[gptalk] Re: Password Policy behavior

  • From: "Brahim Bouchaiba" <bouchaiba@xxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 12 Aug 2008 20:02:19 -0400

Hi Allan,


Thanks for getting back to me. Indeed, my problem is number 2. You are right, it 
looks like the GPO expired all the passwords in AD. I wish Microsoft put a KB 
about this behavior. Once again, thanks Allan.






gptalk@xxxxxxxxxxxxx writes:
>Hi Brahim,
>
>I am not exactly sure whether your problem is:
>
>1. Password complexity is still enforced
>
>2. Users must reset their password when they next log on
>
>3. Users must reset their password every time they log on
>
>1. Password complexity is still enforced. You are correct that removing the 
>policy stops it being enforced, however it does not reset it to the previous 
>value. What you need to do is create a policy which has "password must meet 
>complexity requirements" as "disabled" (i.e. setting the policy to "not enabled" 
>is not the same as setting the policy to "disabled").
>
>2. Users must reset their password when they next log on. I think what may have 
>happened is that when the domain controller detected the new rule that "all 
>passwords must be complex", it went through and expired all passwords, so that 
>the new rule could be enforced. If this is the case, you cannot reverse it by 
>changing policies. You could write a program/script that runs through AD and 
>unsets the "password expired" flag for each user, but it is probably not worth 
>the effort?
>
>3. Users must reset their password every time they log on. It sounds like you 
>have changed the "maximum password age value" to 1, causing a reset every day. 
>I can't think how you would get into a position that password changes are 
>forced every time you log on.
>
>Alan Cuthbertson
>
>-----Original Message-----
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
>Behalf Of Brahim Bouchaiba
>Sent: Wednesday, 13 August 2008 8:55 AM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Password Policy behavior
> 
>Hi,
> 
>I was asked today to set up a password policy for our users. I went ahead and did 
>it following the directions in this doc:
> 
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
> 
>When we tried it, the boss didn't like the complexity of the passwords part, so 
>I went ahead and deleted the GPO and its link. Now every time a user logs off 
>and logs back in, they get a message saying "your password has expired" and get 
>prompted to change it.
> 
>1- Now, if I understand correctly, once you delete any GPO and its link, all its 
>settings should not be enforced anymore?
> 
>2- Is there a way to reverse what's happening to our users now?
> 
> 
>***********************
>You can unsubscribe from gptalk by sending email to 
>gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
>logging into the freelists.org Web interface. Archives for the list are 
>available at //www.freelists.org/archives/gptalk/
>************************


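Added example, not part of the thread: before scripting any change across AD as suggested in point 2, a read-only check can show why each account is being told its password has expired. The function name `Get-PasswordExpiryReason` and the sample accounts are constructed for illustration; it assumes only the domain-wide `maxPwdAge` applies (no fine-grained password policies) and PowerShell 5 or later.

```powershell
# Added example. Function name and sample accounts are hypothetical/constructed.
$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: password never expires

function Get-PasswordExpiryReason {
    param(
        [long]$PwdLastSet,         # user attribute pwdLastSet (FILETIME, UTC)
        [int]$UserAccountControl,  # user attribute userAccountControl
        [long]$MaxPwdAge,          # domain attribute maxPwdAge (negative 100 ns units)
        [datetime]$Now = [datetime]::UtcNow
    )
    # Order matters: the never-expires bit wins over everything else.
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWD) { return 'NeverExpires' }
    # pwdLastSet = 0 is the "must change password at next logon" state.
    if ($PwdLastSet -eq 0) { return 'MustChangeAtNextLogon' }
    # Minimum Int64 means no maximum age; 0 is treated the same here (assumption).
    if ($MaxPwdAge -eq [long]::MinValue -or $MaxPwdAge -eq 0) { return 'NoMaximumAge' }
    # Expiry time = time the password was set + maximum age (stored negative).
    $expires = [datetime]::FromFileTimeUtc($PwdLastSet).AddTicks(-$MaxPwdAge)
    if ($expires -le $Now) { return 'OlderThanMaxAge' }
    return 'Valid'
}

# Constructed sample: fixed clock, 42-day maximum age, four accounts.
$now    = [datetime]::new(2008, 8, 12, 0, 0, 0, [System.DateTimeKind]::Utc)
$maxAge = -([timespan]::FromDays(42).Ticks)
$sample = @(
    [pscustomobject]@{ Name = 'alice'; PwdLastSet = 0L; UAC = 0x200 }
    [pscustomobject]@{ Name = 'bob';   PwdLastSet = $now.AddDays(-90).ToFileTimeUtc();  UAC = 0x200 }
    [pscustomobject]@{ Name = 'carol'; PwdLastSet = $now.AddDays(-10).ToFileTimeUtc();  UAC = 0x200 }
    [pscustomobject]@{ Name = 'svc';   PwdLastSet = $now.AddDays(-900).ToFileTimeUtc(); UAC = 0x10200 }
)

# Emit one Name/Reason row per account.
$sample | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Reason = Get-PasswordExpiryReason -PwdLastSet $_.PwdLastSet `
                     -UserAccountControl $_.UAC -MaxPwdAge $maxAge -Now $now
    }
}
```

Accounts reported as `OlderThanMaxAge` follow the maximum password age currently in effect on the domain, while `MustChangeAtNextLogon` is a per-user state that a policy change does not clear.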
