Active Directory Password Policy Problem
Posted
by
Will
on Server Fault
See other posts from Server Fault
or by Will
Published on 2010-12-29T17:39:58Z
Indexed on
2010/12/29
17:56 UTC
Read the original article
Hit count: 530
active-directory
To Clarify: my question is why isn't my password policy applying to people in the domain.
Hey guys, having trouble with our password policy in Active Directory. Sometimes it just helps me to type out what I’m seeing
It appears to not be applying properly across the board. I am new to this environment and AD in general but I think I have a general grasp of what should be going on.
It’s a pretty simple AD setup without too many Group Policies being applied.
It looks something like this
DOMAIN
Default Domain Policy (link enabled)
Password Policy (link enabled and enforce)
Personal OU
Force Password Change (completely empty nothing in this GPO)
IT OU
Lockout Policy (link enabled and enforced)
CS OU
Lockout Policy
Accouting OU
Lockout Policy
The password policy and default domain policy both define the same things under Computer Config>Windows seetings> sec settings> Account Policies / Password Policy
Enforce password History : 24 passwords remembered
Maximum Password age : 180 days
Min password age: 14 days
Minimum Password Length: 6 characters
Password must meet complexity requirements: Enabled
Store Passwords using reversible encryption: Disabled
Account Policies / Account Lockout Policy
Account Lockout Duration 10080 Minutes
Account Lockout Threshold: 5 invalid login attempts
Reset Account Lockout Counter after : 30 minutes
IT lockout
This just sets the screen saver settings to lock computers when the user is Idle.
After running Group Policy modeling it seems like the password policy and default domain policy is getting applied to everyone.
Here is the results of group policy modeling on MO-BLANCKM using the mblanck account, as you can see the policies are both being applied , with nothing important being denied
Group Policy Results
NCLGS\mblanck on NCLGS\MO-BLANCKM
Data collected on: 12/29/2010 11:29:44 AM
Summary
Computer Configuration Summary
General
Computer name NCLGS\MO-BLANCKM
Domain NCLGS.local
Site Default-First-Site-Name
Last time Group Policy was processed 12/29/2010 10:17:58 AM
Group Policy Objects
Applied GPOs
Name Link Location Revision
Default Domain Policy NCLGS.local AD (15), Sysvol (15)
WSUS-52010 NCLGS.local/WSUS/Clients AD (54), Sysvol (54)
Password Policy NCLGS.local AD (58), Sysvol (58)
Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
Security Group Membership when Group Policy was applied
BUILTIN\Administrators Everyone S-1-5-21-507921405-1326574676-682003330-1003 BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NCLGS\MO-BLANCKM$ NCLGS\Admin-ComputerAccounts-GP NCLGS\Domain Computers
WMI Filters
Name Value Reference GPO(s)
None
Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 12/29/2010 10:17:59 AM
EFS recovery Success (no data) 10/28/2010 9:10:34 AM
Registry Success 10/28/2010 9:10:32 AM
Security Success 10/28/2010 9:10:34 AM
User Configuration Summary
General
User name NCLGS\mblanck
Domain NCLGS.local
Last time Group Policy was processed 12/29/2010 11:28:56 AM
Group Policy Objects
Applied GPOs
Name Link Location Revision
Default Domain Policy NCLGS.local AD (7), Sysvol (7)
IT-Lockout NCLGS.local/Personal/CS AD (11), Sysvol (11)
Password Policy NCLGS.local AD (5), Sysvol (5)
Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
Force Password Change NCLGS.local/Personal Empty
Security Group Membership when Group Policy was applied
NCLGS\Domain Users Everyone BUILTIN\Administrators BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL NCLGS\MissingSkidEmail NCLGS\Customer_Service NCLGS\Email_Archive NCLGS\Job Ticket Users NCLGS\Office Staff NCLGS\CUSTOMER SERVI-1 NCLGS\Prestige_Jobs_Email NCLGS\Telecommuters NCLGS\Everyone - NCL
WMI Filters
Name Value Reference GPO(s)
None
Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 12/29/2010 11:28:56 AM
Registry Success 12/20/2010 12:05:51 PM
Scripts Success 10/13/2010 10:38:40 AM
Computer Configuration
Windows Settings
Security Settings
Account Policies/Password Policy
Policy Setting Winning GPO
Enforce password history 24 passwords remembered Password Policy
Maximum password age 180 days Password Policy
Minimum password age 14 days Password Policy
Minimum password length 6 characters Password Policy
Password must meet complexity requirements Enabled Password Policy
Store passwords using reversible encryption Disabled Password Policy
Account Policies/Account Lockout Policy
Policy Setting Winning GPO
Account lockout duration 10080 minutes Password Policy
Account lockout threshold 5 invalid logon attempts Password Policy
Reset account lockout counter after 30 minutes Password Policy
Local Policies/Security Options
Network Security
Policy Setting Winning GPO
Network security: Force logoff when logon hours expire Enabled Default Domain Policy
Public Key Policies/Autoenrollment Settings
Policy Setting Winning GPO
Enroll certificates automatically Enabled [Default setting]
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled
Public Key Policies/Encrypting File System
Properties
Winning GPO [Default setting]
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled
Certificates
Issued To Issued By Expiration Date Intended Purposes Winning GPO
SBurns SBurns 12/13/2007 5:24:30 PM File Recovery Default Domain Policy
For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authorities
Properties
Winning GPO [Default setting]
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Administrative Templates
Windows Components/Windows Update
Policy Setting Winning GPO
Allow Automatic Updates immediate installation Enabled WSUS-52010
Allow non-administrators to receive update notifications Enabled WSUS-52010
Automatic Updates detection frequency Enabled WSUS-52010
Check for updates at the following
interval (hours): 1
Policy Setting Winning GPO
Configure Automatic Updates Enabled WSUS-52010
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
Policy Setting Winning GPO
No auto-restart with logged on users for scheduled automatic updates installations Disabled WSUS-52010
Re-prompt for restart with scheduled installations Enabled WSUS-52010
Wait the following period before
prompting again with a scheduled
restart (minutes): 30
Policy Setting Winning GPO
Reschedule Automatic Updates scheduled installations Enabled WSUS-52010
Wait after system
startup (minutes): 1
Policy Setting Winning GPO
Specify intranet Microsoft update service location Enabled WSUS-52010
Set the intranet update service for detecting updates: http://lavender
Set the intranet statistics server: http://lavender
(example: http://IntranetUpd01)
User Configuration
Administrative Templates
Control Panel/Display
Policy Setting Winning GPO
Hide Screen Saver tab Enabled IT-Lockout
Password protect the screen saver Enabled IT-Lockout
Screen Saver Enabled IT-Lockout
Screen Saver executable name Enabled IT-Lockout
Screen Saver executable name sstext3d.scr
Policy Setting Winning GPO
Screen Saver timeout Enabled IT-Lockout
Number of seconds to wait to enable the Screen Saver
Seconds: 1800
System/Power Management
Policy Setting Winning GPO
Prompt for password on resume from hibernate / suspend Enabled IT-Lockout
© Server Fault or respective owner