GPO messed up and more...

  • GPO messed up and more...

    First of all, since I am new, I want to salute all the members of this forum.
    I have a difficult problem...
    I run a Win SBS 2003 which is mainly used as an Exchange server and web server.
    In our network we have another server that runs as a file server.
    All our workstations are joined to the file server's domain and the mail server domain is empty. It contains only the SBS mail and web server, which is isolated: not joined to the file server domain, so it is a domain controller in its own domain without any other workstations joined to it.
    I have created AD accounts for all the users in our organization for email accounts on the mail server, and all of them connect to the mail server through the Outlook client.
    All our network connects to the exterior through a router.
    The first problem is that I played with the default domain controller policies and also the domain policies on the mail server to enforce passwords on our mail accounts.
    I allowed users to change passwords at the next logon and I discovered that they can't change their passwords. The Outlook client told them to change the password because the password had expired, but when they enter a new password the message is that they cannot change the password and they should contact the administrator...
    Well, I tried to reset their password through AD Users and Computers and surprise: I can't change their password because password policies are not O.K.
    And all this because I played with the default domain controller policies and domain policies, with the account lockout policies and password policies in both the default domain controller and domain policies.
    I tried to put everything back to default but nothing: I still can't reset users' passwords now because either the password length is not correct (and I used a 14-character password), or the minimum password age or password complexity are not O.K., even though I put them back like they were before (I think), when I was able to reset their passwords without problems.

    How can I fix this?

  • #2
    Re: GPO messed up and more...

    Did you document what the settings were prior to changing them? Can you guarantee 100% that you've changed configuration settings back to how they were prior to being changed?

    To me it sounds like several changes have been made which will add to the complexity of the problem.

    I see a few ways to attack this problem:

    1. Outline all of the default domain controller policies and all of the default domain policies that you changed so that we have a baseline of what needs to be changed back.

    2. Troubleshoot the symptoms one at a time by changing default domain controller and default domain policies such that we think it will address the problem specifically.

    3. Use Microsoft Security Configuration and Analysis tools and templates to examine the level of security that is on this machine.

    4. Use Microsoft Security Configuration and Analysis tools and templates to apply a less secure security template to this machine. Several default security templates ship with Microsoft operating systems. Since this is a DC, I do not recommend lowering the security of this machine any further than absolutely needs to be, however, if your manager is chewing on you to get this fixed quickly and the end users are irate, this could be a quick band-aid fix to get them up and running again today, knowing that security needs to be systematically tightened back down tomorrow.

    What is the timeframe to get this resolved? This will likely determine what path you must choose and how fast this must be resolved. If you have crippled a production email system this morning and users have been down most of the day already, chances are you may already be in hot water.
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+ - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.
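    As an added example that is not part of this thread or any poster's own work: the baseline that approach 1 asks for can be read directly out of Active Directory rather than from memory, because the password and lockout settings of the Default Domain Policy are applied to the domain naming-context object (minPwdLength, minPwdAge, pwdProperties, lockoutThreshold and so on). The script below reads those effective values over ADSI, tests a candidate password against the same length and complexity rules that produce "does not meet minimum password age, minimum password length or the complexity requirements", and reports for one user whether the minimum password age would still block a user-initiated change. It assumes PowerShell 2.0 or later on any member of the domain (PowerShell is not on an SBS 2003 box by default; 1.0 can be installed there, or run it from another domain member), a domain account that can read the domain head and user objects, and the hypothetical user names jsmith / "John Smith"; nothing here writes to the directory.

```powershell
# Added example, not the poster's code. Assumes PowerShell 2.0+ on a domain member
# and read access to the domain NC head and user objects. Read-only.

function ConvertFrom-LargeInteger {
    # minPwdAge, maxPwdAge and lockoutDuration are IADsLargeInteger COM objects
    # holding a negative count of 100-nanosecond intervals.
    param([object]$Value)
    $t    = $Value.GetType()
    $high = [int64]$t.InvokeMember('HighPart', 'GetProperty', $null, $Value, $null)
    $low  = [int64]$t.InvokeMember('LowPart',  'GetProperty', $null, $Value, $null)
    $ticks = ($high * 4294967296) + ($low -band 0xFFFFFFFF)
    if ($ticks -eq [int64]::MinValue) { return $null }   # 0x8000000000000000 = "never"
    return [TimeSpan]::FromTicks([math]::Abs($ticks))
}

function Get-DomainPasswordPolicy {
    # Effective domain password/lockout policy as stored on the domain NC head.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $props   = [int]$domain.pwdProperties.Value
    return New-Object PSObject -Property @{
        MinPasswordLength = [int]$domain.minPwdLength.Value
        PasswordHistory   = [int]$domain.pwdHistoryLength.Value
        MinPasswordAge    = ConvertFrom-LargeInteger $domain.minPwdAge.Value
        MaxPasswordAge    = ConvertFrom-LargeInteger $domain.maxPwdAge.Value
        ComplexityEnabled = [bool]($props -band 1)       # DOMAIN_PASSWORD_COMPLEX
        LockoutThreshold  = [int]$domain.lockoutThreshold.Value
        LockoutDuration   = ConvertFrom-LargeInteger $domain.lockoutDuration.Value
    }
}

function Test-PasswordAgainstPolicy {
    # Length check plus the Windows complexity rule: must not contain the
    # sAMAccountName or any display-name token of 3+ characters, and must use
    # characters from at least 3 of 5 categories.
    param([string]$Password, [string]$SamAccountName, [string]$DisplayName = '', $Policy)
    $failures = @()
    if ($Password.Length -lt $Policy.MinPasswordLength) {
        $failures += "shorter than minPwdLength ($($Policy.MinPasswordLength))"
    }
    if ($Policy.ComplexityEnabled) {
        $lower = $Password.ToLower()
        if ($SamAccountName -and $lower.Contains($SamAccountName.ToLower())) {
            $failures += 'contains the sAMAccountName'
        }
        foreach ($token in ($DisplayName -split '[,\.\-_ #\t]+')) {
            if ($token.Length -ge 3 -and $lower.Contains($token.ToLower())) {
                $failures += "contains display-name token '$token'"
            }
        }
        $chars = $Password.ToCharArray()
        $cats  = 0
        if (@($chars | Where-Object { [char]::IsUpper($_) }).Count -gt 0) { $cats++ }
        if (@($chars | Where-Object { [char]::IsLower($_) }).Count -gt 0) { $cats++ }
        if (@($chars | Where-Object { [char]::IsDigit($_) }).Count -gt 0) { $cats++ }
        if (@($chars | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count -gt 0) { $cats++ }
        if (@($chars | Where-Object { [char]::IsLetter($_) -and -not [char]::IsUpper($_) -and -not [char]::IsLower($_) }).Count -gt 0) { $cats++ }
        if ($cats -lt 3) { $failures += "only $cats of 5 character categories (3 required)" }
    }
    return New-Object PSObject -Property @{
        Passes = ($failures.Count -eq 0); Failures = $failures
    }
}

function Test-UserPasswordState {
    # A user-initiated change (Outlook, OWA, Ctrl-Alt-Del) is refused while
    # pwdLastSet + minPwdAge is still in the future; an administrator reset is
    # not subject to the minimum age. pwdLastSet = 0 means "must change at next logon".
    param([string]$SamAccountName, $Policy)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('pwdLastSet', 'userAccountControl'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "user $SamAccountName not found" }
    $pwdLastSet = [int64]$r.Properties['pwdlastset'][0]
    $uac        = [int]$r.Properties['useraccountcontrol'][0]
    $mustChange = ($pwdLastSet -eq 0)
    $minAgeOk   = $true
    if (-not $mustChange -and $Policy.MinPasswordAge) {
        $setAt    = [DateTime]::FromFileTimeUtc($pwdLastSet)
        $minAgeOk = (Get-Date).ToUniversalTime() -ge $setAt.Add($Policy.MinPasswordAge)
    }
    return New-Object PSObject -Property @{
        User                 = $SamAccountName
        MustChangeAtLogon    = $mustChange
        PasswordNeverExpires = [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD
        MinAgeSatisfied      = $minAgeOk
    }
}

# Usage (hypothetical user): print the baseline, then check one password and one user.
$policy = Get-DomainPasswordPolicy
$policy | Format-List
Test-PasswordAgainstPolicy -Password 'Summer2006!xyz' -SamAccountName 'jsmith' -DisplayName 'John Smith' -Policy $policy
Test-UserPasswordState -SamAccountName 'jsmith' -Policy $policy
```

    Capture the first output before touching another GPO setting; it is the record approach 1 asks for, and re-running it after each change shows whether the edit actually reached the domain object. The script does not read the "User cannot change password" setting, which is not a flag but a pair of Deny "Change Password" ACEs (for Everyone and SELF) on the user object; check that in the object's Security tab.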


    • #3
      Re: GPO messed up and more...

      Thank you.
      So, the events are:
      1. I observed that someone was very stubborn in scanning our ports and tried to log on with the administrator account and different passwords.
      2. The admin account was already renamed, so that was of no use for this hacker, but I was thinking of enforcing the security settings on our mail server.
      I was never so concerned since this server is not connected to our file server, which is the most important for us at this moment.
      3. Our mail accounts are not secure in the way that Microsoft recommends.
      4. I entered the Group Policy console.
      5. There were 5 GPOs there, I think, and I modified the two at the bottom: default domain account lockout policies and default domain password policies.
      6. I opened AD Users and Computers and set all the user accounts to change password at the next logon.
      7. The first unwanted effect: they couldn't change their password for email in Outlook because: "password can't be changed. contact your administrator"
      8. I said O.K. - I placed everything at default: the password policies undefined, and I tried to reset users' passwords from the server logged in as admin.
      9. The second unwanted effect: I received the message: "Password can't be changed because it does not meet minimum password age, minimum password length or the complexity requirements." Even though everything was returned to default in the GPO console. So I said OK and I tried to reset a password meeting all the requirements: still the same result...
      I set again in AD Users that they can't change their password and password never expires, and now their accounts are working with the old passwords, even though some of these old passwords are very weak, but if I try to reset a password again it is not possible because "Password can't be changed because it does not meet minimum password age, minimum password length or the complexity requirements"...

      So there are two issues:
      1. Why can't the users change their password from Outlook???
      Maybe it has something to do with the "RequireLogonToChangePassword" setting?
      And when I forced the users to change their password at the next logon, they couldn't change their passwords exactly because of this???
      2. WTF happened, because I can't reset passwords for users even though I met all the password security settings and even more.... (Everything worked well before I was playing with the GPO...)

      Please excuse my writing mistakes if any, but I'm very mad....
      Last edited by barbacot; 9th May 2006, 21:48.