Active Directory Password Policy Problem
- by Will
To Clarify: my question is why isn't my password policy applying to people in the domain.
Hey guys, having trouble with our password policy in Active Directory. Sometimes it just helps me to type out what I’m seeing
It appears to not be applying properly across the board. I am new to this environment and AD in general but I think I have a general grasp of what should be going on.
It’s a pretty simple AD setup without too many Group Policies being applied.
It looks something like this
DOMAIN
Default Domain Policy (link enabled)
Password Policy (link enabled and enforce)
Personal OU
Force Password Change (completely empty nothing in this GPO)
IT OU
Lockout Policy (link enabled and enforced)
CS OU
Lockout Policy
Accouting OU
Lockout Policy
The password policy and default domain policy both define the same things under Computer ConfigWindows seetings sec settings Account Policies / Password Policy
Enforce password History : 24 passwords remembered
Maximum Password age : 180 days
Min password age: 14 days
Minimum Password Length: 6 characters
Password must meet complexity requirements: Enabled
Store Passwords using reversible encryption: Disabled
Account Policies / Account Lockout Policy
Account Lockout Duration 10080 Minutes
Account Lockout Threshold: 5 invalid login attempts
Reset Account Lockout Counter after : 30 minutes
IT lockout
This just sets the screen saver settings to lock computers when the user is Idle.
After running Group Policy modeling it seems like the password policy and default domain policy is getting applied to everyone.
Here is the results of group policy modeling on MO-BLANCKM using the mblanck account, as you can see the policies are both being applied , with nothing important being denied
Group Policy Results
NCLGS\mblanck on NCLGS\MO-BLANCKM
Data collected on: 12/29/2010 11:29:44 AM
Summary
Computer Configuration Summary
General
Computer name
NCLGS\MO-BLANCKM
Domain
NCLGS.local
Site
Default-First-Site-Name
Last time Group Policy was processed
12/29/2010 10:17:58 AM
Group Policy Objects
Applied GPOs
Name
Link Location
Revision
Default Domain Policy
NCLGS.local
AD (15), Sysvol (15)
WSUS-52010
NCLGS.local/WSUS/Clients
AD (54), Sysvol (54)
Password Policy
NCLGS.local
AD (58), Sysvol (58)
Denied GPOs
Name
Link Location
Reason Denied
Local Group Policy
Local
Empty
Security Group Membership when Group Policy was applied
BUILTIN\Administrators
Everyone
S-1-5-21-507921405-1326574676-682003330-1003
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NCLGS\MO-BLANCKM$
NCLGS\Admin-ComputerAccounts-GP
NCLGS\Domain Computers
WMI Filters
Name
Value
Reference GPO(s)
None
Component Status
Component Name
Status
Last Process Time
Group Policy Infrastructure
Success
12/29/2010 10:17:59 AM
EFS recovery
Success (no data)
10/28/2010 9:10:34 AM
Registry
Success
10/28/2010 9:10:32 AM
Security
Success
10/28/2010 9:10:34 AM
User Configuration Summary
General
User name
NCLGS\mblanck
Domain
NCLGS.local
Last time Group Policy was processed
12/29/2010 11:28:56 AM
Group Policy Objects
Applied GPOs
Name
Link Location
Revision
Default Domain Policy
NCLGS.local
AD (7), Sysvol (7)
IT-Lockout
NCLGS.local/Personal/CS
AD (11), Sysvol (11)
Password Policy
NCLGS.local
AD (5), Sysvol (5)
Denied GPOs
Name
Link Location
Reason Denied
Local Group Policy
Local
Empty
Force Password Change
NCLGS.local/Personal
Empty
Security Group Membership when Group Policy was applied
NCLGS\Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
NCLGS\MissingSkidEmail
NCLGS\Customer_Service
NCLGS\Email_Archive
NCLGS\Job Ticket Users
NCLGS\Office Staff
NCLGS\CUSTOMER SERVI-1
NCLGS\Prestige_Jobs_Email
NCLGS\Telecommuters
NCLGS\Everyone - NCL
WMI Filters
Name
Value
Reference GPO(s)
None
Component Status
Component Name
Status
Last Process Time
Group Policy Infrastructure
Success
12/29/2010 11:28:56 AM
Registry
Success
12/20/2010 12:05:51 PM
Scripts
Success
10/13/2010 10:38:40 AM
Computer Configuration
Windows Settings
Security Settings
Account Policies/Password Policy
Policy
Setting
Winning GPO
Enforce password history
24 passwords remembered
Password Policy
Maximum password age
180 days
Password Policy
Minimum password age
14 days
Password Policy
Minimum password length
6 characters
Password Policy
Password must meet complexity requirements
Enabled
Password Policy
Store passwords using reversible encryption
Disabled
Password Policy
Account Policies/Account Lockout Policy
Policy
Setting
Winning GPO
Account lockout duration
10080 minutes
Password Policy
Account lockout threshold
5 invalid logon attempts
Password Policy
Reset account lockout counter after
30 minutes
Password Policy
Local Policies/Security Options
Network Security
Policy
Setting
Winning GPO
Network security: Force logoff when logon hours expire
Enabled
Default Domain Policy
Public Key Policies/Autoenrollment Settings
Policy
Setting
Winning GPO
Enroll certificates automatically
Enabled
[Default setting]
Renew expired certificates, update pending certificates, and remove revoked certificates
Disabled
Update certificates that use certificate templates
Disabled
Public Key Policies/Encrypting File System
Properties
Winning GPO
[Default setting]
Policy
Setting
Allow users to encrypt files using Encrypting File System (EFS)
Enabled
Certificates
Issued To
Issued By
Expiration Date
Intended Purposes
Winning GPO
SBurns
SBurns
12/13/2007 5:24:30 PM
File Recovery
Default Domain Policy
For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authorities
Properties
Winning GPO
[Default setting]
Policy
Setting
Allow users to select new root certification authorities (CAs) to trust
Enabled
Client computers can trust the following certificate stores
Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria
Registered in Active Directory only
Administrative Templates
Windows Components/Windows Update
Policy
Setting
Winning GPO
Allow Automatic Updates immediate installation
Enabled
WSUS-52010
Allow non-administrators to receive update notifications
Enabled
WSUS-52010
Automatic Updates detection frequency
Enabled
WSUS-52010
Check for updates at the following
interval (hours):
1
Policy
Setting
Winning GPO
Configure Automatic Updates
Enabled
WSUS-52010
Configure automatic updating:
4 - Auto download and schedule the install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day:
0 - Every day
Scheduled install time:
03:00
Policy
Setting
Winning GPO
No auto-restart with logged on users for scheduled automatic updates installations
Disabled
WSUS-52010
Re-prompt for restart with scheduled installations
Enabled
WSUS-52010
Wait the following period before
prompting again with a scheduled
restart (minutes):
30
Policy
Setting
Winning GPO
Reschedule Automatic Updates scheduled installations
Enabled
WSUS-52010
Wait after system
startup (minutes):
1
Policy
Setting
Winning GPO
Specify intranet Microsoft update service location
Enabled
WSUS-52010
Set the intranet update service for detecting updates:
http://lavender
Set the intranet statistics server:
http://lavender
(example: http://IntranetUpd01)
User Configuration
Administrative Templates
Control Panel/Display
Policy
Setting
Winning GPO
Hide Screen Saver tab
Enabled
IT-Lockout
Password protect the screen saver
Enabled
IT-Lockout
Screen Saver
Enabled
IT-Lockout
Screen Saver executable name
Enabled
IT-Lockout
Screen Saver executable name
sstext3d.scr
Policy
Setting
Winning GPO
Screen Saver timeout
Enabled
IT-Lockout
Number of seconds to wait to enable the Screen Saver
Seconds:
1800
System/Power Management
Policy
Setting
Winning GPO
Prompt for password on resume from hibernate / suspend
Enabled
IT-Lockout
