Guest Anteaus
Posted March 20, 2008

One of the things I detest about 2003-on Server is that "Password Complexity" policy which is forced upon you as soon as you load the AD.

People who put this policy on obviously hadn't got their brains in-gear that day, as they failed to consider the problems it causes when importing users from an existing server, or when installing a server on a site which ALREADY has a different password policy in-force, and with which this conflicts.

Perhaps the daftest aspect is that despite this piece of paranoia there is by default no password-lockout policy, allowing an intruder an infinite number of tries at a password. I would have thought that a default lockout-policy would have been far more important, and would not have caused any great problem for most installers, whereas the (undocumented and unannounced) complexity-requirements most certainly do.

Anyway, the issue I keep hitting is that it is extremely difficult to remove this policy. Even when the settings have been changed in both the Domain Controller and Domain policies, the thing still keeps refusing to create users because 'the password does not meet complexity requirements'.

Other policy settings seem to work as expected.

I think the failure to clear this policy (at least not without numerous attempts) must be a bug, as I don't see how it can be anything I'm doing wrong. If so it's one that's been around a long time, and badly needs fixed.

Guest Lanwench [MVP - Exchange]
Posted March 20, 2008

Re: "Password Complexity" -bitch to remove.

Anteaus <Anteaus@discussions.microsoft.com> wrote:
> One of the things I detest about 2003-on Server is that "Password
> Complexity" policy which is forced upon you as soon as you load the
> AD.

Hmmmm....no it isn't. In fact, there's no password policy in place in a vanilla W2003 AD.

> People who put this policy on obviously hadn't got their brains
> in-gear that day, as they failed to consider the problems it causes
> when importing users from an existing server, or when installing a
> server on a site which ALREADY has a different password policy
> in-force, and with which this conflicts.
>
> Perhaps the daftest aspect is that despite this piece of paranoia
> there is by default no password-lockout policy, allowing an intruder
> an infinite number of tries at a password. I would have thought that
> a default lockout-policy would have been far more important, and
> would not have caused any great problem for most installers, whereas
> the (undocumented and unannounced) complexity-requirements most
> certainly do.
>
> Anyway, the issue I keep hitting is that it is extremely difficult to
> remove this policy. Even when the settings have been changed in both
> the Domain Controller and Domain policies, the thing still keeps
> refusing to create users because 'the password does not meet
> complexity requirements'
>
> Other policy settings seem to work as expected.
>
> I think the failure to clear this policy (at least not without
> numerous attempts) must be a bug, as I don't see how it can be
> anything I'm doing wrong. If so it's one that's been around a long
> time, and badly needs fixed.

I know it feels good to rant, but that's really not going to help you get help. So -

In which policy did you manually enable this? (I don't recommend editing built-in policies for things like this, myself - create custom GPOs)

How long did you wait after undoing the complexity requirements? And have you done a gpupdate/force, and then run an rsop.msc?

Guest Anteaus
Posted March 20, 2008

Re: "Password Complexity" -bitch to remove.

"Lanwench [MVP - Exchange]" wrote:
> I know it feels good to rant

Actually, I'm not ranting. You would know if I was. Definitely know.

The problem actually seems to be that the policies have somehow 'reverted' - As you say there should be no default policy on 2003, and I'm pretty sure there was none immediately after the AD was setup.

The restriction seems to have sprung-up out of nowhere, a few reboots down the line. Why I don't know.

The first inkling of trouble was when a batch-file of 'net user /add' commands failed owing to password-complexity restrictions. But, I'd created a few domain-accounts manually before this with no trouble.

Was thinking that it might be best to create a couple of custom policies attached to the container, as you suggest.

Anyway, it's cleared now, just hope it doesn't return.

Thanks for comments.

Guest Lanwench [MVP - Exchange]
Posted March 21, 2008

Re: "Password Complexity" -bitch to remove.

Anteaus <Anteaus@discussions.microsoft.com> wrote:
> "Lanwench [MVP - Exchange]" wrote:
>
>> I know it feels good to rant
>
> Actually, I'm not ranting. You would know if I was. Definitely know.

Wow - I'll believe you. Remember, nobody here knows you or can see your facial expressions when you're typing - a lot of things do not come across as intended when put into plain text. By normal standards of netiquette, that definitely bordered on rant. I completely understand your frustration level, but if you want help, it's best to leave all that out. Just stick to the plain facts. And drink heavily after work if you have to bury the pain. ;-)

> The problem actually seems to be that the policies have somehow
> 'reverted' -

Ah, but to what?

> As you say there should be no default policy on 2003, and
> I'm pretty sure there was none immediately after the AD was setup.

Exactly.

> The restriction seems to have sprung-up out of nowhere, a few reboots
> down the line. Why I don't know.

Who else has access to your servers/domain admin/policies? I can't think of any update you could've installed or updated that would have done this on its own, honestly.

> The first inkling of trouble was when a batch-file of 'net user /add'
> commands failed owing to password-complexity restrictions. But, I'd
> created a few domain-accounts manually before this with no trouble.
>
> Was thinking that it might be best to create a couple of custom
> policies attached to the container, as you suggest.

Definitely - link custom GPOs. And create custom GPOs for your users/company/computers/groups, nested - although password policies must apply at the domain level. It will just make your group policy stuff manageable in the future.

> Anyway, it's cleared now, just hope it doesn't return.
>
> Thanks for comments.

No problem - you might just chalk this up to gremlins.
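
The check the thread circles around (refresh policy, then see what is really in force), as an added example that is not part of any post above: it exports the security policy the domain controller is actually enforcing and reports the complexity and lockout values. The function name `Get-SystemAccessSettings` and the temp file name are assumptions; run it from an elevated PowerShell prompt on the DC.

```powershell
# Added example (not from the thread): show the password/lockout settings
# this machine is enforcing right now, after a policy refresh.

# Parse the [System Access] section of a secedit INF export into a hashtable.
function Get-SystemAccessSettings {
    param([string[]]$InfLines)
    $settings  = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Track whether we are inside the section that holds account policy.
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $t -match '^([^=;]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Re-apply Group Policy first so the export reflects the current GPO state.
gpupdate /force | Out-Null

# Hypothetical temp file name; secedit writes the effective settings to it.
$cfg = Join-Path $env:TEMP 'effective-secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$s = Get-SystemAccessSettings -InfLines (Get-Content -Path $cfg)
Remove-Item -Path $cfg

foreach ($name in 'PasswordComplexity', 'MinimumPasswordLength', 'LockoutBadCount') {
    '{0,-22} = {1}' -f $name, $s[$name]
}

# PasswordComplexity = 1 means the complexity filter is on.
if ($s['PasswordComplexity'] -eq '1') {
    'Complexity is still enforced; use rsop.msc to see which GPO sets it.'
}
# LockoutBadCount = 0 means accounts never lock out on bad passwords.
if ($s['LockoutBadCount'] -eq '0') {
    'No lockout threshold is set: password guesses are unlimited.'
}
```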