[gptalk] Re: Password Policy behavior

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 13 Aug 2008 09:44:54 +1000

Hi Brahim,


I am not exactly sure whether your problem is:-


1. Password complexity is still enforced

2. Users must reset their password when they next log on

3. Users must reset their password every time they logon


1. Password complexity is still enforced. You are correct that removing the
policy stops it being enforced, however it does not reset it to the previous
value. What you need to do is create a policy which has "password must meet
complexity requirements" as "disabled". (i.e. setting the policy to "not
enabled" is not the same as setting the policy to "disabled") 


2. Users must reset their password when they next log on. I think what may
have happened is that when the domain controller detected the new rule that
"all passwords must be complex", it went through and expired all passwords,
so that the new rule could be enforced. If this is the case, you cannot
reverse it by changing policies. You could write a program/script that runs
through AD and unsets the "password expired" flag for each user but it is
probably not worth the effort.


3. Users must reset their password every time they logon. It sounds like you
have changed the "maximum password age value" to 1 causing a reset every
day. I can't think how you would get into a position that password changes
are forced every time you log on.


Alan Cuthbertson




-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Brahim Bouchaiba
Sent: Wednesday, 13 August 2008 8:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Password Policy behavior




I was asked today to set up password policy for our users. I went ahead and
did it following the directions in this doc:





When we tried it the boss didn't like the complexity of the passwords part,
so I went ahead and deleted the GPO and its link. Now every time a user logs
off and logs back in they get a message saying your password has expired and
get prompted to change it.


1- Now if I understand correctly, once you delete any GPO and its link, all
its settings should not be enforced anymore?


2- Is there a way to reverse what's happening to our users now?
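
The checks behind points 1 to 3 of the reply, together with the script mentioned in point 2, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available, treats `pwdLastSet = 0` (user must change password at next logon) as the "password expired" flag, and the `-Fix` switch is a hypothetical name chosen for this example.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and treats pwdLastSet = 0 as the "password expired" flag.
param(
    [switch]$Fix   # hypothetical switch name: clear the flag instead of only reporting
)

Import-Module ActiveDirectory

# Points 1 and 3: what the domain enforces now, whichever GPO last set it.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy |
    Select-Object ComplexityEnabled, MinPasswordLength, MinPasswordAge, MaxPasswordAge |
    Format-List | Out-Host

if ($policy.ComplexityEnabled) {
    Write-Warning 'Complexity is still enabled: deleting the GPO did not revert the value.'
}
# A MaxPasswordAge of zero means passwords never expire, so exclude it.
if ($policy.MaxPasswordAge -gt [TimeSpan]::Zero -and
    $policy.MaxPasswordAge -le [TimeSpan]::FromDays(1)) {
    Write-Warning "MaxPasswordAge is $($policy.MaxPasswordAge): passwords expire daily."
}

# Point 2: enabled accounts that will be prompted to change at next logon.
# The matching rule 1.2.840.113556.1.4.803 is a bitwise AND; bit 2 = disabled.
$filter  = '(&(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$flagged = @(Get-ADUser -LDAPFilter $filter)
Write-Host "$($flagged.Count) enabled account(s) must change password at next logon."
$flagged | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize | Out-Host

if ($Fix) {
    foreach ($user in $flagged) {
        # Sets pwdLastSet to the current time, so the password's age restarts
        # from now under the MaxPasswordAge shown above.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $false
        Write-Host "Cleared flag for $($user.SamAccountName)"
    }
}
```

Run it without `-Fix` first and review the list: newly created or helpdesk-reset accounts carry the same flag on purpose, and clearing it leaves their temporary passwords in place.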



