Password Policy not working


  • Password Policy not working

    I have created a GPO on a 2008 server to enforce password complexity. I have linked this GPO at the domain level. However, the password policy is not being enforced correctly. I have tested on 2 client PCs and gotten 2 very different results. On one, which is a Windows 7 PC, the policy was not enforced by forcing the user to change password at logon. It was enforced, however, when I changed the password using Ctrl+Alt+Del. On the 2nd PC, which is a Vista client, it doesn't seem to enforce the policy at all. Any ideas?

  • #2
    Re: Password Policy not working

    Password policy is located in the Computer Configuration section of a GPO. Therefore, it applies to computers, not users. If you linked it at the Domain Object level it will apply to all computers that are members of the domain, which is good. However, make sure that you do not have another policy linked at the Domain Controllers OU level. If you do, the one linked at the Domain Controllers OU level will have precedence over the one linked at the domain object level unless the one at the domain object level is set to "Enforced". Obviously domain users are affected by this policy since it's applied to the Domain Controllers. The policy applied to the local computers affects the local accounts stored on those systems.

    With that said, the policy should apply exactly the same regardless of whether the domain user logs on to the Windows 7 or the Vista domain member. In regards to your comment, "the policy was not enforced by forcing a user to change password at logon", there is nothing in the policy to force a user to change the password at logon. That behavior is managed by enabling the "User Must Change Password at Next Logon" attribute in the properties of the user, Account tab.
    JM @ IT Training & Consulting
    http://www.itgeared.com



    • #3
      Re: Password Policy not working

      I don't think the above is correct.
      In Server 2008, password policy STILL only applies at local or domain level. You do have PSOs which can override it for users and groups but no change in behaviour throughout AD -- password policies at OU level do not get applied
      More details here: http://technet.microsoft.com/en-us/m...ritywatch.aspx
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Password Policy not working

        Hello Ossian, not sure if you were referring to my posting. I may not have expressed myself in a manner that was well understood. Let me attempt to summarize it again.

        If you take a look at a GPO, the Password Policies are stored in the Computer Configuration section. Therefore, the target of the policies applies only to computers. When a policy is linked at the Domain or Domain Controllers OU, the target in both cases is Domain Controllers. Domain Controllers have "local" accounts (loosely speaking) which are domain users. Policy applies to these users. If an admin chooses to apply at the domain level only, he/she will notice that the local accounts on the computers in the domain are also affected. That is because a computer is within the scope of the GPO applied at the domain level.

        If a GPO with a password policy setting was linked at the OU level, it would apply to the computers and affect the local users stored on those target systems. It would not apply to the users located in the OUs.

        In 2008, Fine Grained Password Policies (FGPP) are used to target users and groups. They cannot be applied to OUs either.

        I assure you that this information that I am posting is correct. I apologize if I am not being clear in the way that I am explaining it.
        JM @ IT Training & Consulting
        http://www.itgeared.com



        • #5
          Re: Password Policy not working

          @[JM]
          Yes I was referring to your post.
          Unless you have a reference that specifically says otherwise, password/lockout policies applied to the domain controllers OU have no effect -- only those applied to the entire domain will be applied. This is standard behavior since AD was first launched and has not changed in 2008.
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Password Policy not working

            I stand corrected. Thank you.

            Yes, the password policy must be configured within a GPO and applied at the domain object. Account policies that are defined in the default domain controllers organizational unit have no effect.

            This should be obvious.... The DCs share domain accounts. If someone were to move a DC out of the Domain Controllers container and account policies were pulled from a GPO linked at the DC container level, that would be problematic. The policy must be linked at the domain level to ensure that all DCs are covered by the policy.

            Thanks again and I apologize for any confusion that my posting may have created.
            JM @ IT Training & Consulting
            http://www.itgeared.com



            • #7
              Re: Password Policy not working

              Originally posted by [JM]
              This should be obvious.... The DCs share domain accounts. If someone were to move a DC out of the Domain Controllers container and account policies were pulled from a GPO linked at the DC container level, that would be problematic. The policy must be linked at the domain level to ensure that all DCs are covered by the policy.
              Actually just one particular DC is enforcing password policies; the values will then be replicated to other DCs.


              Originally posted by [JM]
              I apologize for any confusion that my posting may have created.
              I've been confused about this for a longer time, not because of your post. An AD teacher I had started my doubt years ago.

              Security policy settings that are specific to domain controllers, but not to all users, groups, and computers in the domain, can be set at the Domain Controllers OU level. In that perspective I was told by an AD teacher that you in fact can consider configuring password policies at the default domain controller policy object.
              I have never tested it myself!!

              So far, I have found articles by Microsoft stating it is only required to set the account policy at the 'Default Domain Policy' object in special occasions. Besides that, Microsoft "recommends" that password policies are always set at domain level.

              I did find other sites (not Microsoft) where it is explicitly said that it is "required" that password policies are always set at domain level. Because, as stated there, "the SCE service running on the PDCe applies this policy by reading the values in the highest GPO linked to the domain".

              Since that time I don't know what is true. But Microsoft does recommend domain level, for multiple reasons. So better stick to that.

              Facts,
              • Account policy is propagated via the Domain controller holding the PDC emulator role, by writing the values to the root of the Domain Naming Context (DC=domain,DC=tld), typically referred to as the "NC head".
                Each domain controller in the domain replicates a copy of the domain NC. The rest of the DCs in the domain read the info from the domain NC head (and not from GPO) and apply it. (use ADSIEdit to check the policy is applied)
              • To ensure that domain-controller-specific Group Policy settings are consistently applied to all domain controllers in the domain, keep all domain controller computer accounts in one Domain Controllers OU (preferably the default Domain Controllers OU).
              • Microsoft recommends against modifying the built-in GPOs. Create new incremental GPOs instead.
                However, to accommodate APIs from previous versions of the operating system that make changes directly to default GPOs, changes to the following security policy settings must be made directly in the Default Domain Policy GPO or in the Default Domain Controllers Policy GPO:

                Default Domain Security Policy Settings:
                - Password Policy
                - Domain Account Lockout Policy
                - Domain Kerberos Policy

                Default Domain Controller Security Policy Settings:
                - User Rights Assignment Policy
                - Audit Policy

              • GPO links set to "enforce" (no-override) cannot be blocked. Microsoft recommends to use the "enforce" and "block inheritance" options sparingly.

              This posting is provided "AS IS" with no warranties, and confers no rights.

              __________________

              ** Remember to give credit where credit's due **
              and leave Reputation Points for meaningful posts



              • #8
                Re: Password Policy not working

                Hello Rems,

                I really appreciate your feedback and explanation. It appears that this thread may be of great value after all to others out there in the community. The topic of password policy is not usually defined at this level of detail (at least I have not found this level of detail posted anywhere on the internet). I have also experienced that not many have a complete grasp on how Account Policies are applied to domain users. I can say that I too have been in doubt for many years, but attempted to develop my own reasoning and theory based on logic, information that I have found, and through the use of lab time.

                Thanks again.
                JM @ IT Training & Consulting
                http://www.itgeared.com



                • #9
                  Re: Password Policy not working

                  Originally posted by Rems
                  I've been confused about this for a longer time, not because of your post. An AD teacher I had started my doubt years ago.

                  <...> I never have tested it myself!!

                  I have found the answer on the Microsoft site,
                  Originally posted by http://support.microsoft.com/kb/255550

                  Because domain controllers do not have local accounts as servers and workstations do, account policies that are defined in the default domain controller's organizational unit have no effect.

                  But I had already discovered it myself, before I found the article. It is quite easy to test, actually.
                  1. Create two new Group policy objects for the test.
                    - link one (the 'incremental Domain Policy') to the root of the Domain
                    - link the other (the 'incremental Domain Controller Policy') to the domain controllers OU

                    Define 'Enforce password history' in the 'Default Domain Policy' set to, let's say, 24
                    Define 'Enforce password history' in the 'incremental Domain Policy' set to 23
                    Define 'Enforce password history' in the 'incr Domain Controller Policy' set to 22

                    Run GPUpdate on the PDC-e domain controller
                    (then wait for a couple of seconds, directory updates within a site occur automatically on the basis of change notification.)

                    Start Active Directory Explorer browse to the root of DC=domain,DC=local and check the value of the 'pwdHistoryLength' attribute.

                  2. Now change the 'GPO link order' in the root of the domain. Place the 'incremental Domain Policy' at the top of the list and the 'Default Domain Policy' last.

                    Run GPUpdate on the PDC-e

                    Then again check the value of the 'pwdHistoryLength' attribute

                  3. Finally,
                    Block inheritance on the domain controllers OU. After that is done, delete the 'incremental Domain Policy'.

                    For the last time run GPUpdate on the PDC-e and do the check.

                  Conclusion:
                  • Domain User account policies must be configured in a GPO that is linked to the root of the domain (as Tom already stated a few posts above, challenging us to prove the opposite).
                  • The Domain Controllers OU should not block domain policies.


                  Troubleshooting,
                  When domain password policies do not apply to the domain users,
                  1. First check whether or not the domain controllers OU is blocking inheritance.
                  2. Then check if the PDC-e is still present in the domain. Run GPUpdate /force on that DC.
                  3. Then you can check the attributes in the NC head (using an Active Directory viewer/editor).
                  4. Finally check if there are replication problems.



                  btw,
                  • Here you can find Microsoft's Password Policy Setting Recommendations for the domain
                  • Windows Server 2008 introduces Fine-Grained Password Policies that allow for more precise control of account policy settings.
                  • If you don't want the domain password policies being inherited by the local SAM database on portable client computers, you could block inheritance on the OU or create and link a 'client device Password Policy' GPO to overrule the domain password policies at client computer OU level.


                  \Rems

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts

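As an added example (not code from the thread, from Microsoft, or from any of the posters), the PowerShell script below walks the four troubleshooting steps Rems lists above and reads the account policy attributes back from the NC head, the same check the Active Directory Explorer test does, which also covers the PDC emulator / NC head mechanics described in post #7. It assumes the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later, or RSAT on a client), a caller that can read the domain root, and repadmin.exe on the PATH; the function names and the -RefreshPdce switch are my own choices.

```powershell
# Added example; not code from the thread or from Microsoft. Walks Rems'
# troubleshooting list and reads the account policy back from the NC head,
# which is what every DC enforces regardless of what any individual GPO says.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules are installed,
# the caller can read the domain root, repadmin.exe is on the PATH.
# The function names and the -RefreshPdce switch are my own choices.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-DomainAccountPolicyReport {
    param(
        # Run gpupdate /force on the PDC emulator first (Rems' step 2).
        # Needs PowerShell remoting to the PDCe.
        [switch]$RefreshPdce
    )

    $domain = Get-ADDomain
    $ncHead = $domain.DistinguishedName              # e.g. DC=domain,DC=local
    $pdce   = $domain.PDCEmulator
    $dcOu   = $domain.DomainControllersContainer

    # Step 1: a blocked Domain Controllers OU stops the domain-linked GPO from
    # reaching the PDCe, so the NC head attributes never change.
    $dcInheritance = Get-GPInheritance -Target $dcOu
    if ($dcInheritance.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked on '$dcOu'; the domain account policy will not apply."
    }

    # Step 2: the PDCe must still exist and be reachable; refresh it on request.
    if (-not (Test-Connection -ComputerName $pdce -Count 1 -Quiet)) {
        Write-Warning "PDC emulator '$pdce' is not reachable."
    } elseif ($RefreshPdce) {
        Invoke-Command -ComputerName $pdce -ScriptBlock { gpupdate.exe /force /target:computer } | Out-Null
    }

    # GPO links at the domain root in link order: the first enabled link is the
    # one whose account policy settings the PDCe writes to the NC head.
    $rootLinks = (Get-GPInheritance -Target $ncHead).GpoLinks | Sort-Object Order
    foreach ($link in $rootLinks) {
        Write-Host ("  {0}. {1}  Enabled={2} Enforced={3}" -f $link.Order, $link.DisplayName, $link.Enabled, $link.Enforced)
    }

    # Step 3: read the attributes from the NC head on the PDCe itself, so
    # replication lag cannot hide a value that was written moments ago.
    $attrs = 'minPwdLength', 'pwdHistoryLength', 'maxPwdAge', 'minPwdAge',
             'pwdProperties', 'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'
    $head = Get-ADObject -Identity $ncHead -Properties $attrs -Server $pdce

    # Age and duration attributes are negative counts of 100 ns ticks;
    # 0 or [long]::MinValue means "never expires" / "until an admin unlocks".
    function ConvertTo-Units([long]$ticks, [double]$ticksPerUnit) {
        if ($ticks -eq 0 -or $ticks -eq [long]::MinValue) { return 'unlimited' }
        return [math]::Round((-$ticks) / $ticksPerUnit, 2)
    }
    $ticksPerDay    = 864000000000.0
    $ticksPerMinute = 600000000.0

    [pscustomobject]@{
        PdcEmulator              = $pdce
        DcOuBlocksInheritance    = [bool]$dcInheritance.GpoInheritanceBlocked
        TopGpoAtDomainRoot       = ($rootLinks | Select-Object -First 1).DisplayName
        MinPasswordLength        = $head.minPwdLength
        PasswordHistoryLength    = $head.pwdHistoryLength
        MaxPasswordAgeDays       = ConvertTo-Units $head.maxPwdAge $ticksPerDay
        MinPasswordAgeDays       = ConvertTo-Units $head.minPwdAge $ticksPerDay
        ComplexityEnabled        = [bool]($head.pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX
        LockoutThreshold         = $head.lockoutThreshold
        LockoutDurationMinutes   = ConvertTo-Units $head.lockoutDuration $ticksPerMinute
        LockoutWindowMinutes     = ConvertTo-Units $head.lockOutObservationWindow $ticksPerMinute
    }
}

# Step 4: replication health. If the PDCe wrote new values but other DCs
# still show the old ones, this summary shows which partners are failing.
function Show-ReplicationSummary {
    & repadmin.exe /replsummary
}

Get-DomainAccountPolicyReport -RefreshPdce | Format-List
Show-ReplicationSummary
```

Reading the NC head on the PDCe with -Server makes the difference between "the GPO is wrong" and "the GPO is right but replication is behind" visible immediately: if the values on the PDCe already match the intended GPO while Get-ADObject against another DC still shows the old ones, the problem is step 4, not steps 1 to 3.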


                  • #10
                    Re: Password Policy not working

                    Just a note about fine-grained password policies (PSOs) -- they are a b***er to create -- the only tool is ADSIEdit and times have to be entered in weird formats.
                    Then they can only be applied to users or groups, not to OUs

                    After some experimentation, I can confidently say they are only suitable for occasional variations on a domain level policy -- for larger scale applications of different password policies, a different domain is still the best option. Pity really, because there seems no logical reason not to be able to apply different policies at OU or site levels.
                    Tom Jones
                    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                    PhD, MSc, FIAP, MIITT
                    IT Trainer / Consultant
                    Ossian Ltd
                    Scotland

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

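An added example, not from the thread: on Windows Server 2008 R2 and later the ActiveDirectory module creates a PSO and attaches it to a group without ADSIEdit, which removes the time-format problem Tom describes (2008 RTM really did ship only with ADSIEdit and ldifde for this). The PSO and group names below are placeholders, and Get-EffectivePolicyFor is my own helper; the cmdlets themselves are Microsoft's.

```powershell
# Added example; not code from the thread. Creates a stricter PSO for a
# privileged group and shows which policy a given user actually ends up with.
# Assumptions: Windows Server 2008 R2 (or later) domain functional level,
# the ActiveDirectory module, and rights to the Password Settings Container.
# 'PSO-PrivilegedAccounts' and 'Tier0-Admins' are placeholder names.
Import-Module ActiveDirectory

function New-PrivilegedPasswordPso {
    param(
        [string]$PsoName   = 'PSO-PrivilegedAccounts',
        [string]$GroupName = 'Tier0-Admins'
    )
    # Lower Precedence wins when a user is covered by more than one PSO.
    # TimeSpan parameters accept 'd.hh:mm:ss' strings, no 100 ns arithmetic needed.
    $pso = New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -PassThru

    # PSOs apply only to users and global security groups, never to OUs,
    # which is exactly the limitation Tom points out above.
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $GroupName
    return $pso
}

function Get-EffectivePolicyFor {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Returns the winning PSO for the user; returns nothing when no PSO applies,
    # in which case the domain-level policy from the NC head is in force.
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $resultant) {
        return Get-ADDefaultDomainPasswordPolicy
    }
    return $resultant
}

New-PrivilegedPasswordPso | Out-Null
Get-EffectivePolicyFor -SamAccountName 'some.admin' | Format-List Name, Precedence, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy resolves the same msDS-ResultantPSO value the DC uses at password-change time, so it is the quickest way to confirm that a group-based PSO really reached a given account before anyone reports "the policy is not working".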
