
>
> I don't think that was what fixed it as the policy settings had
> propagated to all of the other Domain Controllers, they just weren't getting
> to the clients. Not sure why the above command would have fixed it.
>
> 2) Installed Group Policy Management Console on a Windows XP computer. I
> drilled down to domains -> omni.imsweb.com -> Group Policy Objects and I see
> 7 objects, one of them is "Default Domain Controllers Policy". When I click
> on that a message comes up saying "The system cannot find the file
> specified.". I then right-clicked on "Default Domain Controllers Policy"
> and chose the disabled option.
>
> At some point after doing one of those things, the password policy made it
> to the client. Of course, I didn't wait a large amount of time between
> "fixes", so I don't know which one actually fixed the problem.
>
> I have since "Enabled" the missing "Default Domain Controllers Policy" and
> after doing so, removed a logon banner which I had set and that change made
> it out to the clients with no problem.
>
> Steve
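Added example (not part of the original thread): a way to confirm which password policy the domain is actually enforcing, by parsing the output of `net accounts /domain` and comparing it with the settings listed in the first post. The sample output is constructed, the function names are hypothetical, and the complexity setting is left out because `net accounts` does not report it.

```python
import re

# Intended values from the original post. Complexity is not reported by
# `net accounts`, so it is not checked here.
INTENDED = {
    "Length of password history maintained": 10,
    "Maximum password age (days)": 180,
    "Minimum password age (days)": 0,
    "Minimum password length": 7,
}

# Constructed sample of `net accounts /domain` output from a domain where the
# new policy has not taken effect (values are illustrative, not from the thread).
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Non-numeric values the command prints for these settings (None = no limit).
_WORDS = {"none": 0, "unlimited": None}


def parse_net_accounts(text):
    """Return {label: int or None} for every 'label:   value' line understood."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S+)\s*$", line)
        if not m:
            continue
        label, raw = m.group(1).strip(), m.group(2).lower()
        if raw.isdigit():
            policy[label] = int(raw)
        elif raw in _WORDS:
            policy[label] = _WORDS[raw]
    return policy


def policy_drift(text, intended=INTENDED):
    """Return {label: (intended, effective)} for each setting that differs."""
    effective = parse_net_accounts(text)
    return {k: (v, effective.get(k, "missing"))
            for k, v in intended.items() if effective.get(k, "missing") != v}
```

Capture the command's output on a domain member and pass the text to `policy_drift`; an empty result means the four numeric settings match what was configured in the GPO.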