Password Policy seems to be ignored for new Domain on Windows Server 2008 R2
windows 2008 introduced the Password Settings Objects (PSO) for more granular control of the password policy. You might have case of conflicting PSO.
http://technet.microsoft.com/en-us/library/cc770848(v=ws.10).aspx
Related videos on Youtube
Earl Sven
Updated on September 18, 2022Comments
-
Earl Sven over 1 year
I have set up a new Windows Server 2008 R2 domain controller, and have attempted to configure the Default Domain Policy to permit all types of passwords. When I want to create a new user (just a normal user) in the Domain Users and Computers application, I am prevented from doing so because of password complexity/length reasons.
The password policy options configured in the Default Domain Policy are not defined in the Default Domain Controllers Policy, but having run the Group Policy Modelling Wizard these settings do not appear to be set for the Domain Controllers OU, should they not be inherited from the Default Domain policy? Additionally, if I link the Default Domain policy to the Domain Controllers OU, the Group Policy Modelling Wizard indicates the expected values for complexity etc, but I still cannot create a new user with my desired password. The domain is running at the Windows Server 2008 R2 functional level. Any thoughts?
Thanks!
Update: Here is the "Account policy/Password policy" Section from the GPM Wizard:
Policy Value Winning GPO Enforce password history 0 Passwords Remembered Default Domain Policy Maximum password age 0 days Default Domain Policy Minimum password age 0 days Default Domain Policy Minimum password length 0 characters Default Domain Policy Passwords must meet complexity Disabled Default Domain Policy
These results were taken from running the GPM Wizard at the Domain Controllers OU. I have typed them out by hand as the system I am working on is standalone, this is why the table is not exactly the wording from the Wizard. Are there any other policies that could override the above? Thanks!
-
keltor about 12 yearsPlease provide the results section relavent to passwords from the modeling wizard. Anything else would be speculation.
-
-
Earl Sven about 12 yearsThanks for your answer, I've relaxed all of the policies on passwords on the Default Domain Policy object, if I run the Group Policy Modelling Wizard on the Domain Controllers OU this indicates the policy to be as expected, however I still cannot create new users in the Users object in AD Users and Computers.
-
Earl Sven about 12 yearsThanks for your answer, the settings are as expected at both the Domain level and the Domain Controllers level. Is there a way I can view the password requirements for new users?
-
Earl Sven about 12 yearsThanks for your answer, but as I haven't been able to create new users I cannot check if there is a custom PSO for that user. I checked the administrator account (the only account I have on the domain) and there is no PSO defined, but I cannot even change the password for this account.
-
KAPes about 12 yearslooking at policy is one thing, but they are set on Domain object so you can verify them there.
-
KAPes about 12 yearslooking at policy is one thing, but they are set on Domain object so you can verify them there.
dsquery.exe * -scope base -attr minpwdage maxpwdage minpwdlength pwdHistoryLength
should list actual values for password history, min/max length etc there. Are they matching with what is configured in Default domain policy? if not do you have "block policy inheritance" enabled on "Domain Controllers" OU?