Active Directory Password Policy Problem

Posted by Will on Server Fault
Published on 2010-12-29T17:39:58Z

To clarify: my question is why my password policy isn't applying to people in the domain.

Hey guys, having trouble with our password policy in Active Directory. Sometimes it just helps me to type out what I'm seeing.

It appears to not be applying properly across the board. I am new to this environment and AD in general but I think I have a general grasp of what should be going on.

It’s a pretty simple AD setup without too many Group Policies being applied.

It looks something like this:

DOMAIN
    Default Domain Policy (link enabled)
    Password Policy (link enabled and enforced)
    Personal OU
        Force Password Change (completely empty, nothing in this GPO)
        IT OU
            Lockout Policy (link enabled and enforced)
        CS OU
            Lockout Policy
        Accounting OU
            Lockout Policy

The Password Policy and Default Domain Policy both define the same things under Computer Config > Windows Settings > Security Settings > Account Policies / Password Policy:

    Enforce password history: 24 passwords remembered
    Maximum password age: 180 days
    Minimum password age: 14 days
    Minimum password length: 6 characters
    Password must meet complexity requirements: Enabled
    Store passwords using reversible encryption: Disabled

Account Policies / Account Lockout Policy:

    Account lockout duration: 10080 minutes
    Account lockout threshold: 5 invalid logon attempts
    Reset account lockout counter after: 30 minutes

IT Lockout: this just sets the screen saver settings to lock computers when the user is idle.

After running Group Policy Modeling it seems like the Password Policy and Default Domain Policy are both getting applied to everyone.

Here are the results of Group Policy Modeling on MO-BLANCKM using the mblanck account. As you can see, both policies are being applied, with nothing important being denied.

Group Policy Results

NCLGS\mblanck on NCLGS\MO-BLANCKM

Data collected on: 12/29/2010 11:29:44 AM

Summary

Computer Configuration Summary

General

Computer name NCLGS\MO-BLANCKM

Domain NCLGS.local

Site Default-First-Site-Name

Last time Group Policy was processed 12/29/2010 10:17:58 AM

Group Policy Objects

Applied GPOs

Name Link Location Revision

Default Domain Policy NCLGS.local AD (15), Sysvol (15)

WSUS-52010 NCLGS.local/WSUS/Clients AD (54), Sysvol (54)

Password Policy NCLGS.local AD (58), Sysvol (58)

Denied GPOs

Name Link Location Reason Denied

Local Group Policy Local Empty

Security Group Membership when Group Policy was applied

BUILTIN\Administrators Everyone S-1-5-21-507921405-1326574676-682003330-1003 BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NCLGS\MO-BLANCKM$ NCLGS\Admin-ComputerAccounts-GP NCLGS\Domain Computers

WMI Filters

Name Value Reference GPO(s)

None

Component Status

Component Name Status Last Process Time

Group Policy Infrastructure Success 12/29/2010 10:17:59 AM

EFS recovery Success (no data) 10/28/2010 9:10:34 AM

Registry Success 10/28/2010 9:10:32 AM

Security Success 10/28/2010 9:10:34 AM

User Configuration Summary

General

User name NCLGS\mblanck

Domain NCLGS.local

Last time Group Policy was processed 12/29/2010 11:28:56 AM

Group Policy Objects

Applied GPOs

Name Link Location Revision

Default Domain Policy NCLGS.local AD (7), Sysvol (7)

IT-Lockout NCLGS.local/Personal/CS AD (11), Sysvol (11)

Password Policy NCLGS.local AD (5), Sysvol (5)

Denied GPOs

Name Link Location Reason Denied

Local Group Policy Local Empty

Force Password Change NCLGS.local/Personal Empty

Security Group Membership when Group Policy was applied

NCLGS\Domain Users Everyone BUILTIN\Administrators BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL NCLGS\MissingSkidEmail NCLGS\Customer_Service NCLGS\Email_Archive NCLGS\Job Ticket Users NCLGS\Office Staff NCLGS\CUSTOMER SERVI-1 NCLGS\Prestige_Jobs_Email NCLGS\Telecommuters NCLGS\Everyone - NCL

WMI Filters

Name Value Reference GPO(s)

None

Component Status

Component Name Status Last Process Time

Group Policy Infrastructure Success 12/29/2010 11:28:56 AM

Registry Success 12/20/2010 12:05:51 PM

Scripts Success 10/13/2010 10:38:40 AM

Computer Configuration

Windows Settings

Security Settings

Account Policies/Password Policy

Policy Setting Winning GPO

Enforce password history 24 passwords remembered Password Policy

Maximum password age 180 days Password Policy

Minimum password age 14 days Password Policy

Minimum password length 6 characters Password Policy

Password must meet complexity requirements Enabled Password Policy

Store passwords using reversible encryption Disabled Password Policy

Account Policies/Account Lockout Policy

Policy Setting Winning GPO

Account lockout duration 10080 minutes Password Policy

Account lockout threshold 5 invalid logon attempts Password Policy

Reset account lockout counter after 30 minutes Password Policy

Local Policies/Security Options

Network Security

Policy Setting Winning GPO

Network security: Force logoff when logon hours expire Enabled Default Domain Policy

Public Key Policies/Autoenrollment Settings

Policy Setting Winning GPO

Enroll certificates automatically Enabled [Default setting]

Renew expired certificates, update pending certificates, and remove revoked certificates Disabled

Update certificates that use certificate templates Disabled

Public Key Policies/Encrypting File System

Properties

Winning GPO [Default setting]

Policy Setting

Allow users to encrypt files using Encrypting File System (EFS) Enabled

Certificates

Issued To Issued By Expiration Date Intended Purposes Winning GPO

SBurns SBurns 12/13/2007 5:24:30 PM File Recovery Default Domain Policy

For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities

Properties

Winning GPO [Default setting]

Policy Setting

Allow users to select new root certification authorities (CAs) to trust Enabled

Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

Administrative Templates

Windows Components/Windows Update

Policy Setting Winning GPO

Allow Automatic Updates immediate installation Enabled WSUS-52010

Allow non-administrators to receive update notifications Enabled WSUS-52010

Automatic Updates detection frequency Enabled WSUS-52010

Check for updates at the following

interval (hours): 1

Policy Setting Winning GPO

Configure Automatic Updates Enabled WSUS-52010

Configure automatic updating: 4 - Auto download and schedule the install

The following settings are only required

and applicable if 4 is selected.

Scheduled install day: 0 - Every day

Scheduled install time: 03:00

Policy Setting Winning GPO

No auto-restart with logged on users for scheduled automatic updates installations Disabled WSUS-52010

Re-prompt for restart with scheduled installations Enabled WSUS-52010

Wait the following period before

prompting again with a scheduled

restart (minutes): 30

Policy Setting Winning GPO

Reschedule Automatic Updates scheduled installations Enabled WSUS-52010

Wait after system

startup (minutes): 1

Policy Setting Winning GPO

Specify intranet Microsoft update service location Enabled WSUS-52010

Set the intranet update service for detecting updates: http://lavender

Set the intranet statistics server: http://lavender

(example: http://IntranetUpd01)

User Configuration

Administrative Templates

Control Panel/Display

Policy Setting Winning GPO

Hide Screen Saver tab Enabled IT-Lockout

Password protect the screen saver Enabled IT-Lockout

Screen Saver Enabled IT-Lockout

Screen Saver executable name Enabled IT-Lockout

Screen Saver executable name sstext3d.scr

Policy Setting Winning GPO

Screen Saver timeout Enabled IT-Lockout

Number of seconds to wait to enable the Screen Saver

Seconds: 1800

System/Power Management

Policy Setting Winning GPO

Prompt for password on resume from hibernate / suspend Enabled IT-Lockout
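As an added check (not part of Will's post), the PowerShell below reads the domain's effective password and lockout policy through the ActiveDirectory module, compares it with the values the Password Policy GPO above defines, and lists enabled accounts whose password is older than the maximum age. It assumes RSAT's ActiveDirectory module on a domain-joined machine with read access to the domain; the expected values are copied from the post.

```powershell
# Added example, not from the original post. Compares the domain's effective
# account policy (what accounts are actually held to) against the GPO values
# described in the post, then looks for evidence that the policy is not in force.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Expected values, copied from the Password Policy GPO settings in the post.
$expected = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 180
    MinPasswordAge              = New-TimeSpan -Days 14
    MinPasswordLength           = 6
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = New-TimeSpan -Minutes 10080
    LockoutThreshold            = 5
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}

# The effective domain policy is read from the domain itself, independent of
# what gpresult shows as "winning" on a given workstation.
$effective = Get-ADDefaultDomainPasswordPolicy

foreach ($name in $expected.Keys) {
    $actual = $effective.$name
    $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-28} expected={1,-14} actual={2,-14} {3}' -f $name, $expected[$name], $actual, $status
}

# If the 180-day maximum were being enforced, no enabled, expiring account
# could still have a password older than that. Any rows here show the
# policy is not taking effect for those users.
$cutoff = (Get-Date) - $effective.MaxPasswordAge
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

Accounts with PasswordNeverExpires set are excluded on purpose, since that per-user flag overrides the domain maximum age and is a separate thing to audit.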
