Re: Good password change fails due to complexity.

Re: Good password change fails due to complexity.
Secure Home | Search | About
Login Password
Register Now! Lost Password?

Microsoft Applications Security - Microsoft's general security discussions and announcements 

Bookmark this page:  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
Re: Good password change fails due to complexity. Paul Adare 09-01-2005
Posted by Paul Adare on September 1, 2005, 11:46 am
If you were  Registered and logged in, you could reply and use other advanced thread options

> Windows XP Pro on a 2003 Server domain.
>
> ctrl+alt+del to change password. I enter the current valid password
> and then a new password (ie BERk3-nod) and it fails with the message
> that it doesn't meet complexity requirements. The password does meet
> the complexity requirements.
>
> I set the complexity requirements in both domain and local Group Policy
> Objects to "disabled". The Group Policy Results show it as disabled.
> Still, Windows won't let me change the password due to complexity.
>
> I called Microsoft, but they said the would not provide support for
> security or passwords. Sheesh, tout the security of your product but
> deny support for problems with security.
>
> Any ideas?
>

Yeah, you don't understand how Group Policy works. Setting those
settings to disabled means, "I won't make any changes to those policy
settings. Whatever they currently are, I'll leave them alone". Whatever
the original complexity settings were, they are still being enforced, as
you've discovered. You need to set those policy settings to their
"zero" levels, not disable them.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

Posted by on September 1, 2005, 12:35 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I understand the aspect of GPO that the "not configured" choice doesn't
override an already applied policy. You need to set it to a value in
order to over write an existing value.

All items pertaining to the password policy in GPO are set to apply.
Everything as been set to zero or disabled. (0 history, 0 Max age, 0
min age, 0 length, disabled complexity). The values _are_ being
applied to the desktop through group policies.

Still, really the issue is not trying to get the policy disabled. I
like the password complexity policy.

The problem is that it's not correctly evaluating the new password as
meeting policy requirements. I even tried "xG-rT-2xflwe" as a
password, and it says that's not complex enough.


Posted by Roger Abell [MVP] on September 1, 2005, 10:05 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Have you checked the domain health with such as netdiag, dcdiag
and if those show clean then checked that AD and FRS are replicating
correctly?

>I understand the aspect of GPO that the "not configured" choice doesn't
> override an already applied policy. You need to set it to a value in
> order to over write an existing value.
>
> All items pertaining to the password policy in GPO are set to apply.
> Everything as been set to zero or disabled. (0 history, 0 Max age, 0
> min age, 0 length, disabled complexity). The values _are_ being
> applied to the desktop through group policies.
>
> Still, really the issue is not trying to get the policy disabled. I
> like the password complexity policy.
>
> The problem is that it's not correctly evaluating the new password as
> meeting policy requirements. I even tried "xG-rT-2xflwe" as a
> password, and it says that's not complex enough.
>



Posted by on September 4, 2005, 3:55 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
netdiag and dcdiag come up good. Active directory and FRS look good.
GPO is applying correctly.

It's weird, even with GPO applying no password complexity and zero
password length WinXP is still evaluating the password as needing to be
a complex one. Even if the password is a complex password, it fails.
Something is really screwed up here.

I hate to have to call Microsoft and pay them to tell me how to fix
this, because it seems like it's a bug of some sorts.

Buster


Posted by Roger Abell [MVP] on September 4, 2005, 7:06 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Domain accounts, right - so WinXP is not really evaluating but just
acting as the intermediary.
It is not accepting even complex passwords, and this behavior is
uniform for all of the client systems?

> netdiag and dcdiag come up good. Active directory and FRS look good.
> GPO is applying correctly.
>
> It's weird, even with GPO applying no password complexity and zero
> password length WinXP is still evaluating the password as needing to be
> a complex one. Even if the password is a complex password, it fails.
> Something is really screwed up here.
>
> I hate to have to call Microsoft and pay them to tell me how to fix
> this, because it seems like it's a bug of some sorts.
>
> Buster
>



Similar ThreadsPosted
Good password change fails due to complexity. September 1, 2005, 11:34 am
Change password complexity July 14, 2008, 6:26 pm
Password Complexity December 8, 2005, 12:32 pm
Password complexity May 12, 2008, 3:02 pm
Policy for Password Complexity July 21, 2006, 1:25 pm
set a stricter password complexity January 30, 2009, 8:12 am
MSBA - Password Complexity Checking July 7, 2005, 11:15 am
Password complexity in W2K Pro/Serv network September 12, 2005, 2:01 pm
Re: Password complexity in W2K Pro/Serv network October 4, 2005, 2:35 am
Password complexity vs Brute Force April 14, 2005, 10:04 pm

The site map in XML format XML site map

Contact Us | Privacy Policy