
We are trying to modify our existing password policy that is being applied via GPO. For some reason it is not applying any of the settings in the password policy section (Comp Config > Policies > Windows settings > Security Settings > Account Policies > Password Policy).

We have password settings defined in only one of our GPOs. It is not the Default Domain Policy that was created on AD installation; we created a new policy and then modified this custom policy. The Default Domain Policy is NOT linked; rather, this custom domain policy is. Among other settings, the custom domain policy sets the password policies for the domain. We modified the custom policy recently to set MinPasswordLength (MPL) to 16 characters and MaxPasswordAge (MPA) to 180 days. These settings under Password Policy are not being applied. If I change any of the Account Lockout Policy settings, they change just fine; only the Password Policy settings are not changing. I have tried changing the settings to see if they are being applied and then checking the default password policy (via PowerShell Get-ADDefaultDomainPasswordPolicy). I have tried the following (and I've tried to capture the results in the attached image):

  • Making sure that this custom policy is the first in priority at the domain level in the tree (it's the only one listed).
  • Adding a new policy and making it the highest priority at the domain level. I used different settings so that it would be apparent when I ran the PS cmdlet that I was looking at different settings. This resulted in the Account Lockout settings changing, but NOT the Password Policy settings.
  • Making the GPO that sets our password policy "enabled" (right-click, select enabled, locking it out). This forced it to the top of the priority lists on all downline OUs, but had some VERY unintended consequences, so we made it NOT enabled.
  • Ran Group Policy Results (in Group Policy Management) against the PDC and the results say the new settings should be applied to the DC.
  • Linked the Default Domain Policy and set it in priority above the custom domain policy, again Lockout policies were applied, but not Password Policy settings.

I've been reading about having to make sure that the Password Policy applies to the domain controllers as the priority GPO. If I select the OU with our PDC/DC, it is listed as first AFTER the GPOs applied directly to the OU. Neither of the two GPOs applied at this OU sets password policy.

We are running Windows Server 2016 Domain Controllers with Active Directory at Windows Server 2012 R2 Domain and Functional Level.

I cannot see where I am going wrong. It seems that the settings that won't change are ones that we had previously set in the custom domain policy, but I'm apparently missing something somewhere to get this to work correctly. Any help would be appreciated.

[Image: results to go with original post] [Image: results requested in comments]

yougotiger
  • Use the "Group Policy Results" module, at the bottom of your first screenshot, to obtain the result for different servers... – Carlos Garcia Nov 05 '19 at 23:16
  • Different regular servers or the other DC? I ran it for several of the workstations in the domain and they all indicated that the custom policy should apply, but it isn't being applied. I'll run it for the other DC and post results in another picture. – yougotiger Nov 05 '19 at 23:27
  • If the module shows that something must apply to a workstation (and you will know it from the result), then try to troubleshoot the replication system and search the event viewer for any error related to group policy. – Carlos Garcia Nov 05 '19 at 23:36
  • I have added an image with the results. I will look into GP replication on our other server then. – yougotiger Nov 05 '19 at 23:46
  • Checked the event viewer on both DCs and on a workstation and there didn't seem to be any errors applying GPOs. – yougotiger Nov 06 '19 at 00:04

1 Answer

So I called MS support and they had me use the Set-ADDefaultDomainPasswordPolicy cmdlet. I didn't want to use this previously because I didn't know what to plug into the -Identity parameter. Turns out I should use our domain object (our xyz.com), and this says it set correctly. One note that we made is that the age parameters don't take a straight integer for days; put in DD.HH:MM:SS (yes, that is a . not a : between DD and HH).

yougotiger
  • I'm glad you solved it. What does that cmdlet do exactly? Did MS tell you? – Carlos Garcia Nov 06 '19 at 22:54
  • No, I'm not sure where it stores this information. It doesn't seem to modify any of the GPOs that I have applied, but it worked to change the effective policy. If you're looking for more information on using the cmdlet, googling it has plenty of information; it just wasn't clear what to put in the -Identity parameter. – yougotiger Nov 12 '19 at 14:43
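The procedure from the answer, written out as an added example; this is not code from the original post or from Microsoft support. It assumes the RSAT ActiveDirectory module is installed, that the session has rights to write the domain head object, and that the 16-character / 180-day values are the ones wanted. The domain is resolved with Get-ADDomain rather than typed in, so it does not depend on the poster's xyz.com. It also answers the last comment's question about where the values live: Set-ADDefaultDomainPasswordPolicy writes the minPwdLength and maxPwdAge attributes directly on the domain naming-context head object, which is what Get-ADDefaultDomainPasswordPolicy reads back, and the example reads those raw attributes to show that.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory
# module and write access to the domain head object.
Import-Module ActiveDirectory

$dom    = Get-ADDomain
$domain = $dom.DistinguishedName   # e.g. DC=xyz,DC=com; any domain identity form works for -Identity
$pdc    = $dom.PDCEmulator         # the DC that applies domain-level password settings

# Read the effective policy first so there is a before/after to compare.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain -Server $pdc
"Before: MinPasswordLength={0} MaxPasswordAge={1}" -f $before.MinPasswordLength, $before.MaxPasswordAge

# The age parameters are TimeSpans. The string form is DD.HH:MM:SS ("180.00:00:00"),
# with a dot between days and hours. Building the value with New-TimeSpan avoids
# that pitfall entirely; both forms below are equivalent.
$maxAge = New-TimeSpan -Days 180        # same as [TimeSpan]::Parse("180.00:00:00")

Set-ADDefaultDomainPasswordPolicy -Identity $domain -Server $pdc `
    -MinPasswordLength 16 `
    -MaxPasswordAge $maxAge

# Verify from AD itself on the PDC emulator rather than from GPO reports.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain -Server $pdc
if ($after.MinPasswordLength -ne 16 -or $after.MaxPasswordAge -ne $maxAge) {
    throw "Policy did not take effect on $pdc"
}
"After:  MinPasswordLength={0} MaxPasswordAge={1} (read from {2})" -f $after.MinPasswordLength, $after.MaxPasswordAge, $pdc

# Where the values are stored: attributes on the domain head object. maxPwdAge is
# kept as a negative large integer in 100-nanosecond units, which is exactly one
# .NET tick, so negating it and converting from ticks yields the TimeSpan.
$raw = Get-ADObject -Identity $domain -Server $pdc -Properties minPwdLength, maxPwdAge
"Raw: minPwdLength={0} maxPwdAge={1} ({2} days)" -f $raw.minPwdLength, $raw.maxPwdAge,
    ([TimeSpan]::FromTicks(-1 * [int64]$raw.maxPwdAge)).TotalDays
```

Run it in an elevated PowerShell session on a DC or a management host with RSAT. Two caveats a practitioner should keep in mind: -Server is pointed at the PDC emulator because that is the DC whose Group Policy processing normally populates these attributes from the highest-precedence domain-linked GPO, so reading anywhere else can show stale values until replication catches up; and because that same GPO processing can write the attributes again on the next policy refresh, the domain-linked GPO should carry the same values the cmdlet sets, otherwise the two will disagree and the GPO may win later.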