AD Policy locked, need to unlock.. (pic inside)

Right

Installing a legacy piece of software, and during the install it creates SQL accounts that it uses itself. I'm getting an error message saying "password does not meet required length" from the installer log.

So I need to change the min length to '1'. Upon going into gpedit, it has a 'lock' on the password section and is greyed out.

Logged in on the domain controller as admin.
What to do?

passwordlock.jpg


No silly answers please
 
Are you editing the default domain policy, or is this a new policy?

Do it via a new policy, and place it on top of the default domain policy to give it a higher priority.

Also are you setting this policy at the root level?
 
The only time I've really used gpedit before is for locking down XP Pro machines. I'm just typing in gpedit.msc on the domain controller and going from there.

Will look into what you said,
cheers
 
gpedit is the local machine policy. If you're on a domain controller you can't have local logins, so you can't set a policy on local logon passwords. Because there are none to restrict :)

You want the default domain policy if you're on the Domain Controller (Programmes, Admin Tools, Domain Security Policy).
 
On the other PCs the change would be reflected in the screen above, yes? (If I gpedit.msc'd from the other PCs.)
 
No.

gpedit edits the local policy. If you ran gpedit it would only affect any local PC accounts they created on the desktop. The way to check it would be to create a new user in Active Directory Users and Computers and try to give the account no password or a 1-letter password and see what error you get.

How do I get it to filter down to all the machines?

Thanks for the help, pal


This happens automatically. Desktops should pull down the settings from the domain by default. That's why it's called the default domain policy :)
 
No. gpedit.msc is for local policies only. The only way that would work is if they are not on the domain and then there would be no point.

You need to use Active Directory to change the settings. On a test machine you could then run gpupdate /force from the command line and it would download the latest group policy.

If you want to view what group policies are applied to a particular PC you need to use the Resultant Set of Policies (Google is your friend).


M.
 
All policies can be blocked though. This is where Resultant Set of Policies comes in, to see what policies are being applied on a particular PC.


M.
 

Didn't think it had got that far yet. I thought we were still at the "I haven't set the policy, how do I set one" stage rather than the "I've set one but it doesn't work" stage. By default they should all inherit the default policy unless you've set it up otherwise.
 
Well, I've followed what mr lol has said, and it's still on '7' when I log into the machine. It's also a Windows 2003 R2 box, if that makes any difference.

I set it to 0 in the Domain Security Policy, did gpupdate etc.

It was last week I made the changes. Just checked the machine I want it to enforce it on, and it's on 7 still.

Any ideas, mate? :)
 
Have you tried issuing the command:

net accounts /minpwlen:0

from a command prompt? The problem you'll have is that the password length may well change, but a periodic policy refresh (every 45 minutes, I think) will reset it back to 7 at some stage.

EDIT: Thinking about it, it would be much easier to duplicate whatever domain policy is setting the password length to 7, edit it, then apply it to this specific machine. You may need to create a temp OU and move the machine if the policy is at computer level. After you've done the install, move the machine back and remove the policy and OUs that you created to put things back the way they were.
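
Added example, not part of the thread or any poster's code: one way to confirm that a machine's effective password policy is back to its earlier state after a temporary change like the one discussed above is to run `secedit /export /cfg <file> /areas SECURITYPOLICY` before the change and again after the rollback, then compare the [System Access] sections. The function names and the sample exports below are constructed for illustration; the value 7 is the one reported in the thread.

```python
import configparser

def load_export(raw: bytes) -> str:
    """Decode a secedit export: normally UTF-16 with a BOM, else UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return text.replace("\r\n", "\n")

def system_access(text: str) -> dict:
    """Return the [System Access] settings (password and lockout policy)."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as exported
    cp.read_string(text)
    if not cp.has_section("System Access"):
        return {}
    return {k: v.strip() for k, v in cp.items("System Access")}

def policy_drift(before: str, after: str) -> dict:
    """Map each setting that differs to its (before, after) values."""
    b, a = system_access(before), system_access(after)
    return {k: (b.get(k), a.get(k))
            for k in sorted(set(b) | set(a)) if b.get(k) != a.get(k)}

def sample_export(min_len: int) -> bytes:
    """Constructed, shortened stand-in for a real export file."""
    text = ("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n"
            f"MinimumPasswordLength = {min_len}\r\n"
            "PasswordHistorySize = 24\r\n"
            '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n')
    return text.encode("utf-16")

if __name__ == "__main__":
    baseline = load_export(sample_export(7))   # taken before the change
    current = load_export(sample_export(0))    # taken after the install
    drift = policy_drift(baseline, current)
    if drift:
        for name, (old, new) in drift.items():
            print(f"{name}: baseline {old}, now {new}")
    else:
        print("password policy matches the baseline")
```

An empty result means the rollback took effect on that machine; any entry left in the result is a setting that is still different from the baseline export.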
 