Domain Password Policy set but does not work. Powershell -Get command show different settings.

DWAVE Support 1 Reputation point
2022-10-27T17:51:18.13+00:00

I originally made modifications in Group Policy Management Editor for the Domain Password Policy settings and tried rebooting the PDC and doing a Gpupdate /force. Nothing worked. (This is a single domain controller environment.)

Additional steps I took:
I have gone into Group Policy Management Editor>Domains>(domain Name)>Default Domain Policy (right Click - Edit) Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Password Policy and have modified the following fields:

Maximum password age: 90 Days
Minimum password age: 1 Days
Minimum password length: 12 Characters
Password must meet complexity requirements : enabled

Although these settings stay within the Group Policy Editor they do not seem to apply.
To verify, in Powershell (as administrator) I ran:

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy (Results listed below)
ComplexityEnabled : False
DistinguishedName : DC=accounting,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 50
MaxPasswordAge : 365.00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 664309cc-463b-4a6d-8b82-ed807418ba5d
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

So I tried setting the attributes via Powershell: (results below)

PS C:\Windows\system32> Set-ADDefaultDomainPasswordPolicy -Identity accounting.local -ComplexityEnabled $true -MinPasswordLength 12 -MinPasswordAge 1 -MaxPasswordAge 90

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : True
DistinguishedName : DC=accounting,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 50
MaxPasswordAge : 00:00:00.0000090
MinPasswordAge : 00:00:00.0000001
MinPasswordLength : 12
objectClass : {domainDNS}
objectGuid : 664309cc-463b-4a6d-8b82-ed807418ba5d
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

The attributes stayed for a few minutes then when I checked they reverted back to default:

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : False
DistinguishedName : DC=accounting,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 50
MaxPasswordAge : 365.00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 664309cc-463b-4a6d-8b82-ed807418ba5d
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

Does anyone understand what might be happening? Any help would be appreciated.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,961 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Daisy Zhou 20,461 Reputation points Microsoft Vendor
    2022-11-01T06:09:55.307+00:00

    Hello DWAVESupport-3173,

    Thank you for posting in our Q&A forum.

    For domain password policy, only the domain password policy within the Default Domain Policy object will work.

    Based on the description, did you mean your domain is a single domain with single domain controller in the entire forest, if so, would you please check the gpresult report on this Domain controller?

    Logon the PDC with domain Administrator account.
    Open CMD and run gpresult /h C:\gpo.html and click Enter.
    Open gpo.html and check the password policy under “Computer Details”.

    Also, please check if you configure FGPP for any user or user group?

    For more information about FGPP, please refer to link below.
    Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
    https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ==============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments