
"Password Complexity" -bitch to remove.


Guest Anteaus
Posted

One of the things I detest about 2003-on Server is that "Password Complexity" policy which is forced upon you as soon as you load the AD.

 

People who put this policy on obviously hadn't got their brains in-gear that day, as they failed to consider the problems it causes when importing users from an existing server, or when installing a server on a site which ALREADY has a different password policy in-force, and with which this conflicts.

 

Perhaps the daftest aspect is that despite this piece of paranoia there is by default no password-lockout policy, allowing an intruder an infinite number of tries at a password. I would have thought that a default lockout-policy would have been far more important, and would not have caused any great problem for most installers, whereas the (undocumented and unannounced) complexity-requirements most certainly do.

 

Anyway, the issue I keep hitting is that it is extremely difficult to remove this policy. Even when the settings have been changed in both the Domain Controller and Domain policies, the thing still keeps refusing to create users because 'the password does not meet complexity requirements'

 

Other policy settings seem to work as expected.

 

I think the failure to clear this policy (at least not without numerous attempts) must be a bug, as I don't see how it can be anything I'm doing wrong. If so it's one that's been around a long time, and badly needs fixed.

Guest Lanwench [MVP - Exchange]
Posted

Re: "Password Complexity" -bitch to remove.

 

Anteaus <Anteaus@discussions.microsoft.com> wrote:

> One of the things I detest about 2003-on Server is that "Password Complexity" policy which is forced upon you as soon as you load the AD.

 

Hmmmm....no it isn't. In fact, there's no password policy in place in a vanilla W2003 AD.

>
> People who put this policy on obviously hadn't got their brains in-gear that day, as they failed to consider the problems it causes when importing users from an existing server, or when installing a server on a site which ALREADY has a different password policy in-force, and with which this conflicts.
>
> Perhaps the daftest aspect is that despite this piece of paranoia there is by default no password-lockout policy, allowing an intruder an infinite number of tries at a password. I would have thought that a default lockout-policy would have been far more important, and would not have caused any great problem for most installers, whereas the (undocumented and unannounced) complexity-requirements most certainly do.
>
> Anyway, the issue I keep hitting is that it is extremely difficult to remove this policy. Even when the settings have been changed in both the Domain Controller and Domain policies, the thing still keeps refusing to create users because 'the password does not meet complexity requirements'
>
> Other policy settings seem to work as expected.
>
> I think the failure to clear this policy (at least not without numerous attempts) must be a bug, as I don't see how it can be anything I'm doing wrong. If so it's one that's been around a long time, and badly needs fixed.

 

I know it feels good to rant, but that's really not going to help you get help. So -

 

In which policy did you manually enable this? (I don't recommend editing built-in policies for things like this, myself - create custom GPOs)

 

How long did you wait after undoing the complexity requirements?

 

And have you done a gpupdate /force, and then run an rsop.msc?

Guest Anteaus
Posted

Re: "Password Complexity" -bitch to remove.

 

"Lanwench [MVP - Exchange]" wrote:

> I know it feels good to rant

 

Actually, I'm not ranting. You would know if I was. Definitely know.

 

The problem actually seems to be that the policies have somehow 'reverted' - As you say there should be no default policy on 2003, and I'm pretty sure there was none immediately after the AD was set up. The restriction seems to have sprung-up out of nowhere, a few reboots down the line. Why I don't know.

 

The first inkling of trouble was when a batch-file of 'net user /add' commands failed owing to password-complexity restrictions. But, I'd created a few domain-accounts manually before this with no trouble.

 

Was thinking that it might be best to create a couple of custom policies attached to the container, as you suggest.

 

Anyway, it's cleared now, just hope it doesn't return.

 

Thanks for comments.

Guest Lanwench [MVP - Exchange]
Posted

Re: "Password Complexity" -bitch to remove.

 

Anteaus <Anteaus@discussions.microsoft.com> wrote:

> "Lanwench [MVP - Exchange]" wrote:
>
>> I know it feels good to rant
>
> Actually, I'm not ranting. You would know if I was. Definitely know.

 

Wow - I'll believe you. Remember, nobody here knows you or can see your facial expressions when you're typing - a lot of things do not come across as intended when put into plain text. By normal standards of netiquette, that definitely bordered on rant. I completely understand your frustration level, but if you want help, it's best to leave all that out. Just stick to the plain facts. And drink heavily after work if you have to bury the pain. ;-)

>
> The problem actually seems to be that the policies have somehow 'reverted' -

 

Ah, but to what?

> As you say there should be no default policy on 2003, and I'm pretty sure there was none immediately after the AD was set up.

 

Exactly.

>
> The restriction seems to have sprung-up out of nowhere, a few reboots down the line. Why I don't know.

 

Who else has access to your servers/domain admin/policies? I can't think of any update you could've installed or updated that would have done this on its own, honestly.

>
> The first inkling of trouble was when a batch-file of 'net user /add' commands failed owing to password-complexity restrictions. But, I'd created a few domain-accounts manually before this with no trouble.
>
> Was thinking that it might be best to create a couple of custom policies attached to the container, as you suggest.

 

Definitely - link custom GPOs. And create custom GPOs for your users/company/computers/groups, nested - although password policies must apply at the domain level. It will just make your group policy stuff manageable in the future.

>
> Anyway, it's cleared now, just hope it doesn't return.
>
> Thanks for comments.

 

No problem - you might just chalk this up to gremlins.
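
Added example (not written by anyone in this thread): a PowerShell check of the two settings the thread argues about, password complexity and the lockout threshold, read from the `[System Access]` section of a `secedit /export` file. The function names and the sample export are constructed for illustration, and the note that a domain controller's export reflects the domain's account policy is an assumption about where you run it.

```powershell
# Parse the [System Access] section of a secedit export into a hashtable.
function Get-SystemAccess {
    param([string[]]$InfLines)
    $inSection = $false
    $settings = @{}
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.+)$') {
            $settings[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Report the state of complexity and lockout so drift is visible at a glance.
function Test-AccountPolicy {
    param([hashtable]$Settings)
    $findings = @()
    if ($Settings['PasswordComplexity'] -eq '1') {
        $findings += 'PasswordComplexity = 1: complexity requirements are enforced'
    } else {
        $findings += 'PasswordComplexity is off'
    }
    if ([int]$Settings['LockoutBadCount'] -eq 0) {
        $findings += 'LockoutBadCount = 0: no lockout, password guesses are unlimited'
    } else {
        $findings += "Lockout after $($Settings['LockoutBadCount']) bad attempts"
    }
    return $findings
}

# Constructed sample export matching the situation described in the thread.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
'@ -split "`r?`n"
Test-AccountPolicy (Get-SystemAccess $sample)

# Live use from an elevated prompt, after refreshing policy:
#   gpupdate /force
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   Test-AccountPolicy (Get-SystemAccess (Get-Content "$env:TEMP\secpol.inf"))
```

Running the live commands before and after a policy change, and again after a few reboots, shows whether the setting actually changed or came back.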

