[gptalk] Re: Password Policy behavior

  • From: "Brahim Bouchaiba" <bouchaiba@xxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 12 Aug 2008 20:02:19 -0400

Hi Allan,


Thanks for getting back to me,indeed My problem is number 2, you are right it 
looks like the gpo expired all the passwords in AD , I wish Microsoft put KB 
about this behavior.Once again thanks Allan.






gptalk@xxxxxxxxxxxxx writes:
>Hi Brahim,
>
> 
>
>I am not exactly sure whether you problem is:-
>
> 
>
>1. Password complexity is still enforced
>
>2. Users must reset their password when they next log on
>
>3. Users must reset their password every time they logon
>
> 
>
>1. Password complexity is still enforced. You are correct that removing the 
>policy stops it being enforced, however it does not reset it to the previous 
>value. What you need to do is create a policy which has "password must meet 
>complexity requirements"
>as "disabled". (i.e. setting the policy to ?not enabled? is not the same as 
>setting the policy to ?disabled?) 
>
> 
>
>2. Users must reset their password when they next log on I think what may have 
>happened is that when the domain controller detected the new rule that "all 
>passwords must be complex", it went through and expired all passwords, so that 
>the new rule could
>be enforced. If this is the case, you cannot reverse it by changing policies. 
>You could write a program/script that runs through AD and unsets the "password 
>expired" flag for each user but it is probably not worth the effort?
>
> 
>
>3. Users must reset their password every time they logon It sounds like you 
>have changed the ?maximum password age value? to 1 causing a reset every day. 
>I can?t think how you would get into a position that password changes are 
>forced every time you log
>on.
>
> 
>Alan Cuthbertson
> 
> 
> Policy Management Software (Now with ADMX and Preference support):-
>http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
>
> 
>ADM Template Editor(Now with ADMX support):-
>http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
>
> 
>Policy Log Reporter(Free)
>http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> 
> 
> 
> 
>-----Original Message-----
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
>Behalf Of Brahim Bouchaiba
>Sent: Wednesday, 13 August 2008 8:55 AM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Password Policy behavior
> 
>Hi,
> 
>I was asked today to setup password policy for our users, I went ahead and did 
>it following the directions in this doc :
> 
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
> 
> 
>when we tried it the boss didn't like the complexity of the passwords part so 
>I went ahead and deleted the gpo and it's link .Now every time a user log off  
>and log back in they get a message saying your password has expired and get  
>prompted to change
>their  it 
> 
>1-Now if I understand correctly once you delete any gpo and it's link all its 
>settings should not be enforced anymore ?
> 
>2-Is there way to reverse what's happening to our users now 
> 
> 
>***********************
>You can unsubscribe from gptalk by sending email to 
>gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
>logging into the freelists.org Web interface. Archives for the list are 
>available at http://www.freelists.org/archives/gptalk/
>************************


***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: