Windows Server Forum / Windows 2000 / Group Policy / July 2008

Do my account policies really work ?

Nicolas Heyer - 30 Jun 2008 14:52 GMT
Hello

At the beginning of the year we configured that users have to change their
password and meet password complexity.

Here are the settings:

Password history : 24 passwords remembered
Minimum password age: 0
Maximum password age: 120
Password must meet complexity is enabled

The option "Password never expires" is NOT set on user objects.

The policy has been linked to the top of the domain.

I have just discovered that one user has never changed their password since
January 4th.... it's a lot more than 120 days... so why? I asked the user,
who stated that the system has never asked for a password change...

How can I check if the policy really works, and what could cause it not to
work properly, knowing that the complexity seems to be asked for when
changing a password?

regards
Nicolas
Florian Frommherz [MVP] - 30 Jun 2008 14:57 GMT
Howdie!

Nicolas Heyer wrote:
> Password history : 24 passwords remembered
> Minimum password age: 0

Setting it to 0 is a bad idea since people could change it just 24 times
in a row and then re-enter their previous password.

> The policy has been linked to the top of the domain.

How's the linking order? Is the Password Policy the one linked at the
"top" of all policies when you look at the list at the domain level? Or
is it at least the one policy that's linked highest when it comes to
Password settings?

cheers,

Florian
Signature

Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html

Nicolas Heyer - 30 Jun 2008 16:16 GMT
There are 6 group policies linked to the domain level, the account policy is
set as 5th policy, but the other policies have, I think, nothing to do with
account policy. Should I change the order and set the policy to be enforced?

Regards
Nicolas

P.S. : yes, I know that 0 is not the best setting for minimum password
age... we will change it, but I also think that a user will probably try 3 or
5 times but almost never 24 times, or he really has nothing else to do at
work... but you're right, it's a lack of security...

dw33z1l@gmail.com - 25 Jul 2008 20:36 GMT
Quoted from
http://technet2.microsoft.com/windowsserver/en/library/353f7ad9-b53d-41d0-9867-199f6595a01b1033.mspx?mfr=true

"For domain accounts, there can be only one account policy per domain.
The account policy must be defined in the Default Domain Policy or in
a new policy that is linked to the root of the domain and given
precedence over the Default Domain Policy, which is enforced by the
domain controllers that make up the domain. A domain controller always
pulls the account policy from a Group Policy object (GPO) linked to the
domain, which by default is the Default Domain Policy GPO. This
behavior occurs even if there is a different account policy applied to
the organizational unit (OU) that contains the domain controller."

Hope that helps if it wasn't answered already.

-dweez

Florian Frommherz [MVP] - 26 Jul 2008 12:24 GMT
Nicolas,

> there are 6 group policies linked to the domain level, the account policy is
> set as 5th policy, but the other policies have, I think, nothing to do with
> account policy. Should I change the order and set the policy to be enforced ?

You can check that easily using the GPMC and the settings tab for those
policies. Only one Password Policy is applied - it's the "upper most"
Password Policy the system can find at the domain root. So moving your
Default Domain Policy to the top of the list should do the trick. But
don't enforce it.

If the policy still doesn't apply-- is inheritance blocked at the Domain
Controllers-OU?

cheers,

Florian
Signature

Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
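
An added example, not part of the original posts: one way to check whether the 120-day maximum age discussed in this thread is actually in effect and which accounts are past it. It assumes the raw directory attributes have already been exported (`maxPwdAge` from the domain head, `pwdLastSet` and `userAccountControl` per user); the account names and sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86400 * 10_000_000   # AD stores times and intervals in 100 ns ticks
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000      # the "Password never expires" checkbox
NO_EXPIRY = (0, -(2 ** 63))          # maxPwdAge values meaning passwords never age

def max_age_days(max_pwd_age):
    """Convert the domain head's maxPwdAge (negative ticks) to days; None = no expiry."""
    return None if max_pwd_age in NO_EXPIRY else -max_pwd_age / TICKS_PER_DAY

def password_status(user, max_pwd_age, now):
    """Classify one account against the policy value the domain actually holds."""
    uac = user["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "exempt"
    if user["pwdLastSet"] == 0:
        return "must-change"         # a change is forced at next logon
    days = max_age_days(max_pwd_age)
    if days is None:
        return "no-expiry-policy"    # the domain does not age passwords at all
    last_set = FILETIME_EPOCH + timedelta(microseconds=user["pwdLastSet"] // 10)
    return "overdue" if now - last_set > timedelta(days=days) else "ok"

def audit(users, max_pwd_age, now):
    """Map each account name to its status under the given maxPwdAge."""
    return {u["sAMAccountName"]: password_status(u, max_pwd_age, now) for u in users}

def to_filetime(dt):
    """Build a FILETIME value for the constructed samples below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

# Constructed sample data: dates mirror the thread, account names are hypothetical.
NOW = datetime(2008, 6, 30, 14, 52, tzinfo=timezone.utc)
USERS = [
    {"sAMAccountName": "user_a", "userAccountControl": 0x200,
     "pwdLastSet": to_filetime(datetime(2008, 1, 4, tzinfo=timezone.utc))},
    {"sAMAccountName": "user_b", "userAccountControl": 0x200,
     "pwdLastSet": to_filetime(datetime(2008, 5, 20, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_c", "userAccountControl": 0x10200,
     "pwdLastSet": to_filetime(datetime(2007, 3, 1, tzinfo=timezone.utc))},
]
INTENDED = -120 * TICKS_PER_DAY      # the 120-day maximum age from the GPO
```

If the exported `maxPwdAge` yields "no-expiry-policy" or a number of days other than the intended 120, that points to the password settings coming from a different GPO than the one expected.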

 