Remove password complexity from test domain

  • Remove password complexity from test domain

    Hi,

    I've set up a test domain inside a vmware server so I can play around with active directory in a safe environment. Since there is nothing real on these vms, I thought I would disable password complexity requirements for convenience. For some reason I'm not having any luck at all.

    Of course, this is a dumb idea to do in a real production system, but I set up this virtual network to play around with AD, so I might as well get it to work just for the hell of it. My DC is Server Core 2008 R2 and the client is Win7.

    Here's what I did.

    I set up a new GPO called MyPolicyChanges and linked it to the default domain policy. I then made an entry in Windows Settings/Security Settings/Account Policies and set Password Must Meet Complexity Requirements to Disabled.

    On the domain controller, I ran GPUpdate and tried to make a simple password in AD Users and Computers and got an error that the password didn't meet complexity requirements.

    So I go back to Group Policy Management and open up the Group Policy Results node to see if my settings took effect. Under the Summary tab, I can see that my DC did in fact update group policy when I ran GPUpdate, but under Settings I couldn't find my changes under Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies.

    What's the next step for debugging something like this?

  • #2
    Re: Remove password complexity from test domain

    It looks like I sort of found out why this was happening. I had another domain controller which was not running at the time of the prior test. This DC was not server core but a full install of Server 2008 R2, and was the first DC I had created in this test network.

    The changes in Group Policy did propagate onto the first DC but not onto the second (Server Core) DC.

    My impression was that creating a second domain controller would guarantee 100% redundancy, and that I would be totally safe if the first DC failed. Is there more to it than that?



    • #3
      Re: Remove password complexity from test domain

      How long did you wait for replication?
      Please do show your appreciation to those who assist you by leaving Rep Point



      • #4
        Re: Remove password complexity from test domain

        Group policy objects are not refreshed immediately. On the DC you made the changes on they are almost instant, but to refresh the policy on the other computers you have to:
        a) run "gpupdate" (sometimes twice)
        b) restart the computer. During startup group policy settings are refreshed.
        c) User logon. During logon, settings are refreshed.
        d) Wait 90 minutes +- 30 minutes offset
        http://technet.microsoft.com/en-us/l...40(WS.10).aspx

        That includes any other computers, including other DCs. Of course, if you have a large domain, replication also starts to matter: if I made a change on one side of the domain and the GPO was not yet replicated to the other side, running "gpupdate" will refresh nothing.
        Personally, I find "gpresult" a very useful tool for understanding the GPOs applied to a system. GPMC lets you run the Group Policy Results Wizard; it shows both applied objects and settings.
        Last edited by venom83; 31st October 2010, 21:55. Reason: typo
        Regards,
        Leonid

        MCSE 2003, MCITP EA, VCP4.



        • #5
          Re: Remove password complexity from test domain

          It depends on which policies you are pushing down; not all of them need a forced restart.

          Actually, you can run the following commands to check what is applied and what is not.
          GPRESULT
          GPRESULT /USER targetusername /V
          GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
          GPRESULT /S system /U username /P password /SCOPE USER /V

          This gives you the output at the console prompt.

          And it's better to choose the PDC emulator role to make GP-related changes, as this server role is responsible for sending out updates.
          Thanks & Regards
          v-2nas

          MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
          Sr. Wintel Eng. (Investment Bank)
          Independent IT Consultant and Architect
          Blog: http://www.exchadtech.blogspot.com

          Show your appreciation for my help by giving reputation points



          • #6
            Re: Remove password complexity from test domain

            I figured out what I was doing wrong, which had to do with FSMO roles in Active Directory. I was under the impression that one DC could take up the slack if the main DC was out, but I didn't realize that group policy could not be applied if the PDC Emulator was down.

            I fired up the other DC and the group policy applied and everything was fine.

            I sure miss the days of NT when life was simple and all you had was a PDC and BDCs. Active Directory sure is a complex, unruly beast by comparison. But all is well that ends well, as they say, and everything seems to be under control now.



            • #7
              Re: Remove password complexity from test domain

              Good to hear that it worked.
              Thanks & Regards
              v-2nas
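A per-DC consistency check for the situation discussed in this thread, added here as an example and not posted by any participant: it compares the GPO's computer-side version in AD and in SYSVOL on every domain controller, and reads the complexity flag each DC actually enforces. It assumes the ActiveDirectory PowerShell module, read access to each DC's SYSVOL share, and the GPO name `MyPolicyChanges` from the first post.

```powershell
# Added example (not from the thread). Run from a domain-joined admin workstation or a DC.
Import-Module ActiveDirectory

$GpoName = 'MyPolicyChanges'              # GPO name taken from the first post
$domain  = Get-ADDomain
$pdc     = $domain.PDCEmulator            # FQDN of the current PDC emulator role holder
$base    = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$filter  = "(&(objectClass=groupPolicyContainer)(displayName=$GpoName))"

Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    $r  = New-Object PSObject -Property @{
        DC = $dc; IsPdcEmulator = ($dc -eq $pdc); Reachable = $false
        AdComputerVersion = $null; SysvolComputerVersion = $null; ComplexityEnabled = $null
    }
    try {
        # Ask this specific DC for its own copy of the GPO container.
        $gpo = Get-ADObject -Server $dc -SearchBase $base -LDAPFilter $filter `
                            -Properties versionNumber -ErrorAction Stop
        $r.Reachable = $true
        if ($gpo) {
            # Low 16 bits of versionNumber = computer-side revision of the GPO.
            $r.AdComputerVersion = $gpo.versionNumber -band 0xFFFF

            # GPT.INI in this DC's SYSVOL carries the same encoded version number.
            $ini = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Name)\GPT.INI"
            $m   = Select-String -Path $ini -Pattern '^Version=(\d+)' -ErrorAction Stop
            $r.SysvolComputerVersion = ([int]$m.Matches[0].Groups[1].Value) -band 0xFFFF
        }
        # Read from the domain object held by this DC: the value it enforces
        # when a password is set through it.
        $r.ComplexityEnabled =
            (Get-ADDefaultDomainPasswordPolicy -Server $dc -ErrorAction Stop).ComplexityEnabled
    } catch {
        # An offline DC (as in post #2) shows up here with Reachable = False.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
    $r
} | Select-Object DC, IsPdcEmulator, Reachable, AdComputerVersion,
                  SysvolComputerVersion, ComplexityEnabled |
    Format-Table -AutoSize
```

Differing AdComputerVersion values between DCs point to AD replication lag, a SysvolComputerVersion that trails AdComputerVersion on one DC points to SYSVOL replication lag, and a ComplexityEnabled value that differs between DCs means the domain-level setting has not yet reached every controller.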