Server 2003 Password Group Policy

s.green
We are having a problem with accounts frequently locking out. I have set the GP using GPMC and analysed the RSoP. This sets the number of incorrect passwords allowed to 15, resets the count every 10 minutes and, after a lockout, resets the account after 30 minutes.
However, when I add the ALTools DLL to my System32 and view the account attributes in AD, the GP has not taken effect. The number of incorrect passwords allowed is set to 3 and the reset times are at the default of 30 minutes.
Can anybody shed any light on this for me?
  • p.j.hutchison

    Where did you set the policy? Really, password policies should only be set in the 'Default Domain Policy' and nowhere else.
    You cannot use different password policies elsewhere; it applies to the whole domain or nowhere.

    dma69593

    Have you used GPUPDATE to refresh the policy once you made the changes?

    s.green

    The password policy is not set in the Default Domain Policy but is set in a policy that is applied at the domain level. I have used gpupdate /force and allowed time for the DCs to replicate. Then I have confirmed which DC authenticated the logon (using NLTest), but the GPMC results don't match the policy displayed on the user and computer tab's Additional Account Info, which is displayed when the ALTools acctinfo.dll is added.

    klewis

    We've seen those add-in tools display incorrect information with regard to the user account's password expiration date. For some reason it does not work reliably in 2003 domains.

    If you would like to try something that will show you the accurate date and info for all of your user accounts, as well as provide proactive email alerts to users with expiring passwords, visit our site http://www.sysoptools.com and download Password Reminder PRO. It is totally free to use for two months, which should allow you time to use it to help you troubleshoot issues.
    We also have a completely free tool called AD Query that lets you search user objects and displays all of their configured schema data in an easy-to-read console, including friendly conversion of the binary date/time tick values that are normally unreadable.
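    An added example (my own script, not from this thread and not a vendor tool) that reproduces what acctinfo.dll shows without the add-in: the lockout and password policy the domain actually enforces, read from the domain head object, followed by one account's lockout counters on every DC, with the raw tick values klewis refers to converted into minutes, days and dates. It assumes a domain-joined Windows host with PowerShell and the ADSI provider; `$UserName` is a placeholder account.

```powershell
# Added example; not from the thread or from any vendor tool. Reads the policy the
# domain really enforces (domain head attributes written by the PDC emulator from the
# winning domain-linked GPO) and the per-DC lockout counters acctinfo.dll displays.
# Assumes a domain-joined Windows host with PowerShell; $UserName is a placeholder.
param([string]$UserName = "jdoe")

$dnc    = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$domain = [ADSI]"LDAP://$dnc"

# ADSI returns LargeInteger attributes as COM objects; the adapter converts them to Int64.
function Get-Int64Attr($entry, [string]$attr) {
    $entry.ConvertLargeIntegerToInt64($entry.$attr.Value)
}
# Durations are negative 100-ns intervals; Int64.MinValue (or 0) means "never / not set".
function ConvertTo-Units([int64]$ticks, [int64]$ticksPerUnit) {
    if ($ticks -eq [int64]::MinValue -or $ticks -eq 0) { return "never" }
    [math]::Abs($ticks) / $ticksPerUnit
}
# Timestamps are positive FILETIME values; 0 means "never".
function ConvertTo-Date([int64]$ticks) {
    if ($ticks -le 0) { return "never" }
    [DateTime]::FromFileTime($ticks)
}
$minute = 600000000        # 100-ns ticks per minute
$day    = 864000000000     # 100-ns ticks per day

"Enforced domain policy on $dnc (compare this with what RSoP claims):"
"  lockoutThreshold              : {0}" -f $domain.lockoutThreshold.Value
"  lockoutDuration (min)         : {0}" -f (ConvertTo-Units (Get-Int64Attr $domain lockoutDuration) $minute)
"  lockOutObservationWindow (min): {0}" -f (ConvertTo-Units (Get-Int64Attr $domain lockOutObservationWindow) $minute)
"  maxPwdAge (days)              : {0}" -f (ConvertTo-Units (Get-Int64Attr $domain maxPwdAge) $day)

# badPwdCount / badPasswordTime are not replicated, so each DC holds its own copy and the
# values can differ per DC; lockoutTime is replicated. Missing attributes are read as 0.
function Get-Prop($result, [string]$name) {
    if ($result.Properties.Contains($name)) { $result.Properties[$name][0] } else { 0 }
}
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
foreach ($dc in $dcs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($dc.Name)/$dnc")
    $s.Filter = "(&(objectCategory=person)(sAMAccountName=$UserName))"
    [void]$s.PropertiesToLoad.AddRange([string[]]("badPwdCount","badPasswordTime","lockoutTime","pwdLastSet"))
    $r = $s.FindOne()
    if ($r -eq $null) { "$($dc.Name): account not found"; continue }
    # DirectorySearcher already hands LargeInteger attributes back as Int64.
    "{0}: badPwdCount={1} badPasswordTime={2} lockoutTime={3} pwdLastSet={4}" -f $dc.Name,
        (Get-Prop $r badpwdcount), (ConvertTo-Date (Get-Prop $r badpasswordtime)),
        (ConvertTo-Date (Get-Prop $r lockouttime)), (ConvertTo-Date (Get-Prop $r pwdlastset))
}
```

    If the first block does not show the values the GPO was meant to set, the GPO is not the one winning at the domain level; if the per-DC counters disagree, the lockout is being tripped on a DC other than the one NLTest reported.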

    s.green

    Thanks, I'll look at the tools you mentioned.

    We have solved the problem: we had to set the DC passwords with a local policy. Since then all the issues have gone. GP should overwrite local policy, but in this case they conflicted.

    klewis

    No problem, glad to help.

    We have some excellent white papers on the lower half of our website support page http://www.sysoptools.com/support.html that discuss how the password policy functions in AD, how to properly set it in the domain's policy hierarchy, and 'best practices' for the expiration policy itself. The white papers are from Microsoft Sr. technical advisors and are very good reads.

    We also have a whitepaper on how to successfully deploy a password change policy in an existing domain while minimizing impact to users.

    These resources should be of some help.
