Ask the Expert

Revert policy to the initial group policy

I have three DCs in my domain in a single site. I had implemented a Group Policy in the domain for Account Policies in Default Domain Policy | Windows Settings | Security Settings | Account Policies | Password Policy for the following:

Enforce password history - 8
Maximum password age - 42
Minimum password age - 30
Minimum password length - 6
Passwords must meet complexity requirements - Enabled
Store password using reversible encryption for all users in the domain - Enabled

However, for some reason I have to revert my password policy. I really need this since one of my users needs a recent five-lettered password. Whenever I attempt to change the password, an error (shown below) is displayed:

"Windows cannot complete the password change for userX because:
The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."

The current configuration settings of all three security policies (Domain Security Policy, Domain Controller Security Policy and Local Security Policy) are as follows:
Enforce password history - not defined
Maximum password age - not defined
Minimum password age - not defined
Minimum password length - not defined
Passwords must meet complexity requirements - not defined
Store password using reversible encryption for all users in the domain - not defined

I have also tried disabling the policy but I have been unsuccessful. Please help me revert the policy to the initial group policy that was without any restrictions.


The only Group Policy Object that can affect the Account Policy settings is the Default Domain Policy. The system ignores Account Policy settings made anywhere else. The local settings you see in the specialized consoles in the Administrative Tools menu are overridden by the Default Domain GPO.

So, the first thing to do is change the Default Domain GPO policy settings for the Account Policies to the settings you want and run "secedit /refreshpolicy machine_policy". Then shut down and restart the client's machine and see if he is now able to change his password to the five-character password.

If he cannot, make sure that he is connected to the network. If he logs on with cached credentials, then your policy change will not be seen.

This was first published in July 2001
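
A check an administrator could run after the refresh, added here as an example and not part of the original answer: it reads the [System Access] section of a security template exported with secedit /export and names the settings that would still refuse a given password. The sample template, the function names and the candidate passwords are constructed, and the complexity test is simplified (password history and the account-name rule are not evaluated).

```python
import configparser

# Constructed sample: a [System Access] section in the layout that
# `secedit /export` writes, filled with the values from the question.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 30
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 8
ClearTextPassword = 1
"""

def load_account_policy(inf_text):
    """Return the numeric [System Access] values of an exported template."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the setting names' original case
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    return {name: int(value) for name, value in parser["System Access"].items()
            if value.strip().lstrip("-").isdigit()}

def blockers(policy, candidate, days_since_change):
    """Name the settings that would refuse this password change.

    Simplified: password history and the account-name rule are not evaluated.
    """
    refused_by = []
    if len(candidate) < policy.get("MinimumPasswordLength", 0):
        refused_by.append("MinimumPasswordLength")
    if policy.get("PasswordComplexity", 0) == 1:
        classes = [any(c.isupper() for c in candidate),
                   any(c.islower() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate)]
        if sum(classes) < 3:  # complexity needs three character classes
            refused_by.append("PasswordComplexity")
    # Minimum age applies when the user changes his own password.
    if days_since_change < policy.get("MinimumPasswordAge", 0):
        refused_by.append("MinimumPasswordAge")
    return refused_by

if __name__ == "__main__":
    effective = load_account_policy(SAMPLE_INF)
    print(blockers(effective, "abcde", days_since_change=1))
```

An empty result for the intended password means none of the three evaluated settings is what is refusing the change.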
