Changes are not applied when you change the password policy
This article helps solve an issue where the changes aren't applied as expected when you change the password policy.
Applies to: Windows 10 - all editions, Windows Server 2012 R2
Original KB number: 269236
When you change the password policy, the changes are not applied as expected.
This issue can occur in either of the following scenarios:
- The Block Policy Inheritance option is enabled on the Domain Controllers organizational unit.
- The password policy is not set in the Default Domain policy.
To resolve this issue, disable the Block Policy Inheritance option on the Domain Controllers organizational unit:
- Start the Active Directory Users and Computers snap-in.
- Right-click the Domain Controllers organizational unit, click Properties, and then click to clear the Block Policy Inheritance check box.
- On the domain controllers, run the following command: secedit/refreshpolicy machine_policy/enforce
If this issue occurs because you did not set password policy in the Default Domain policy, set all password policies in the Default Domain policy.
This behavior is by design.
In Windows 2000, password policies are read-only at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.