graemeboro

asked on

Windows 2000 Domain Password Policy

We currently have a Windows 2000 domain which has a domain policy for passwords to be a minimum of 6 characters long.  Following an audit, 110 of those accounts still allow zero-length passwords to be applied.  All other accounts enforce the policy properly.  These accounts do not appear to have anything in common, i.e. they are all from different OUs and some are admins, some non-admins, etc.  I have double-checked the policies and I am now at a loss as to why these accounts are not having this policy enforced.  There is no local policy on these accounts.

The only thing the users have in common is that they have been on our system for a long length of time.  We also run Novell NDS however the rest of our users do not have this problem and are also members of NDS.  

Any help would be gratefully received.



Thomas Lee

This could have happened because the passwords were set before the policy.

Do you force password changes?

To resolve the problem you could set those accounts to change password at next logon.
graemeboro

ASKER

To tfi,

Thank you for your quick response.  I have investigated this and these users have changed passwords previously; unfortunately, however, this did not resolve the problem.  It appears that the set policy is not filtering to the users.

Thanks again
graemeboro
The question was whether the passwords were changed after the policy went into effect. I guess from your answer, the password changes occurred after the policy was changed.

The only explanation I can see is that you are in a mixed mode 2k forest, and for some reason the clients authenticated against an NT4 DC. So when they changed their password, the policy was not effective.

I've just tested this here (using XP and 2003 Server) and password changes work as expected.
Try downloading the new Group Policy Management Console from the MS Download site.  It lets you look at an OU and tell you what specific Policies are being applied.  Helps see inheritance or deny issues.  It was built for 2003 but is backwards compatible to 2000.  It can drill down and help you troubleshoot the specific issue.

Also has some good query capabilities for things like Account Lockouts and such.

Steve
The GPMC is at:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

But I don't think this will help as there is no correlation between the users who do not have the complex passwords and any domain or OU. Unless the poster is not telling us everything.

What he can try is to load GPMC (it ONLY runs on Windows 2003 or XP, but can work against 2k domains) and use the Group Policy Modelling. Model one of his users who do have the complex passwords logging into their system, then compare that to a 'normal' user. It MIGHT show something.

In thinking about it, I am curious as to how the poster knows the passwords - these are not stored in reversible text (by default) - so how does he know that they are??


Thomas
Have you checked in Properties->Security in the Group Policy whether these accounts with blank passwords have "Apply Group Policy" checked?
To marcioft,

Thanks for your comment.  I have looked at both the properties of the domain policy and of the individual users and I cannot see the option to Apply Group Policy.  Could you give me more specific info?

Thanx
Graeme
If I recall, it is in "Active Directory Users and Computers->Domain": go to the GPO that has the settings, click on "Properties->Security" and there is a list with groups, users, computers, etc. and the permissions of each. There is one permission called "Apply Group Policy" that must be checked.
I don't know if all the directions are 100% correct; I don't have "Active Directory Users and Computers" here on my computer.
To marcioft,

Thank you for that, this has partly worked.  Of these 110 users, if I change their passwords to less than 6 chars this now stops me.  I still can however set the passwords to zero length?  If I try this with other users the policy blocks me.  I am now completely out of ideas.
graemeboro,
what do you mean by "I still can however set the passwords to zero length?". I didn't understand; what exactly is this procedure you're talking about? You said that you can't change their passwords to less than six, right? So, what do you mean by "I still can however set the passwords to zero length?"?
Exactly that. If I try to set the user's password to a length of 1, 2, 3, 4 or 5 this is not allowed because the system states that the minimum password is 6 characters.  But for some reason, if I change the password and set it to nothing, it lets me do it with these users.  It is not applying the policy in these circumstances.  This is only happening to the 110 users described when I first posted the question.
How many Group Policies do you have applied to the domain? Did you check the permissions in all of them?
We have one group policy applied to the domain and I have checked the permission on this and also that it is filtering to the organisational units.
Pete Long
Windows Domain Group Policy

Configuring Account Policies in Active Directory

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q255/5/50.asp&NoWebContent=1


Troubleshooting

1. Ensure You have created a Domain Security policy, and not a local policy on a domain controller.

2. Ensure The group policy is applied  either to the Root of AD or the OU where the users/machines reside.

3. Right click either the policy or the level at which the policy was applied and select the security tab. Ensure "Apply Group Policy" is ticked.

4. Press Start > Run > SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

5. Press Start > Run > SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

6. Are Your Users seeing these Error Messages....

   Your account has been disabled. Please see your system administrator.

   OR

   Unable to log you on because your account has been locked out, please contact your administrator.

   If so see http://support.microsoft.com/default.aspx?scid=kb;en-us;279227

7. Account Lockout Problems see http://support.microsoft.com/default.aspx?scid=kb;en-us;274372

8. Machine Account Lockout Problems see http://support.microsoft.com/default.aspx?scid=kb;en-us;260930
http://support.microsoft.com/default.aspx?scid=kb;en-us;817701

9. Policy not being enforced Try http://support.microsoft.com/default.aspx?scid=kb;en-us;254174

10. Account Locking for no reason see
http://support.microsoft.com/default.aspx?scid=kb;en-us;328862

11. Policy not applying to users try
http://support.microsoft.com/default.aspx?scid=kb;EN-US;263693

12. You are only allowed one Domain Security Policy! see
http://support.microsoft.com/default.aspx?scid=kb;en-us;255550

13. Still no Joy! Try the official Microsoft Troubleshooting guide http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp
Pete,

did any of this sort the 0 length password issues in our audit?  I know I've left but still interested in how all this works
ASKER CERTIFIED SOLUTION
Pete Long
ThanQ