
DC Password Complexity Requirements Not Applying


  • DC Password Complexity Requirements Not Applying

    Hey everyone,

    I'm trying to remove password complexity requirements only for a Domain Controller, not on the Domain. So, in GPMC at this DC I clicked the DC OU and created and linked a new GPO, in addition to the Default DC Policy that is there by default. In this GPO I disabled the password complexity requirements and made some other non-password-related changes. Then I moved this GPO first in the inheritance list of the DC OU (and there are no GPOs being enforced that might override this GPO). And then gpupdate /force.

    When I go to Local Security Policies to check, all the GPO's other non-password-related changes are taking effect, but not the password changes. It's odd that within the same GPO only some changes are taking effect. What's even odder is that the password policies at Local Security Settings are those of the Default Domain. This can't be!!! This policy is higher in the inheritance than the Default Domain Policy.

    I read some other posts about there being ONE password policy, but that only applies to domains. In my case, I actually only want to change the password policy for the DC not the Domain.
    As a last resort, I can simply change the password requirements at the Default Domain, but then it would affect the entire Domain (which is not what I want), and later on I won't have a record of the changes I've made to the server in case I want to bring it back to its default state.

    Any insights would be appreciated.

  • #2
    Re: DC Password Complexity Requirements Not Applying

    Unless you are running a 2008 domain, you can only have ONE password policy, which applies domain-wide (in Server 2008 you can have granular password policies).

    You can get around this by filtering the application of the GPO through security permissions -- since DCs do not have local accounts, this could get "interesting".

    But a big question remains -- why on earth (or any other place of your choice) would you want to REMOVE DCs from password complexity requirements? If anything, I would make them MORE restrictive since a hacker with access to your DCs has access to the whole domain.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd



    • #3
      Re: DC Password Complexity Requirements Not Applying

      You can't gain anything by changing the password complexity requirements on a DC from the very fact it's a DC.

      It has no local accounts, and certainly no local administrator account, so it wouldn't apply to anything.

      As Ossian has already pointed out, in 2003 you can only have one password policy, and it has to be applied at the domain level. You can have other GPOs below it in the hierarchical structure, but they will not apply.

      Unless you move to 2008 and then you can create PSOs.


      • #4
        Re: DC Password Complexity Requirements Not Applying

        Should have mentioned that it is Server 2008.

        However, after your comments, I realized that it is a stupid idea. I didn't think it through enough; it was late at night when I posted.

        Thanks for pointing out the folly of my late-night thinking.


        • #5
          Re: DC Password Complexity Requirements Not Applying

          We've all been there, my friend... it always seems like a good idea at the time.

          As you're on 2008 though you can create fine grained password policies.

          See here for general info:


          • #6
            Re: DC Password Complexity Requirements Not Applying

            Originally posted by Hanley:
            Cool, thanks. At least I'll learn something.