So I’m having an issue configuring a password complexity group policy in my company’s network environment and I’m hoping someone with some solid experience with GPOs can help me out. We came in a while ago as salary workers to replace an outsourced IT department. I’m guessing that when they deployed these servers they never instituted a password complexity above what comes default with Server 2008. The end users are obviously using terribly insecure passwords and this needs to change. The problem now is that it needs to be done very carefully since the company has grown considerably (several sites across Canada and US with over 300 end users).
My boss has commissioned me with the project of setting up the password complexity rule but it’s proving to be a nightmare. I’ve tried several methods to institute it to end users as gradually as possible but nothing seems to work (I’ve actually only noticed recently). The problem is that I can’t just do it in one fell swoop like how you normally would. The reason is that I don’t want to knock everyone off the network (over 300 people all calling that they are locked out of their machines). Our client-to-site VPN protocol also authenticates using MSAD, so that’s another reason I can’t just make it apply; otherwise I cut off the access to almost all our remote workers. Anyways, here is what I’ve done so far:
• Created a GPO with Computer Configuration Security Setting that defined character limits, history, length, age, and complexity. This was linked at the Domain level.
• The security filtering for the GPO applied to a small security group on ADS. In this security group existed all computer and user objects of that office for the GPO to apply to.
• The GPO was enforced on GPMC and I opened a command line and used GPUPDATE on the server as well as the test workstation and user where I was testing to see if the policy would apply.
• When I run GPRESULT /R I could see that the policy propagated to the server and workstation but it is being filtered out: Filtering: (Not Applied) or Filtering: (Disabled)
I honestly have no idea where to go from here to get these to work. I’ve double-checked everything and it should be working as far as I can see. I’ve looked up certain sites concerning this problem where people have implied that complexity enabled can only be done for a GPO with security filtering to all authenticated users, not individual security groups. But that won’t work for me since this needs to be done incrementally over time. Can anyone shed some light on this issue?