Fine-Grained Password Policies not applying
Hello world,
I am trying to implement Fine-Grained Password Policies in Windows Server 2008 Standard Edition. I have created a Password Security Object (see below), a security group, assigned a user to the security group and finally applied the PSO to the security group.
PSO settings created by Specops Password Policy Basic:
msDS-LockoutDuration: 0:00:10:00
msDS-LockoutObservationWindow: 0:00:05:00
msDS-LockoutThreshold: 3
msDS-MaximumPasswordAge: 30:00:00:00
msDS-MinimumPasswordAge: 4:00:00:00
msDS-MinimumPasswordLength: 8
msDS-PasswordComplexityEnabled: FALSE
msDS-PasswordHistoryLength: 12
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordSettingsPrecedence: 1
msDS-PSOAppliesTo: CN=etc…
My issue is when trying to change my test account's password. I've found that if I type 15 or more characters I get the following message:
The password is longer than older versions of Windows, such as Windows 98 or Windows 95, can use. Press Cancel to enter a new password,
or OK to proceed with this password.
If I type in less than 15 characters I get the following message:
Your Password must be at least 6 characters, cannot repeat any of your previous 1 passwords and must be at least 0 days old. Please
type in a different password. Type a password which meets these requirements in both text boxes.
When I look at the user's properties under the Attribute Editor tab in AD, I see msDS-ResultantPSO has my policy listed but msDS-PSOApplied says <not set>. When I look at the Attribute Editor for the security group, msDS-PSOApplied lists my PSO.
It basically looks like my test user account is not picking up my PSO policy and therefore reverting to the default domain security policy. But I have no idea why. Also, the issue around the 15 or more characters is strange, as the default password policy is set to 6 characters. So... is it defaulting to the default policy? I thought it might be merging 8 + 6 = 14, hmmm... I'm losing it.
I recently performed an in-place upgrade on our domain controllers from Windows Server 2003 to 2008 Standard Edition, and raised both the forest and domain functional levels to Server 2008. The client computer is running Windows XP SP3 with all updates, including the client-side extensions.
My next step (which I'll try tomorrow) is to apply the PSO directly to the test user; if that doesn't work, I'll try it on a Windows 7 desktop.
If anyone has any ideas please get in touch.
Regards
Michael
July 8th, 2010 6:27pm
Hi Michael,
Based on my test and the following article, your PSO applies to the user properly. If the PSO is assigned to a security group, the user's msDS-PSOApplied is empty.
Step 4: View a Resultant PSO for a User or a Global Security Group
http://technet.microsoft.com/en-us/library/cc770848(WS.10).aspx
Try the command below and let us know the result.
dsget user <User-DN> -effectivepso
Please note, the second error message may also be caused by the Password History or Minimum Password Age settings. Try changing these settings and test again.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 9th, 2010 8:46am
Hi Mervyn,
Thanks for your reply. Here are the results of the dsget user:
dsget user "CN=Michael Test,OU=Test-OU,DC=mydomain,DC=com" -effectivepso
effectivepso
"CN=Staff Password Policy,CN=Password Settings Container,CN=System,DC=mydomain,DC=com"
dsget succeeded
I installed a few Windows updates and restarted both of our DCs yesterday. I've also changed the msDS-MinimumPasswordAge to 00:00:00:00 (as suggested) and tried resetting the password again, and it has worked! I'm guessing that my policy of 4 days was prohibiting the change and throwing up a false positive.
I still can't understand why I get two very different error messages. But then I found these posts:
http://www.eggheadcafe.com/software/aspnet/35553267/change-password-message-does-not-match-pso.aspx
Basically it says that the error messages are not correct in XP and this cannot/has not been fixed.
…And another post referring to a similar issue.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/858cdbc9-933b-4591-9dfc-f05d46f9ebbd
Basically, Johncouzins's solution was to upgrade to Windows Server 2008 R2. Unfortunately our servers are not 64-bit, so we cannot.
Anyway, hope this helps anyone else still running XP and trying to implement PSOs.
Thanks
Michael
July 9th, 2010 12:13pm
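The two checks this thread turns on, the user's resultant PSO (Mervyn's dsget suggestion) and whether the PSO's minimum password age is what actually blocks the change (Michael's fix), can be combined in one script. This is an added example, not code from either poster; it assumes the ActiveDirectory PowerShell module (available with Windows Server 2008 R2 or later RSAT) and a hypothetical account name.

```powershell
# Added example: resolve the effective PSO for a user and test whether the
# minimum password age currently forbids a password change.
# Assumes the ActiveDirectory module; 'michael.test' is a hypothetical account.
Import-Module ActiveDirectory

function Test-PsoPasswordChange {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Identity   # sAMAccountName or distinguished name
    )

    $user = Get-ADUser -Identity $Identity `
        -Properties pwdLastSet, 'msDS-PSOApplied', 'msDS-ResultantPSO'

    # The resultant policy is what actually governs the user, whether the PSO
    # is linked to the user directly or inherited through group membership.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    if (-not $pso) {
        # No PSO wins for this user: the Default Domain Policy applies.
        return [pscustomobject]@{
            User         = $user.SamAccountName
            ResultantPSO = $null
            Note         = 'Default domain password policy in effect'
        }
    }

    # pwdLastSet is a FILETIME; 0 means "must change at next logon".
    $lastSet  = [DateTime]::FromFileTime([long]$user.pwdLastSet)
    $earliest = $lastSet + $pso.MinPasswordAge

    [pscustomobject]@{
        User                  = $user.SamAccountName
        ResultantPSO          = $pso.Name
        # Empty when the PSO is linked via a group, exactly as seen in the thread.
        PSOLinkedDirectly     = [bool]$user.'msDS-PSOApplied'
        MinPasswordLength     = $pso.MinPasswordLength
        PasswordHistoryCount  = $pso.PasswordHistoryCount
        MinPasswordAge        = $pso.MinPasswordAge
        PasswordLastSet       = $lastSet
        ChangeAllowedFrom     = $earliest
        ChangeBlockedByMinAge = ((Get-Date) -lt $earliest)
    }
}

Test-PsoPasswordChange -Identity 'michael.test' | Format-List
```

If ChangeBlockedByMinAge is True, the user will be refused a change even though the resultant PSO is correct, which is the symptom Michael hit with a 4-day minimum age.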
Glad to hear the problem was resolved. If you have more questions in the future, you're welcome to post in this forum.
Thanks.
July 13th, 2010 4:46am