Announcement

Collapse
No announcement yet.

creating users error

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • creating users error

    hello everyone

    I tried to create 5 users that will not use password, and i received error :
    "Windows cannot create the object xxxx because: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain."
    I did some steps before I tried to create those users in a new ou for visitors that will use up to 5 accounts in a lobby.
    (the domain gpo is quite restricted with password complexity and stuff)
    step1)I created new ou for "visitors" and inserted the 5 lobby computers in it.
    2)went to group policy > created visitors gpo > block inheritance > selected setup security.inf template for these gpo
    3)did extra restriction to enable only the access to specific internal web site
    4)gpupdate /force --- and even restarted the single DC
    5)went to ADUC and tried to create those users

    THESE IS VERY URGENT FOR ME AND I WILL APPRECIATE ANY SUGGESTION

  • #2
    Re: creating users error

    You havent told us if you are Server 2003 or 2008, but at 2003 and below, password policies are only applicable at the domain level.
    You could find the GPO with the domain password policy and explicitly deny it to the users (using the security tab), after you've created them

    As an option, why not create the users and give them a complex, but understandable password e.g. Pa55word?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: creating users error

      Originally posted by Ossian View Post
      You havent told us if you are Server 2003 or 2008, but at 2003 and below, password policies are only applicable at the domain level.
      You could find the GPO with the domain password policy and explicitly deny it to the users (using the security tab), after you've created them

      As an option, why not create the users and give them a complex, but understandable password e.g. Pa55word?
      thanks for replying

      I am using windows server 2003 domain and the clients are windows xp Professional

      I just tried to do what you told me about the domain gpo>delegation tab> advanced(open security tab) entered one user and tried to reset password with blank password and it wont let me.It still want me to put complex pass .

      I want to create these accounts as guest for people that come and go with very limited access that wont need to enter any password.
      as I see it, the domain gpo is take precedence over the visitors gpo even though the domain gpo is not enforced and the visitors gpo with block inheritance.

      and in general understanding i want to know how to allow specific users in different ou's different password policies

      thank you

      Comment


      • #4
        Re: creating users error

        Tidbit of info here. To the extent of MY knowledge the Password requirements in the Default Domain GPO can NOT be blocked under any circumstances, nor can they be overridden (along with kerberos settings and a couple of others things that are currently not in my head at the moment). Now as stated in my sig below I could be wrong and if I am I definately want to know about it, especially in this case.

        Now about solving your problem. I have no idea because we have never been able to get around that ourselves and would like to. The only way that I know of to do this is to leave those machines off of the domain and set up a local user on the machines for guest or guest user or ipswitchclams or something of the sort. If there is another solution I definately want to know too!
        Two things:
        1) If I wrote something wrong please please please let me know. I want to know ESPECIALLY if I am wrong.
        2) I have a tendency to write things that are misconstrued as being agressive or not so pleasant. That is not my intent.

        Comment


        • #5
          Re: creating users error

          It can't be done in 2003. There is one password policy per domain and it can't be overridden by any other GPO. Here's a blurb from Microsoft on the subject:

          Understanding How the Windows Operating System Stores Password Policy Configuration Information

          Before you implement password policies in your organization, you need to understand a little about how password policy configuration information is stored in Windows 2000, Windows XP, and Windows Server 2003. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.
          There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.
          Active Directory domains use Group Policy objects (GPOs) to store a wide variety of configuration information, including password policy settings. Although Active Directory is a hierarchical directory service that supports multiple levels of organizational units (OUs) and multiple GPOs, password policy settings for the domain must be defined in the root container for the domain. When the first domain controller is created for a new Active Directory domain, two GPOs are automatically created: the Default Domain Policy GPO and the Default Domain Controller Policy GPO. Default Domain Policy is linked to the root container. It contains a few critical domain-wide setting including the default password policy settings. Default Domain Controller Policy is linked to the Domain Controllers OU, and contains initial security settings for domain controllers.
          It is a best practice to avoid modifying these built-in GPOs, if you need to apply password policy settings that diverge from the default settings, you should instead create a new GPO and link it to the root container for the domain or to the Domain Controllers OU and assign it a higher priority than the built-in GPO: If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.

          Comment

          Working...
          X