Server 2003 Password Group Policy

We are having a problem with accounts frequently locking out. I have set the GP using GPMC and analysed the RSoP. This sets the number of incorrect passwords allowed to 15, resets the count every 10 minutes and, after a lockout, resets the account after 30 minutes.
However, when I add the ALTools DLL to my System32 and view the account attributes in AD, the GP has not taken effect. The number of incorrect passwords allowed is set to 3 and the reset times are at the default of 30 minutes.
Can anybody shed any light onto this for me?



by p.j.hutchison In reply to Server 2003 Password Grou ...

Where did you set the policy? Really, password policies should only be set in the 'Default Domain Policy' and nowhere else.
You cannot use different password policies elsewhere; it applies to the whole domain or nowhere.


refresh policy

by dma69593 In reply to Server 2003 Password Grou ...

Have you used GPUPDATE to refresh the policy once you made changes?


Domain Policy & GPUpdate

by In reply to refresh policy

The password policy is not set in the Default Domain Policy but is set in a policy that is applied at the domain level. I have used gpupdate /force and allowed time for the DCs to replicate. Then I have confirmed which DC authenticated the logon (using NLTest), but the GPMC results don't match the policy displayed on the user and computer tab additional account information that is displayed when ALTools acctinfo.dll is added.


Domain password date and policy

by klewis In reply to Domain Policy & GPUpdate

We've seen those add-in tools display incorrect information in regards to the user account's password expiration date. For some reason it does not work reliably in 2003 domains.

If you would like to try something that will show you the accurate date and info for all of your user accounts, as well as provide proactive email alerts to users with expiring passwords, visit our site and download Password Reminder PRO. It is totally free to use for two months, which should allow you time to use it to help you troubleshoot issues.
We also have a completely free tool called AD Query that lets you search user objects and displays all of their configured schema data in an easy-to-read console, including friendly conversion of binary date / time tick values that are normally unreadable.



by In reply to Domain password date and ...

Thanks, I'll look at the tools you mentioned.

We have solved the problem: we had to set the DC passwords with a local policy. Since then all the issues have gone. GP should overwrite local policy, but in this case they conflicted.



by klewis In reply to solution

No problem, glad to help.

We have some excellent white papers on the lower half of our website support page that discuss how the password policy functions in AD, how to properly set it in the domain's policy hierarchy, and 'best practices' for the expiration policy itself. The white papers are from Microsoft Sr. technical advisors and are very good reads.

We also have a whitepaper on how to successfully deploy a password change policy in an existing domain while minimizing impact to users.

These resources should be of some help.
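
Added example, not part of the original thread or any poster's code: Active Directory keeps the domain lockout settings on the domain object as `lockoutThreshold`, `lockoutDuration` and `lockOutObservationWindow`, the two timers stored as negative counts of 100 ns intervals. The sketch below decodes a constructed LDIF-style excerpt (the domain name and values are made up to match the symptoms in the question) and diffs it against the intended 15 / 10 min / 30 min policy.

```python
# Added example: decode the lockout attributes stored on the domain object
# and diff them against the intended policy from the question.
INTERVALS_PER_MINUTE = 60 * 10_000_000  # AD stores these timers in 100 ns units

# Constructed sample: LDIF-style excerpt of a domain object holding the values
# the poster reported seeing (threshold 3, both timers at 30 minutes).
SAMPLE_LDIF = """\
dn: DC=example,DC=local
lockoutThreshold: 3
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
"""

# Intended settings from the question: 15 bad passwords, counter reset after
# 10 minutes, lockout lasting 30 minutes (timers expressed in minutes).
INTENDED = {
    "lockoutThreshold": 15,
    "lockOutObservationWindow": 10,
    "lockoutDuration": 30,
}

def parse_ldif(text):
    """Return {attribute: raw string value} for simple 'name: value' lines."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name != "dn":
            attrs[name] = value.strip()
    return attrs

def to_minutes(raw):
    """Convert a negative 100 ns interval count to whole minutes."""
    return abs(int(raw)) // INTERVALS_PER_MINUTE

def effective_policy(attrs):
    """Decode the three lockout attributes into comparable values."""
    return {
        "lockoutThreshold": int(attrs["lockoutThreshold"]),  # 0 = lockout off
        "lockOutObservationWindow": to_minutes(attrs["lockOutObservationWindow"]),
        "lockoutDuration": to_minutes(attrs["lockoutDuration"]),
    }

def diff_policy(intended, effective):
    """Return {setting: (intended, effective)} for every mismatch."""
    return {k: (v, effective[k]) for k, v in intended.items() if effective[k] != v}

if __name__ == "__main__":
    effective = effective_policy(parse_ldif(SAMPLE_LDIF))
    for name, (want, got) in diff_policy(INTENDED, effective).items():
        print(f"{name}: intended {want}, effective {got}")
```
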
