I know I have read many posts in many places about turning off password complexity in Server 2008. Our domain is native 2008r2 with three DCs. I have disabled the password complexity in the default domain policy and have made sure no other gpos contains anything pertaining to passwords. I have even tried creating a new password object and applying it. We have rebooted all of the DCs, even workstations but we still continue to receive the message. This has been going on for weeks. Does anyone have any other ideas or things to check?

Two things to check on. 1) setting the values to "Not Defined" is NOT the same thing as disabling the policy if you have another policy with a higher precedence. 2) password policy is not required to be defined in the "Default Domain Policy". Check to make sure you do not have any other policy linked at the Domain object and/or Domain Controllers OU. How to Implement an Active Directory Password Policy http://www.anitkb.com/2010/03/how-to-implement-active-directory.html Visit: anITKB.com, an IT Knowledge Base.

Hello, please post the current settings you have in the GPO set on domain level.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

I checked to be sure there were no other policies that contained any password settings. Below are the current settings in the Default Domain Policy: Enforce password history: 3 remembered Maximum password age: 90 days Minimum password age: 0 day Minimum password length: 6 characters Pass must meet complexity requirements: disabled Store passwords using reversible encryption: disabled Now something strange that I have noticed this weekend is after setting these above, when I checked the next day they were back to default settings with complexity stating it was enabled. I'm not sure why this is being reset back to policy default, but what ever is causing this may be my issue even though it does not work after resetting the entries. There are only two DCs in this child domain, one gui and one core. They appear to be replicating perfectly.

Hello, just to make sure, does it look like this: http://www.petri.co.il/images/disable_pwd_req2.gif from: http://www.petri.co.il/disable_password_requirement_in_win2003_domain.htm Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Yes. I doubled checked to be sure it was 'disabled' and just not enabled at all.

Hello JenMck, You have also verified that there are no GPOs applied to the "Domain Controllers" container which have Password Policy settings? Also, in your statement, "Now something strange that I have noticed this weekend is after setting these above, when I checked the next day they were back to default settings with complexity stating it was enabled." did you find any other clues as to what could be the cause?Visit: anITKB.com, an IT Knowledge Base.

I have verified that thisis the only gpo containing any password policy settings. There are currently only four gpos in this domain. As to my other statement, I have found no clues giving me any indications. I made sure that replication was working correctly between the two. I cannot see any reason why the settings would default back to the original gpo state after many hours. This is the first time I have seen this, however this is our first full 2008 child domain in the forest. the others are a mix of 2003 and 2008. This shouldn't make a difference, but if this is some sort of security issue with 2008 I am unaware of it.

hmmm? thinking, thinking... hmmmm? Ok, no other security issues in 2008. I have to ask...You do not have any Fine Grained Password Policies (FGGPs) in place either correct? Since you have verified there are no other GPOs, this is the only other possibility I can think of. Of course, the strange behavior you experienced with the settings coming back is still a concern.Visit: anITKB.com, an IT Knowledge Base.

Hi JenMck, Thanks for posting here. According the situation right now, here is some suggestion for you reference: 1. Please refer to the following Microsoft Knowledge Base article to ensure “Block Policy Inheritance” option is not enabled on the Domain Controllers OU. Changes are not applied when you change the password policy http://support.microsoft.com/?id=269236 2. Create a new password complexity policy and link the policy to the Domain Controllers OU. In this policy, please disable password complexity policy. 3. Force replication and refresh policy on both domain controllers Meanwhile ,please compare group policy setting of both domain controller by using GPMC Result report ,make sure the policy setting is synchronized. Reporting on GPO Settings http://technet.microsoft.com/en-us/library/cc775413(WS.10).aspx Please post the result here. Thanks. Tiger Li Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thank you. I'll create another policy and apply at the domain controllers OU. I'll let you know if this works.

Ok. After four hours, running gpupdate /force and rebooting and DCs it still requires the complexity. The gpo I created has the password complexity set as 'disabled' and no other settings in it. I am stumped.

Based on your description, we are all stumped. Even if you block inheritance at the Domain Controlllers OU and create a new policy with the settings disabled, if there is an Enforced policy linked to the domain object level, it will override the Block Inheritance. Again, the only two areas of focus here should be the domain object level and the domain controllers OU level. These are the only two places that can possibly be applying policy to domain users (also the FGGP I mentioned in my previous post in this thread). We have to assume that you are clearing looking in those locations and providing the correct feedack to our suggestions. I am still concerned about the settings "magically" reverting back. Have you tried to recreate this issue in a lab environment? Visit: anITKB.com, an IT Knowledge Base.

I have not tried in a lab environment as we do not currently have the equipment for me to set this up. I was however after two days able to get the password settings in the Default Domain policy to stick. I'm thinking they may have been some sort of latency between the hub site and the local campus site making replication a little off. I appreciate everyone's help. I'm not sure what else to try or where to look. If anyone comes up with any other ideas, please let me know. If I happen to have an aha moment, i'll post in case someone else runs into this issue.

ok. I finally got it to work correctly. I had to go onto the DCs themselves and change the local security policy. Not sure why I had to take this route, but this seemed to work for me.