Thread: Password Policy not applying to the domain

  1. #1
    PreviousPoster

    Hello,

    We edited the default domain policy to include a password policy (e.g., minimum 8 characters required) and then enforced it.

    We then applied this default domain policy to domain users.

    Finally, we replicated our domain controllers and ensured they all had the same password policy, and they all did.

    However, when we logged in as a domain user and proceeded to change the password to just 4 characters only, it allowed the password to be changed without prompting an error message stating a minimum of eight characters required.

    We have the exact same password policy set up in our test environment and it got enforced there, but we don't know why the password policy is not being enforced in our production environment.


    Can anyone please provide us with help on how we can resolve the above issue?

  2. #2
    PreviousPoster

    Could it be that the policy you edited (maybe "Default Domain Policy") is NOT the GPO with the highest priority in the domain (the one at the top of the list)...?

    The Domain Account policies are assigned from the policy in the domain with the highest priority - not necessarily the one called "Default Domain Policy"... Could this be the issue you have?

  3. #3
    JerryC

    And it shouldn't require the Enforced setting to be mandatory for domain accounts. Also, as a domain 'root level' GPO setting, it'll also apply to local accounts on your devices (though at lower OU levels, other GPOs could override those Account Policy settings... though again... only for local accounts).

  4. #4
    gpoguy

    Also, make sure that you don't have Block Inheritance set on your Domain Controllers OU.
    Additionally, you may also want to check the value of the password policy as it appears in AD, since this is the value that is used by users authenticating to the domain. You can see this by using a tool like ADSIEdit to view the properties on the domain "NC Head" on the PDCe DC. That's the domain object dc=company,dc=com. The attribute minPwdLength stores the current password length.

  5. #5
    PreviousPoster

    We checked all that and it is still not taking. We even went as far as adding the password policy to all GPOs, but still have no success. We verified that everything else in the policies is working and ran gpresult and saw that they were getting applied.

  6. #6
    gpoguy

    So, you checked the Domain NC Head and it still shows the old length?

  7. #7
    PreviousPoster

    Where is the Domain NC Head located?

  8. #8
    gpoguy

    See my description above. It's the properties on the domain AD object that you can see using ADSIEdit.

  9. #9
    PreviousPoster

    Quote, originally posted by gpoguy: "See my description above. It's the properties on the domain AD object that you can see using ADSIEdit."
    We've viewed the values in ADSIEdit and they are 0's. Not the values we set in group policy.

    Does anyone know what the "dsCore Propagation Data" attribute does? It has an old date value from year ago.
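
The checks suggested in posts #2 and #4 (GPO link priority at the domain root, Block Inheritance on the Domain Controllers OU, and the password-policy values stored on the domain NC head), as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it can read the domain object; it only reads values and changes nothing.

```powershell
# Added diagnostic example (not from the thread). Read-only.
# Assumption: RSAT ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$attrs  = 'minPwdLength', 'pwdHistoryLength', 'pwdProperties', 'lockoutThreshold'

# 1. Values on the domain NC head (e.g. dc=company,dc=com), read from the PDC emulator.
$pdcHead = Get-ADObject -Identity $domain.DistinguishedName `
    -Server $domain.PDCEmulator -Properties $attrs
$pdcHead | Select-Object $attrs | Format-List

# 2. The same attributes read from every DC, to spot a DC that disagrees with the PDCe.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $head = Get-ADObject -Identity $domain.DistinguishedName `
            -Server $dc -Properties $attrs -ErrorAction Stop
        [pscustomobject]@{
            DC               = $dc
            minPwdLength     = $head.minPwdLength
            pwdHistoryLength = $head.pwdHistoryLength
            MatchesPDCe      = ($head.minPwdLength -eq $pdcHead.minPwdLength)
            Error            = $null
        }
    } catch {
        # An unreachable DC is reported rather than silently skipped.
        [pscustomobject]@{
            DC = $dc; minPwdLength = $null; pwdHistoryLength = $null
            MatchesPDCe = $false; Error = $_.Exception.Message
        }
    }
} | Format-Table -AutoSize

# 3. GPOs linked at the domain root, in link order (Order 1 is the top of the list).
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 4. Block Inheritance state on the Domain Controllers OU.
$dcOu = Get-GPInheritance -Target $domain.DomainControllersContainer
'Block Inheritance on {0}: {1}' -f $dcOu.Path, $dcOu.GpoInheritanceBlocked
```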
