Password Policy seems to be ignored for new Domain on Windows Server 2008 R2

Posted by Earl Sven on Server Fault See other posts from Server Fault or by Earl Sven
Published on 2012-03-16T15:29:02Z Indexed on 2012/03/20 11:32 UTC
Read the original article Hit count: 451

I have set up a new Windows Server 2008 R2 domain controller, and have attempted to configure the Default Domain Policy to permit all types of passwords. When I want to create a new user (just a normal user) in the Domain Users and Computers application, I am prevented from doing so because of password complexity/length reasons.

The password policy options configured in the Default Domain Policy are not defined in the Default Domain Controllers Policy, but having run the Group Policy Modelling Wizard these settings do not appear to be set for the Domain Controllers OU, should they not be inherited from the Default Domain policy? Additionally, if I link the Default Domain policy to the Domain Controllers OU, the Group Policy Modelling Wizard indicates the expected values for complexity etc, but I still cannot create a new user with my desired password. The domain is running at the Windows Server 2008 R2 functional level. Any thoughts?

Thanks!

Update: Here is the "Account policy/Password policy" Section from the GPM Wizard:

Policy                           Value                     Winning GPO    
Enforce password history         0 Passwords Remembered    Default Domain Policy
Maximum password age             0 days                    Default Domain Policy
Minimum password age             0 days                    Default Domain Policy
Minimum password length          0 characters              Default Domain Policy
Passwords must meet complexity   Disabled                  Default Domain Policy

These results were taken from running the GPM Wizard at the Domain Controllers OU. I have typed them out by hand as the system I am working on is standalone, this is why the table is not exactly the wording from the Wizard. Are there any other policies that could override the above? Thanks!

© Server Fault or respective owner

Related posts about active-directory

Related posts about windows-server-2008-r2