GPO password settings not applied in full

Daniel 81 Reputation points
2024-07-18T15:10:23.3966667+00:00

Hello,

I have a small issue with a GPO settings being applied to the device. I have changed some password settings in Default Domain Policy and when I run gpupdate /force or restart the device the settings don't change in full.

What changed is Minimum password length and Maximum password history. Settings like Enforce password history were never set and somehow I have this set to 42 days. And I have noticed that on some devices the value Minimum password length audit is set to 8 characters instead and Minimum password length is set to 0.

Does anyone know how can I figure out from where these settings are coming? I have went over all the settings that are applied with all other GPO's and there is no other GPO's that would contain password settings.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,191 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,619 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Yanhong Liu 11,315 Reputation points Microsoft Vendor
    2024-07-19T07:18:14.9966667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Here are a few steps you can take to troubleshoot and identify the source of these settings:

    1.Group Policy Results Wizard: Use the Group Policy Results Wizard to generate a report on the affected device. This tool will show you which policies are being applied to the device and from where they are coming. Here's how you can use it:

    (1)On the affected device, open Command Prompt or PowerShell as an administrator.

    (2)Type gpresult /h C:\gpresult.html and press Enter. This command generates a detailed HTML report of applied policies.

    (3)Open the generated gpresult.html file in a web browser to view the results.

    (4)Look for the sections related to password policies (like Minimum password length, Enforce password history, etc.) to see which GPOs are setting these policies.

    2.Group Policy Management Console (GPMC):

    (1)Open the GPMC on your domain controller or a machine with the Remote Server Administration Tools (RSAT) installed.

    (2)Navigate to "Group Policy Results" under "Group Policy Management".

    (3)Enter the computer name of the affected device to run a simulation of applied GPOs and see which ones affect password policies.

    3.Check Local Policies: Sometimes local policies can override domain policies. Ensure that no local policies on the affected devices are conflicting with domain policies.

    4.Check Security Filtering and OU Linking: Verify that the affected device is in the correct Organizational Unit (OU) and that no security filtering is accidentally applying additional policies.

    5.Review Event Logs: Look in the Event Viewer logs on the affected device for any Group Policy-related errors or warnings that might shed light on the issue.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.