Password Complexity Problem

Hi there,
I applied the securedc template to one of my DC's
which also enabled password complexity requirements which
is NOT something I want in my environment. The policy has
already replicated to my other DC's 5 in all. I know have
users reporting that their passwords have expired and
cannot log on. I cannot change their passwords back
either because of the requirments. I went into the
Default Domain Policy and changed all the password
settings to either disabled or not applied. Rebooted
every DC and am still having the problem with the
passwords. Is there something else that needs to get done
to disable all the password complexity requirements? Is
there something in the registry that also has to be
changed? Please help, In a dire situation.

Thanks in advance.

BTW... I also set 'Enforce Password History' to 0
and 'Minimum password length' to 0. As I read in another
post.
>-----Original Message-----
>Hi there,
> I applied the securedc template to one of my DC's
>which also enabled password complexity requirements which
>is NOT something I want in my environment. The policy
has
>already replicated to my other DC's 5 in all. I know
have
>users reporting that their passwords have expired and
>cannot log on. I cannot change their passwords back
>either because of the requirments. I went into the
>Default Domain Policy and changed all the password
>settings to either disabled or not applied. Rebooted
>every DC and am still having the problem with the
>passwords. Is there something else that needs to get
done
>to disable all the password complexity requirements? Is
>there something in the registry that also has to be
>changed? Please help, In a dire situation.
>
>Thanks in advance.
>.
>

Not sure if you have already tried this but go to your DC and start, run, secpol.msc. Under account policy/password policy change "passwords must meet complexity requirements" to disabled and test from a workstation by forcing the policy to the computer (open a cmd prompt and type gpupdate /force) then try to reset the password.

Bradley Fox
Sr. Network Administrator
MCSE - W2K

>>> MC<(E-Mail Removed)> 07/29/04 09:58AM >>>
Hi there,
I applied the securedc template to one of my DC's
which also enabled password complexity requirements which
is NOT something I want in my environment. The policy has
already replicated to my other DC's 5 in all. I know have
users reporting that their passwords have expired and
cannot log on. I cannot change their passwords back
either because of the requirments. I went into the
Default Domain Policy and changed all the password
settings to either disabled or not applied. Rebooted
every DC and am still having the problem with the
passwords. Is there something else that needs to get done
to disable all the password complexity requirements? Is
there something in the registry that also has to be
changed? Please help, In a dire situation.

Thanks in advance.

Apply DC security.inf template. Read

http://support.microsoft.com/default...b;en-us;816585
HOW TO: Apply Predefined Security Templates in Windows Server 2003

http://support.microsoft.com/default...b;en-us;816580
HOW TO: Analyze System Security in Windows Server 2003

Brad,
Thanks for the repsonse, however I have tried it all.
It's just not taking effect. Any other ideas?
>-----Original Message-----
>Not sure if you have already tried this but go to your DC
and start, run, secpol.msc. Under account policy/password
policy change "passwords must meet complexity
requirements" to disabled and test from a workstation by
forcing the policy to the computer (open a cmd prompt and
type gpupdate /force) then try to reset the password.
>
>Bradley Fox
>Sr. Network Administrator
>MCSE - W2K
>
>>>> MC<(E-Mail Removed)> 07/29/04
09:58AM >>>
>Hi there,
> I applied the securedc template to one of my DC's
>which also enabled password complexity requirements which
>is NOT something I want in my environment. The policy
has
>already replicated to my other DC's 5 in all. I know
have
>users reporting that their passwords have expired and
>cannot log on. I cannot change their passwords back
>either because of the requirments. I went into the
>Default Domain Policy and changed all the password
>settings to either disabled or not applied. Rebooted
>every DC and am still having the problem with the
>passwords. Is there something else that needs to get
done
>to disable all the password complexity requirements? Is
>there something in the registry that also has to be
>changed? Please help, In a dire situation.
>
>Thanks in advance.
>

1. Never apply any template to anything without knowing what it actually
does. Always make a backup of the Default Domian Policy or never change it
at all and use a copy of it to make changes and set the priority order. you
can always delete the copy to quickly return to the original untouched copy.

2. When you make changes again your have to wait for replication to
replicate the new changes. Rebooting doesn't make replication happen (it
happens on a timer)and can even delay it because they have to running and
can not replicate if they are in the middle of rebooting.

If it still does work after replication, see if others here have better
ideas,...I admit AD isn't my best "area".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"MC" <(E-Mail Removed)> wrote in message
news:673701c47574$1878e9d0$(E-Mail Removed)...
> Hi there,
> I applied the securedc template to one of my DC's
> which also enabled password complexity requirements which
> is NOT something I want in my environment. The policy has
> already replicated to my other DC's 5 in all. I know have
> users reporting that their passwords have expired and
> cannot log on. I cannot change their passwords back
> either because of the requirments. I went into the
> Default Domain Policy and changed all the password
> settings to either disabled or not applied. Rebooted
> every DC and am still having the problem with the
> passwords. Is there something else that needs to get done
> to disable all the password complexity requirements? Is
> there something in the registry that also has to be
> changed? Please help, In a dire situation.
>
> Thanks in advance.

This is way to messy and way out of control. I have users
trying to log on and they are getting "your password has
expired" messages and such. I am going to do an
authoritative restore from before I applied the template,
I think that should work, any reservations about it????
>-----Original Message-----
>1. Never apply any template to anything without knowing
what it actually
>does. Always make a backup of the Default Domian Policy
or never change it
>at all and use a copy of it to make changes and set the
priority order. you
>can always delete the copy to quickly return to the
original untouched copy.
>
>2. When you make changes again your have to wait for
replication to
>replicate the new changes. Rebooting doesn't make
replication happen (it
>happens on a timer)and can even delay it because they
have to running and
>can not replicate if they are in the middle of rebooting.
>
>If it still does work after replication, see if others
here have better
>ideas,...I admit AD isn't my best "area".
>
>--
>
>Phillip Windell [MCP, MVP, CCNA]
>www.wandtv.com
>
>"MC" <(E-Mail Removed)> wrote in
message
>news:673701c47574$1878e9d0$(E-Mail Removed)...
>> Hi there,
>> I applied the securedc template to one of my DC's
>> which also enabled password complexity requirements
which
>> is NOT something I want in my environment. The policy
has
>> already replicated to my other DC's 5 in all. I know
have
>> users reporting that their passwords have expired and
>> cannot log on. I cannot change their passwords back
>> either because of the requirments. I went into the
>> Default Domain Policy and changed all the password
>> settings to either disabled or not applied. Rebooted
>> every DC and am still having the problem with the
>> passwords. Is there something else that needs to get
done
>> to disable all the password complexity requirements? Is
>> there something in the registry that also has to be
>> changed? Please help, In a dire situation.
>>
>> Thanks in advance.
>
>
>.
>

"MC" <(E-Mail Removed)> wrote in message
news:6c6401c475af$68be3900$(E-Mail Removed)...
> This is way to messy and way out of control. I have users
> trying to log on and they are getting "your password has
> expired" messages and such. I am going to do an
> authoritative restore from before I applied the template,
> I think that should work, any reservations about it????

You mean a System State restore? I think that would work but I'd be more
comfortable telling you that if the other guys watching the thread can back
me up on that. Like I said,..AD isn't my best area.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Well I did the authoritative restore of AD and that did
the trick for me. Thanks for all your help.
>-----Original Message-----
>"MC" <(E-Mail Removed)> wrote in
message
>news:6c6401c475af$68be3900$(E-Mail Removed)...
>> This is way to messy and way out of control. I have
users
>> trying to log on and they are getting "your password has
>> expired" messages and such. I am going to do an
>> authoritative restore from before I applied the
template,
>> I think that should work, any reservations about it????
>
>You mean a System State restore? I think that would work
but I'd be more
>comfortable telling you that if the other guys watching
the thread can back
>me up on that. Like I said,..AD isn't my best area.
>
>--
>
>Phillip Windell [MCP, MVP, CCNA]
>www.wandtv.com
>
>
>.
>