Todd, just to clarify my thinking ... I would say that Domain-wide password, account lockout and kerberos policies can only be set at the domain level. Password policies linked at the OU level are applied to the users configured on the local machine and are ignored when the users logs in with a domain account.
Pat, in AD 2003, you must be aware of these mandatory password policies: Complexity and Lenght. You set the lenght of a passowrd to 6 caracters, but you must configure (disabling or let it like it is) the Complexity of a password too. In your case, you could disable this feature if you do not need it. Wait for 5 minutes or do a gpupdate /force or simply reboot your DC to make sure these changes are made. Then create one user account and set a password of 6 characters. That would be worked. Cheers, Yann ________________________________ De: [EMAIL PROTECTED] de la part de Myrick, Todd (NIH/CC/DNA) Date: lun. 01/08/2005 16:15 À: [email protected] Objet : RE: [ActiveDir] Password Policy and Child Domain Domain password policies are only set at the domain level. You can't set them at the forest or site level. You can over-ride the domain policy for password policy on Workstations and Member Servers in the Domain, but you will have to house them in a OU. Todd ________________________________ From: Piper, Pat [mailto:[EMAIL PROTECTED] Sent: Monday, August 01, 2005 9:34 AM To: [email protected] Subject: [ActiveDir] Password Policy and Child Domain Hello, all - We recently upgraded our Windows 2000 native domain to Windows 2003 native [keene.edu] and created a child domain [student.keene.edu]. The root domain contains faculty and staff accounts and computer objects. The default domain policy requires complex passwords with 8 or more characters. We need to change that policy for the student domain - In order to do that I blocked policy inheritance at the student.keene.edu domain level and created a different password policy in the student.keene.edu default domain policy that does not require complex passwords and only requires a minimum of 6 characters. When I try and reset a user password in the student.keene.edu domain I get an error that the password does not meet the password policy requirement - check history, complexity, or minimum number of characters. The policy has replicated - it's not a latency issue. Any ideas what I can look for to find out why it seems like the root domain password policy is being applied to the child domain despite the fact that I blocked policy inheritance and created a different, less restrictive policy, for the child domain? Thanks, Pat ------------------------------------------------- Desktop & Server Services Keene State College Keene, NH 03435-2615 603 358-2172 When you hire people that are smarter than you are, you prove you are smarter than they are. -- R. H. Grant
<<winmail.dat>>
