issue with my Password policy


  • issue with my Password policy

    I implemented my password policy. No one got prompted for the password change, not on any type of login or otherwise. What setting do I have to change for the password to be affected? Also, I do not want my workstations to be affected, just the user passwords.


    Thanks to all who subscribe.

  • #2
    Re: issue with my Password policy

    And where have you placed the password policy?
    Which OS are you using?
    What have you changed in the GPO?
    When have you changed the GPO?

    With 65 posts I expect that you should know how to ask a question.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: issue with my Password policy

      Password restriction policies to affect domain user accounts have to be added to the root of the domain.

      Go to Computer Configuration, Windows Settings, Account Policies, Password Policy.

      You can set the same in another GPO at other levels but it will only affect local computer user accounts. You can only have 1 domain password policy.

      Just realised Marcel has also replied whilst writing this.



      • #4
        Re: issue with my Password policy

        Why didn't you post this question to the thread you created 5 days ago in this forum?
        http://forums.petri.com/showthread.php?t=33029

        \Rems

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts



        • #5
          Re: issue with my Password policy

          Windows 2003 R2 to Windows XP SP3

          I thought I had the settings down but something got out of whack.

          I really did not change anything

          I applied the settings at the domain level



          • #6
            Re: issue with my Password policy

            It depends what settings you have applied to your policy with regards to days they are valid for and whether they are prompted to change a certain number of days prior to it becoming compulsory.

            So the settings are in the Domain Wide GPO that is installed by default?

            Did you give the computers time to refresh the policy?

            Have you run:

            gpupdate /force from the command prompt on one of them?

            What does gpresult /v from the command prompt show on a workstation?

            Perhaps you could copy and paste it here but of course remove anything sensitive first.

            If you don't know how to copy from the command prompt, you need to click on the top left of the window and that gives you the various options.



            • #7
              Re: issue with my Password policy

              I did not use the default domain GPO; I created a custom one and did not enforce it. It is a domain-wide policy.



              C:\Documents and Settings\mlabara>gpresult /v

              Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
              Copyright (C) Microsoft Corp. 1981-2001

              Created On 2/18/2009 at 11:55:36 AM


              RSOP results for MILROSE_PDC\mlabara on MRC399 : Logging Mode
              --------------------------------------------------------------

              OS Type: Microsoft Windows XP Professional
              OS Configuration: Member Workstation
              OS Version: 5.1.2600
              Domain Name: MILROSE_PDC
              Domain Type: Windows 2000
              Site Name: Default-First-Site-Name
              Roaming Profile:
              Local Profile: C:\Documents and Settings\mlabara
              Connected over a slow link?: No


              COMPUTER SETTINGS
              ------------------
              CN=MRC399,CN=Computers,DC=milrose-ny,DC=com
              Last time Group Policy was applied: 2/18/2009 at 11:49:17 AM
              Group Policy was applied from: mrcnydc1.milrose-ny.com
              Group Policy slow link threshold: 500 kbps

              Applied Group Policy Objects
              -----------------------------
              Default Policy

              The following GPOs were not applied because they were filtered out
              -------------------------------------------------------------------
              Local Group Policy
              Filtering: Not Applied (Empty)

              Default Domain Policy
              Filtering: Disabled (Link)

              The computer is a part of the following security groups:
              --------------------------------------------------------
              BUILTIN\Administrators
              Everyone
              BUILTIN\Users
              NT AUTHORITY\NETWORK
              NT AUTHORITY\Authenticated Users
              MRC399$
              Domain Computers
              IT COMPUTERS

              Resultant Set Of Policies for Computer:
              ----------------------------------------

              Software Installations
              ----------------------
              N/A

              Startup Scripts
              ---------------
              N/A

              Shutdown Scripts
              ----------------
              N/A

              Account Policies
              ----------------
              GPO: Default Policy
              Policy: MinimumPasswordAge
              Computer Setting: 1

              GPO: Default Policy
              Policy: PasswordHistorySize
              Computer Setting: 1

              GPO: Default Policy
              Policy: LockoutDuration
              Computer Setting: 15

              GPO: Default Policy
              Policy: ResetLockoutCount
              Computer Setting: 15

              GPO: Default Policy
              Policy: MinimumPasswordLength
              Computer Setting: 5

              GPO: Default Policy
              Policy: LockoutBadCount
              Computer Setting: 5

              GPO: Default Policy
              Policy: MaximumPasswordAge
              Computer Setting: 91

              Audit Policy
              ------------
              GPO: Default Policy
              Policy: AuditDSAccess
              Computer Setting: Failure

              GPO: Default Policy
              Policy: AuditObjectAccess
              Computer Setting: Failure

              User Rights
              -----------
              N/A

              Security Options
              ----------------
              N/A

              Event Log Settings
              ------------------
              N/A

              Restricted Groups
              -----------------
              N/A

              System Services
              ---------------
              N/A

              Registry Settings
              -----------------
              N/A

              File System Settings
              --------------------
              N/A

              Public Key Policies
              -------------------
              N/A

              Administrative Templates
              ------------------------
              GPO: Default Policy
              Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\Standa rdPr
              file
              State: Enabled

              GPO: Default Policy
              Setting: SOFTWARE\Policies\Microsoft\WindowsFirewall\Domain Prof
              le
              State: Enabled


              USER SETTINGS
              --------------
              CN=Michael La Bara,OU=IT Deparment,OU=Milrose Users,DC=milrose-ny,DC=com
              Last time Group Policy was applied: 2/18/2009 at 10:32:01 AM
              Group Policy was applied from: mrcnydc2.milrose-ny.com
              Group Policy slow link threshold: 500 kbps

              Applied Group Policy Objects
              -----------------------------
              Default Policy
              Share LST
              Default Policy
              Mi3 launcher

              The following GPOs were not applied because they were filtered out
              -------------------------------------------------------------------
              Winfirewall
              Filtering: Not Applied (Empty)

              Local Group Policy
              Filtering: Not Applied (Empty)

              Default Domain Policy
              Filtering: Disabled (Link)

              Win31
              Filtering: Disabled (Link)

              The user is a part of the following security groups:
              ----------------------------------------------------
              Domain Users
              Everyone
              Debugger Users
              BUILTIN\Administrators
              BUILTIN\Users
              NT AUTHORITY\INTERACTIVE
              NT AUTHORITY\Authenticated Users
              LOCAL
              Exchange Admins
              Domain Admins
              IT
              TS_Users
              Distribution - Information Technology
              Enterprise Admins
              Distribution-New York City
              Double-Take Admin

              Resultant Set Of Policies for User:
              ------------------------------------

              Software Installations
              ----------------------
              N/A

              Public Key Policies
              -------------------
              N/A

              Administrative Templates
              ------------------------
              GPO: Default Policy
              Setting: Software\Policies\Microsoft\Windows\Control Panel\Desk
              op
              State: Enabled

              GPO: Default Policy
              Setting: Software\Policies\Microsoft\Windows\Control Panel\Desk
              op
              State: Enabled

              Folder Redirection
              ------------------
              N/A

              Internet Explorer Browser User Interface
              ----------------------------------------
              GPO: Default Policy
              Large Animated Bitmap Name: N/A
              Large Custom Logo Bitmap Name: N/A
              Title BarText: N/A
              UserAgent Text: N/A
              Delete existing toolbar buttons: No

              Internet Explorer Connection
              ----------------------------
              HTTP Proxy Server: N/A
              Secure Proxy Server: N/A
              FTP Proxy Server: N/A
              Gopher Proxy Server: N/A
              Socks Proxy Server: N/A
              Auto Config Enable: No
              Enable Proxy: No
              Use same Proxy: No

              HTTP Proxy Server: N/A
              Secure Proxy Server: N/A
              FTP Proxy Server: N/A
              Gopher Proxy Server: N/A
              Socks Proxy Server: N/A
              Auto Config Enable: No
              Enable Proxy: No
              Use same Proxy: No

              Internet Explorer URLs
              ----------------------
              GPO: Default Policy
              Home page URL: N/A
              Search page URL: N/A
              Online support page URL: N/A

              Internet Explorer Security
              --------------------------
              Always Viewable Sites: N/A
              Password Override Enabled: False

              Always Viewable Sites: N/A
              Password Override Enabled: False

              GPO: Default Policy
              Import the current Content Ratings Settings: No
              Import the current Security Zones Settings: Yes
              Import current Authenticode Security Information: No
              Enable trusted publisher lockdown: No

              Internet Explorer Programs
              --------------------------
              GPO: Default Policy
              Import the current Program Settings: No

              C:\Documents and Settings\mlabara>



              • #8
                Re: issue with my Password policy

                My first observation is that you have set a minimum password age of 1. 24 hours would need to have gone by until a password can be changed.

                Also, I would recommend enabling or not filtering out the Default Domain Policy that is installed by default. You ideally need to set the domain password policy on that GPO.

                You also need to apply the password policy to the DCs. At the moment it is applying to the XP machines and will only affect local user accounts.

                Look at the security permissions for the GPO you created and compare it to the Default Domain Policy. You will probably notice that the Default Domain Policy one also applies to DCs. You could add that group to your policy but keep in mind that your DCs will then be locked down by it.

                If I was you, and Microsoft would recommend it, I would enable the Default Domain Policy. Generally, the issue would be due to not setting the password policy there or the DC OU having 'block inheritance' enabled or deny permission set etc.
                Last edited by Virtual; 19th February 2009, 17:51.
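
The checks the replies describe, applied to saved `gpresult /v` output, as an added example that is not part of any post in this thread. The sample report is constructed and shortened from the layout of the output posted in #7, the function names are hypothetical, and the example assumes a domain controller's `OS Configuration` field contains the words "Domain Controller".

```python
import re

# Constructed, shortened report in the layout gpresult /v prints (sample data).
SAMPLE = """\
OS Configuration: Member Workstation

COMPUTER SETTINGS
------------------
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Default Domain Policy
Filtering: Disabled (Link)

Account Policies
----------------
GPO: Default Policy
Policy: MinimumPasswordAge
Computer Setting: 1

GPO: Default Policy
Policy: MaximumPasswordAge
Computer Setting: 91

Audit Policy
------------
GPO: Default Policy
Policy: AuditDSAccess
Computer Setting: Failure
"""

def sections(text):
    """Map each dash-underlined heading to its non-blank body lines."""
    lines = [l.strip() for l in text.splitlines()]
    out, cur = {}, None
    for line, nxt in zip(lines, lines[1:] + [""]):
        if line and nxt and set(nxt) == {"-"}:
            cur = out.setdefault(line, [])       # heading line
        elif cur is not None and line and set(line) != {"-"}:
            cur.append(line)
    return out

def review(report):
    """Return (account_policies, notes) for the computer half of a report."""
    secs = sections(report.split("USER SETTINGS")[0])
    skipped = dict(re.findall(r"(.+)\nFiltering: (.+)", "\n".join(
        secs.get("The following GPOs were not applied because they were filtered out", []))))
    policies = {p: (g, v) for g, p, v in re.findall(
        r"GPO: (.+)\nPolicy: (.+)\nComputer Setting: (.+)",
        "\n".join(secs.get("Account Policies", [])))}
    notes = [f"{g} not applied: {why}" for g, why in skipped.items()]
    role = re.search(r"OS Configuration:\s*(.+)", report)
    if role and "Domain Controller" not in role.group(1):  # assumed DC wording
        notes.append("run on a DC: this machine's result covers local accounts only")
    return policies, notes
```

Running `review()` on output captured from a domain controller shows which GPO actually supplies the password settings for domain accounts.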



                • #9
                  Re: issue with my Password policy

                  Originally posted by mlabs:
                  "I did not use the default domain GPO; I created a custom one and did not enforce it. It is a domain-wide policy."

                  Well, IIRC you have to change the Default Domain Policy for domain user password policies.
                  Remove the custom one and change the Default Domain Policy.
                  Marcel


                  • #10
                    Re: issue with my Password policy

                    Marcel confirms what I have mentioned, so will be the best way to go.



                    • #11
                      Re: issue with my Password policy

                      And... make sure that the GPO is NOT being blocked at the Domain Controllers OU!!!

                      If you configured the password policies especially for the domain user accounts, the policy must be applied especially on the DCs.
                      Run a GPResult against the DCs.


                      \Rems


                      Article of interest:
                      the constraints relating to password policies



                      • #12
                        Re: issue with my Password policy

                        Originally posted by Virtual:
                        "If I was you, and Microsoft would recommend it, I would enable the Default Domain Policy. Generally, the issue would be due to not setting the password policy there or the DC OU having 'block inheritance' enabled or deny permission set etc."
                        "You also need to apply the password policy to the DCs. At the moment it is applying to the XP machines and will only affect local user accounts."



                        Again reinforcing my comments, so you now know the way to go.
                        Last edited by Virtual; 19th February 2009, 20:05.



                        • #13
                          Re: issue with my Password policy

                          Originally posted by Virtual:
                          "Again reinforcing my comments,"
                          Nope, I was just repeating what I previously answered to mlabs
                          => http://forums.petri.com/showthread.p...034#post149034

                          Originally posted by Virtual:
                          "..., so you now know the way to go."
                          Oh no, does this mean he starts a new thread again.... LOL LOL



                          • #14
                            Re: issue with my Password policy

                            I see.



                            • #15
                              Re: issue with my Password policy

                              Originally posted by Dumber:
                              "well IIRC you have to change the Default domain policy for domain user password policies.
                              Remove the custom one and change the Default Domain Policy."

                              No, a custom policy applied at domain level will do just as well -- it doesn't have to be in the default domain policy

                              Make sure there is nothing in the default policy that over-rides the custom one though.
                              Tom Jones
                              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                              PhD, MSc, FIAP, MIITT
                              IT Trainer / Consultant
                              Ossian Ltd
                              Scotland

                              ** Remember to give credit where credit is due and leave reputation points where appropriate **
