There is a lot of confusion about how password policies should be implemented in an Active Directory domain. In this article, I want to provide some tips on how to troubleshoot password policy settings, especially for those situations where you know you have correctly defined the policy, yet still find that the settings are not being applied as expected.
Here are some troubleshooting tips for when your domain password policy doesn’t appear to apply to your domain users:
- Domain Controllers ignore password policy settings defined in GPOs linked to the Domain Controllers OU. Make sure your password policy GPO is linked at the domain object level. Account policy is propagated by the Domain Controller holding the PDC Emulator role, which writes the values to the root of the Domain Naming Context (DC=domain,DC=tld).
- Check for common issues that affect default policy inheritance behavior:
  - Link Order – the precedence order for GPOs linked to a given container. The GPO link with Link Order 1 has the highest precedence on that container.
  - Block Inheritance – the ability to prevent an OU or domain from inheriting GPOs from any of its parent containers. Note that Enforced GPO links are always inherited, even through a block.
  - Enforcement – (previously known as “No Override”) the ability to specify that a GPO should take precedence over any GPOs that are linked to child containers.
  - Link Status – determines whether a given GPO link is processed for the container to which it is linked.
- Check whether the Domain Controllers OU is blocking inheritance. This configuration prevents the DCs from reading the policies linked at the domain object level.
- Make sure that all of your Domain Controller objects are still stored in the Domain Controllers OU, specifically and especially the DC holding the PDC Emulator role.
- Verify that there are no replication problems in the domain.
- Password policies applied at the OU level apply to the computer objects in the linked OU. Password policies are computer configuration settings, not user configuration settings. If you apply a password policy at the OU level, the local user accounts stored on the computers in the linked OU are the only accounts affected by the GPO.
- If you want to apply different policies to specific users, consider using Fine-Grained Password Policies (FGPP). Refer to Microsoft’s TechNet article for more information: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
- If you don’t want the domain password policy affecting the local users stored in the SAM database on domain computers, you could block inheritance on those OUs or create a GPO such as ‘Client Device Password Policy’ to override the domain password policy at the client computer OU level.
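The checks in the list above can be run from one console session. The following script is an added example written for this article, not a tool from Microsoft or from the original post; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, that `repadmin` is available, and that it runs as a domain account that can read GPO links. It makes no changes; it only reports the conditions the list describes (policy linked at the domain root, no inheritance block on the Domain Controllers OU, PDC Emulator and all DCs still in that OU, replication health, and whether a fine-grained policy is overriding the domain policy for a given user).

```powershell
# Added example (not from the article): read-only diagnostics for the
# troubleshooting steps listed above. Assumes RSAT AD / Group Policy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dcOuDN   = "OU=Domain Controllers,$domainDN"

# 1. The effective policy is whatever the PDC Emulator wrote to the root of the
#    domain naming context; compare it with what your GPO is supposed to set.
Write-Host "Effective domain password policy (read from $domainDN):"
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                MaxPasswordAge, MinPasswordAge, LockoutThreshold

# 2. The password policy GPO must be linked at the domain object level.
#    Show every link there with its order (1 wins), status and enforcement.
Write-Host "`nGPO links on the domain root:"
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 3. A block on the Domain Controllers OU stops domain-linked policy from
#    reaching the DCs (only Enforced links get through).
$dcInheritance = Get-GPInheritance -Target $dcOuDN
if ($dcInheritance.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is BLOCKED on $dcOuDN; the domain-linked password policy will not reach the DCs."
}

# 4. The PDC Emulator must still live in the Domain Controllers OU.
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
if ($pdc.ComputerObjectDN -notlike "*,$dcOuDN") {
    Write-Warning "PDC Emulator $($pdc.HostName) is at $($pdc.ComputerObjectDN), outside $dcOuDN."
}

# 5. Report any other DC that has been moved out of the OU.
Get-ADDomainController -Filter * |
    Where-Object { $_.ComputerObjectDN -notlike "*,$dcOuDN" } |
    ForEach-Object { Write-Warning "DC $($_.HostName) is outside the Domain Controllers OU: $($_.ComputerObjectDN)" }

# 6. Replication problems mean the PDC's values may not have reached every DC.
Write-Host "`nReplication summary:"
repadmin /replsummary

# 7. A fine-grained policy (PSO) silently overrides the domain policy for its
#    members; check the resultant policy for a user before blaming the GPO.
$sample = Read-Host "sAMAccountName to show its resultant password policy (blank to skip)"
if ($sample) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $sample
    if ($pso) { $pso } else { Write-Host "$sample has no PSO applied; the domain policy governs." }
}
```

Run it on a domain member with RSAT rather than on the PDC itself so that step 6 exercises a real replication path; `Get-ADUserResultantPasswordPolicy` returns nothing when no PSO applies, which is the expected case for users governed by the domain policy.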
Here is another common error message for users when Password Policy is enabled: “The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements.”
One thing that most people forget is that when complexity is enabled, the password cannot contain the user’s entire Account Name or entire Full Name. The Account Name and Full Name are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs.
If any of these delimiters are found, the Account Name or Full Name are split and all sections are verified not to be included in the password. There is no check for any single character or any three characters in succession.
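To make the rule above concrete, here is an added example (not code from the article or from Microsoft) that re-implements the name-token part of the complexity check so a candidate password can be tested offline before a user runs into the error message above. The delimiters are the ones the article lists. Two details are taken from Microsoft's documentation of the complexity rule rather than from this article and are assumptions here: the comparison is case-insensitive, and name sections shorter than three characters are skipped. The three-of-five character-category rule is also part of the documented complexity requirement and is included for completeness; the sample user and passwords are constructed.

```powershell
# Added example (not from the article): local model of the complexity rule.
# Assumptions beyond the article: case-insensitive comparison and sections
# under three characters ignored (Microsoft documented behaviour).
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,   # sAMAccountName
        [string]$FullName = ''                         # displayName
    )
    $reasons = [System.Collections.Generic.List[string]]::new()
    $cmp     = [System.StringComparison]::OrdinalIgnoreCase

    # Comma, period, dash/hyphen, underscore, space, pound sign, tab
    $delimiters = '[,.\-_ #\t]'

    # Split each name on the delimiters; every section of three or more
    # characters must be absent from the password. Nothing finer than a
    # whole section is checked: no single characters, no runs of three.
    foreach ($name in @($AccountName, $FullName)) {
        foreach ($token in ($name -split $delimiters)) {
            if ($token.Length -lt 3) { continue }
            if ($Password.IndexOf($token, $cmp) -ge 0) {
                $reasons.Add("password contains name section '$token'")
            }
        }
    }

    # Three of five character categories (-cmatch keeps the regex case-sensitive)
    $categories = @(
        ($Password -cmatch '\p{Lu}'),                 # uppercase letters
        ($Password -cmatch '\p{Ll}'),                 # lowercase letters
        ($Password -cmatch '\p{Nd}'),                 # decimal digits
        ($Password -cmatch '[^\p{L}\p{Nd}]'),         # non-alphanumeric
        ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]')    # letters with no upper/lower case
    )
    $hit = @($categories | Where-Object { $_ }).Count
    if ($hit -lt 3) {
        $reasons.Add("only $hit of 5 character categories used (3 required)")
    }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
    }
}

# Constructed sample user: the full name splits into 'John', 'Smith', 'Jones'.
# 'Smith2024!' satisfies length and categories but still fails on the
# 'Smith' section, which is exactly the case the error message above hides.
Test-PasswordComplexity -Password 'Smith2024!' -AccountName 'jsmith' -FullName 'John Smith-Jones'

# No name section of three or more characters appears here, so it passes.
Test-PasswordComplexity -Password 'Correct-Horse-42' -AccountName 'jsmith' -FullName 'John Smith-Jones'
```

When a help-desk ticket quotes the generic error, running the user's actual sAMAccountName and displayName through this function is a quick way to tell a name-token rejection apart from a length or history failure, since the error text itself does not distinguish them.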
The tips listed above cover most of the password policy issues you are likely to encounter. If you are still experiencing issues after working through this article, I would suggest reaching out to Microsoft technical support for additional guidance before reinstalling Active Directory or introducing further changes that may cause more AD-related issues.