
GPO Problem

So I’m having an issue configuring a password complexity group policy in my company’s network environment and I’m hoping someone with some solid experience with GPOs can help me out. We came in a while ago as salary workers to replace an outsourced IT department. I’m guessing that when they deployed these servers they never instituted a password complexity above what comes by default with Server 2008. The end users are obviously using terribly insecure passwords and this needs to change. The problem now is that it needs to be done very carefully since the company has grown considerably (several sites across Canada and the US with over 300 end users).

My boss has commissioned me with the project of setting up the password complexity rule but it’s proving to be a nightmare. I’ve tried several methods to institute it to end users as gradually as possible but nothing seems to work (I’ve actually only noticed recently). The problem is that I can’t just do it in one fell swoop like how you normally would. The reason being that I don’t want to knock everyone off the network (over 300 people all calling that they are locked out of their machines). Our client-to-site VPN protocol also authenticates using MSAD, so that’s another reason I can’t just make it apply; otherwise I cut off the access of almost all our remote workers. Anyways, here is what I’ve done so far:

• Created a GPO with Computer Configuration Security Setting that defined character limits, history, length, age, and complexity. This was linked at the Domain level.
• The security filtering for the GPO applied to a small security group on ADS. In this security group existed all computer and user objects of that office for the GPO to apply to.
• The GPO was enforced in GPMC and I opened a command line and used GPUPDATE on the server as well as the test workstation and user where I was testing to see if the policy would apply.
• When I run GPRESULT /R I could see that the policy propagated to the server and workstation but it is being filtered out saying either…

Filtering: (Not Applied)
or
Filtering: (Disabled)

I honestly have no idea where to go from here to get these to work. I’ve double checked everything and it should be working as far as I can see. I’ve looked up certain sites concerning this problem where people have implied that complexity enabled can only be done for a GPO with security filtering to all authenticated users, not individual security groups. But that won’t work for me since this needs to be done incrementally over time. Can anyone shed some light on this issue?


Sure...so with regard to this statement...

The problem is that I can’t just do it as one fell swoop like how you normally would.

You are correct, but there are some methods you can take to mitigate the issues, or at least address them in phases.

Ok...

Created a GPO with Computer Configuration Security Setting that defined character limits, history, length, age, and complexity. This was linked at the Domain level.

That's the method to deploy the password policy for the domain. If you were concerned about affecting all users, you just did!

With regard to...

The security filtering for the GPO applied to a small security group on ADS. In this security group existed all computer and user objects of that office for the GPO to apply to.

As you saw when you created the policy, the password settings are in the computer configuration section, so it doesn't apply to users as you would think. Password policy applies to computer objects!

--> here is something that may help you regarding password policy: Implementing a Password Policy

Ok, my recommendation....

Set all of your accounts to "Password Never Expires". You find that property on the Accounts tab on the user accounts. You can actually select all your users' accounts, right click and set this property. This will ensure that the password policy age setting does not apply. Otherwise, all of your users that have a password age greater than the setting configured will be impacted. Not a good thing to suddenly have all of those help desk calls come in at the same time.

The other settings are OK because they will only be enforced when the user tries to change their password voluntarily, or when you create a new user account.

Now to start enforcing the max password age, here is an option which at the very least is controlled.

Schedule a group of users, maybe by department or last name, and let them know when you will be removing the "password never expires" attribute. When you are ready to address those users, you can simply uncheck this setting and let the system do its magic, or at that time, you can check the property "Force user to change password at next logon".

For the next few days, deal with any password change related issues.

Then go to the next group of people.

Another option...

is to set the max password age greater than the oldest password age in the domain. Then every few days, update the password policy by reducing the max age value a few days less. Again, you will impact users, but only a few at a time and the system should prompt them anyway. The downside is that this is not as controlled, but you don't have to set the accounts to "password never expires", nor do you have to "force users to change password at next logon"...

Edited by JorgeM
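The phased approach JorgeM describes (freeze everyone with "Password Never Expires", then release one scheduled group at a time) can be scripted so that each wave is previewed before anything changes. The following is an added example, not code from the thread or from JorgeM; it assumes the RSAT ActiveDirectory module and an account allowed to modify user objects, and the search base 'DC=example,DC=com' and the group name 'PasswordRollout-Wave1' are placeholders. It also covers the starting point for his second option by reporting the oldest password age in the domain.

```powershell
# Added example, not code from the original thread or from JorgeM. Assumes the RSAT
# ActiveDirectory module. 'DC=example,DC=com' and 'PasswordRollout-Wave1' are placeholders.
Import-Module ActiveDirectory

# Step 1 (the "Password Never Expires" freeze): flag every enabled user that is not
# already flagged, so the domain MaxPasswordAge cannot expire anyone before their wave.
function Invoke-PasswordExpiryFreeze {
    param([string]$SearchBase = 'DC=example,DC=com', [switch]$WhatIf)
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -SearchBase $SearchBase |
        ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $true -WhatIf:$WhatIf }
}

# Oldest password age in the domain. The second option sets MaxPasswordAge above this
# value and then steps it down a few days at a time; this tells you where to start.
function Get-OldestPasswordAgeDays {
    param([string]$SearchBase = 'DC=example,DC=com')
    $oldest = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordLastSet |
        Where-Object PasswordLastSet |
        Sort-Object PasswordLastSet |
        Select-Object -First 1
    [math]::Ceiling(((Get-Date) - $oldest.PasswordLastSet).TotalDays)
}

# Step 2 (one wave): report each member's password age against the domain MaxPasswordAge,
# then clear "never expires" and optionally force a change at next logon. Run with -WhatIf
# first: members whose password is already older than MaxPasswordAge expire the moment the
# flag clears, which matters for VPN users authenticating against AD (they lose access until
# they change the password).
function Invoke-PasswordWaveRelease {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$ForceChangeAtLogon,
        [switch]$WhatIf
    )
    $maxAge = (Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser).MaxPasswordAge
    # The poster's group also held computer objects; only user objects carry these flags.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires

    foreach ($u in $members) {
        $ageDays = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        # A zero MaxPasswordAge means "never"; a null PasswordLastSet means the password is already expired.
        $expiresNow = ($null -eq $ageDays) -or
                      ($maxAge -ne [TimeSpan]::Zero -and $ageDays -gt $maxAge.TotalDays)
        [pscustomobject]@{
            User                = $u.SamAccountName
            PasswordAgeDays     = if ($null -ne $ageDays) { [math]::Round($ageDays) } else { 'never set' }
            ExpiresWhenReleased = $expiresNow
        }
        if ($WhatIf) { continue }
        # Two calls: ChangePasswordAtLogon cannot be set while PasswordNeverExpires is still $true.
        Set-ADUser -Identity $u -PasswordNeverExpires $false
        if ($ForceChangeAtLogon) { Set-ADUser -Identity $u -ChangePasswordAtLogon $true }
    }
}

# Usage: preview the wave, then release it forcing a change at next logon.
# Invoke-PasswordWaveRelease -GroupName 'PasswordRollout-Wave1' -WhatIf
# Invoke-PasswordWaveRelease -GroupName 'PasswordRollout-Wave1' -ForceChangeAtLogon
```

The preview column ExpiresWhenReleased is the one to read before each wave: it lists exactly the people who will be prompted (or, for remote VPN users, cut off) as soon as the flag is cleared, so the help desk can be staffed for that number rather than for the whole domain.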


As you saw when you created the policy, the password settings are in the computer configuration section, so it doesnt apply to users as you would think. Password policy applies to computer objects!

So I guess my question is, you can't actually filter out specific groups of people using security groups that the policy will only apply to? And that's because it applies only to computer objects and not the user objects?

Does that mean it has to apply to everyone at the same time and the only way of delegating groups of people instead of everyone at once is to enable all users with "password never expires" and uncheck small groups at a time?

There is still one thing I'm a bit confused about. Since it's a computer configuration policy (like you said), why did it still not work when I also added in all the computer objects that group of people use into the membership list? Should it not have applied then?

Edited by Omni


So I guess my question is, you can't actually filter out specific groups of people using security groups that the policy will only apply to? And that's because it applies only to computer objects and not the user objects?

Correct, because you really want the policy to be processed by the DCs. DCs have domain users. If the DCs can't read the policy, nothing gets applied. But you can implement Fine Grained Password Policies (FGPP), which are handled a little differently. With FGPPs you can target security principals such as users and groups. FGPPs are not implemented via GPOs.

Does that mean it has to apply to everyone at the same time and the only way of delegating groups of people instead of everyone at once is to enable all users with "password never expires" and uncheck small groups at a time?

Yes, correct, unless you go with only applying FGPPs and not going with a domain policy. However, this requires a lot of management and coordination. My experience is to go with the domain policy and work with users in a controlled fashion. Even if you go with FGPPs you still have to roll it out in phases... Again, my recommendation is domain policy.

There is still one thing I'm a bit confused about. Since it's a computer configuration policy (like you said), why did it still not work when I also added in all the computer objects that group of people use into the membership list? Should it not have applied then?

As I mentioned before... for a domain password policy to apply, it must be read and applied by the domain controllers. If the security filtering prevents the DCs from reading the policy, there is no policy to apply to the user accounts the DCs host in their database.

Edited by JorgeM
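For completeness, here is what the FGPP route JorgeM mentions looks like when done from PowerShell, since it is the mechanism that actually targets users and groups instead of relying on DCs reading a filtered GPO. This is an added example, not code from the thread or from JorgeM; it assumes the RSAT ActiveDirectory module and Domain Admins rights, the PSO name 'PSO-Wave1' and the group 'PasswordRollout-Wave1' are placeholders, and the numeric settings are illustrative rather than a recommendation.

```powershell
# Added example, not code from the original thread or from JorgeM. Assumes the RSAT
# ActiveDirectory module. 'PSO-Wave1' and 'PasswordRollout-Wave1' are placeholders.
Import-Module ActiveDirectory

# FGPPs need the Windows Server 2008 domain functional level or higher.
function Test-FgppSupported {
    $mode = (Get-ADDomain).DomainMode.ToString()
    $mode -notin @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
}

# Create a Password Settings Object. Precedence: when several PSOs reach one user,
# the lowest number wins, so leave room between waves (100, 200, ...).
function New-WavePso {
    param([string]$Name = 'PSO-Wave1', [int]$Precedence = 100)
    if (-not (Test-FgppSupported)) { throw 'Domain functional level is below Windows Server 2008; FGPP unavailable' }
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# Bind the PSO to a *global* security group of users. Unlike GPO security filtering,
# this targets the user objects directly: computer objects in the group are irrelevant,
# and domain-local groups are not valid PSO subjects, hence the check.
function Add-WaveToPso {
    param([string]$PsoName = 'PSO-Wave1', [string]$GroupName = 'PasswordRollout-Wave1')
    $g = Get-ADGroup -Identity $GroupName
    if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
        throw "$GroupName must be a global security group to be a PSO subject"
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# Verification: which policy actually governs each account. A null resultant policy
# means the domain default (the Default Domain Policy read by the DCs) applies.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $sam
        if ($pso) {
            [pscustomobject]@{
                User = $sam; Source = 'FGPP'; Policy = $pso.Name
                MinLength = $pso.MinPasswordLength; Complexity = $pso.ComplexityEnabled
                MaxAgeDays = $pso.MaxPasswordAge.TotalDays
            }
        } else {
            $d = Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
            [pscustomobject]@{
                User = $sam; Source = 'Domain default'; Policy = $d.DistinguishedName
                MinLength = $d.MinPasswordLength; Complexity = $d.ComplexityEnabled
                MaxAgeDays = $d.MaxPasswordAge.TotalDays
            }
        }
    }
}

# Usage: create the PSO, bind the first wave, then compare a pilot user with a non-pilot user.
# New-WavePso
# Add-WaveToPso
# Get-EffectivePasswordPolicy -SamAccountName 'pilot.user', 'other.user' | Format-Table
```

The last function is the useful check regardless of which route you take: GPRESULT on a workstation shows whether a GPO was filtered, but only the resultant policy on the account tells you which password rules the DC will enforce for that user.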


Ok thank you so much for clearing that up! The guides you provided are also very helpful!
