0

In my Samba Active Directory Domain, I want to allow passwords that are long (passphrase) and based only on small caps and special characters, i.e. no requirement for large caps and numbers.

In order to do so, I created a new domain wide GPO for authenticated users where I disabled the complexity check (Password must meet password complexity requirement) and instead increased the minimum password length to 10.

I ran gpupdate to make sure the policy was distributed to the computer I'm sitting on. Unfortunately, this didn't have the expected effect, I still get the error message that my new password is not in line with the password policy.

A quick check using gpresult /v reveals the following information: 

    Account Policies
    ----------------
        GPO: Default Domain Policy
            Policy:            MaximumPasswordAge
            Computer Setting:  180

        GPO: Default Domain Policy
            Policy:            MinimumPasswordAge
            Computer Setting:  15

        GPO: Default Domain Policy
            Policy:            MinimumPasswordLength
            Computer Setting:  10

    Security Options
    ----------------
        GPO: Default Domain Policy
            Policy:            PasswordComplexity
            Computer Setting:  Not Enabled

What went wrong?

Update: Since a few commenters suggested I should do it via the Default Policy, I did that. The result remains exactly the same. I am attaching a screenshot of the policy just to avoid any doubt.

SreenshotDefaultPolicy

And here is a screenshot of the local security policy which confirms that the GPO was indeed applied. It looks fine but I can still create 8 digit passwords for domain users and they must include large caps and a number.

ScreenshotLocalPolicy

vic
  • 973
  • 1
  • 10
  • 22
  • The password policy is set in default domain policy – Dale Jun 04 '16 at 10:39
  • Or, more generally, the scope of the GPO does not include the computer or user in question. Also, I'm pretty sure some policies can not be updated with a `gpupdate` and instead require a restart. – Todd Wilcox Jun 04 '16 at 11:26
  • This GPO sits in the domain node, right under the default domain policy (which I never touched). I only have one domain so all users and computers should be affected by the policy. No? – vic Jun 04 '16 at 11:28
  • Btw: Restarting the computer did not change anything. – vic Jun 04 '16 at 11:30

2 Answers2

2

Ok, this caught me completely off guard. While a Samba Active Directory domain can be usually fully configured without any issues using RSAT, it seems that the password policy is one of these very few things where this doesn't work, or at least not in its entirety. The solution is to turn off complexity directly on the Samba server, using 

# samba-tool domain passwordsettings set --complexity=off

I have not initially declared that I'm using Samba so the other answers and comments are entirely valid for a Microsoft-only domain. I will adapt my question to reflect the use of Samba.

Update for clarification: As Joe pointed out, the GPO for the password settings is applied to the domain controller itself and not the clients like with regular GPOs. And that is the reason why this GPO could not take effect on a Samba DC. Samba can only serve GPOs, not apply them to itself.

vic
  • 973
  • 1
  • 10
  • 22
1

Ignoring FGPP, there can be only one domain Password Policy. This is by default defined in the Default Domain Policy GPO. If you want to use a different Password Policy GPO then you need to link it to the domain and give it a higher precedence than the Default Domain Policy GPO. I suspect that's where your problem lies.

https://blogs.manageengine.com/active-directory/2014/05/16/domain-password-policies-configuring-and-auditing-correctly.html

EDIT:

Something to understand is that the Password Policy affects the local security accounts database. This means that when you're looking at the settings on a member computer you're looking at the settings that are applied to the local security account database on that member computer and will affect local user accounts on that member computer. For Active Directory users the local security account database is the Active Directory database, which is stored on the Domain Controllers. If you want to see what the Password Policy is for the domain then you need to run the Group Policy Results wizard against a Domain Controller, not against a member computer. Run that and post your results in your question.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • Thanks for the interesting link. I'm not using FGPP, by the way. So, I followed these instructions and gave my PasswdPolicy the highest preference. Ran gpupdate, and restarted the computer. Still no change. gpresult /v gives me the same result as above - the 12 character requirement was taken over from the new policy, but not the complexity check. I will check to see what happens if I just unlink this separate policy and do it through the default policy. – vic Jun 04 '16 at 14:35
  • Same situation. See updated question. Seems to me everything is right but it still doesn't work. – vic Jun 04 '16 at 15:14
  • Thanks for the additional information. It doesn't help in my specific situation, see my answer, but you still helped me understand the issue a lot better. – vic Jun 04 '16 at 15:30