[gptalk] Re: Difficulty applying policies

  • From: "Greg" <gwerner@xxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jan 2008 20:01:20 -0500

As a side note since you used server 2003 here are the default password 

Cannot be based on the user's account name. 
Must contains at least six characters. 
Must contains characters from three of the following four categories: 
1.)  Uppercase alphabet characters (A-Z) 
2.)  Lowercase alphabet characters (a-z) 
3.)  Arabic numerals (0-9) 
4.)  Nonalphanumeric characters (for example, !$#,%)

  ----- Original Message ----- 
  From: Paul Manley 
  To: gptalk@xxxxxxxxxxxxx 
  Sent: Friday, January 11, 2008 7:37 PM
  Subject: [gptalk] Difficulty applying policies

  Simplified Scenario:  Executives can't remember their difficult passwords.  
So we are going to let them use smaller non-complex passwords.

  Let us assume that this morning I setup Active Directory on a Windows 2003 
server with SP1, but no other updates and created a few users. 
  I've installed the Group Policy Management snap-in and created a new Group 
Policy Object ( under the Group Policy Objects folder of our domain ) called 
"Exec Password Policy".
  I've set the [Computer Configuration]->[Windows Settings]->[Security 
Settings]->[Account Policies]->[Password Policies] to be less restrictive in 
"Exec Password Policy". 
  I create a new Organizational Unit called "Executives" and place the users in 
  Now I "Link an Existing GPO..." on my "Executives" OU selecting the 
"Executive Password Policy". 

  I try to reset one of the Executives passwords, but I am not allowed:
  "Windows cannot complete the password change for Fred Executive because:  The 
password does not meet the password policy requirements.  Check the minimum 
password length, password complexity and password history requirements." 

  Those are exactly what I have just turned off.  Perhaps you could point out 
the error of my configuration.  I have setup a VM domain this morning to do 

   - Paul - 

Other related posts: