cannot change local security policy

Posted: 04-23-2007, 09:03 PM
I want to change the "password must meet complexity requirements" of
my PC to "disabled". But the pushbutton is greyed. Why is it doing
that??

My Vista PC is in the active directory domain of my 2nd PC, running
windows server 2003. ( which I configured today. note to MSFT:
configing your systems is very difficult and confusing!! )

on the Server PC I was able to change the password policy and disable
complex names.

thanks,

-Steve

cannot change local security policy


Responses to "cannot change local security policy"

Jesper
Guest
Posts: n/a
 
RE: cannot change local security policy
Posted: 04-23-2007, 11:58 PM
Are you in the Local Security Policy editor (in Administrative tools) on the
Vista computer trying to change this? How did you configure the policy on the
server?
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Steve Richter" wrote:
> I want to change the "password must meet complexity requirements" of
> my PC to "disabled". But the pushbutton is greyed. Why is it doing
> that??
>
> My Vista PC is in the active directory domain of my 2nd PC, running
> windows server 2003. ( which I configured today. note to MSFT:
> configing your systems is very difficult and confusing!! )
>
> on the Server PC I was able to change the password policy and disable
> complex names.
>
> thanks,
>
> -Steve
>
>
Steve Richter
Guest
Posts: n/a
 
Re: cannot change local security policy
Posted: 04-24-2007, 12:48 AM
On Apr 23, 7:58 pm, Jesper <Jes...@discussions.microsoft.com> wrote:
> Are you in the Local Security Policy editor (in Administrative tools) on the
> Vista computer trying to change this? How did you configure the policy on the
> server?
On the server I had the "password must meet complexity or whatever"
disabled on either the "default domain security policy" or the
"default domain controller security policy" . Now I have changed to
"disabled" in both and I can now set to a simple password on the
client.

what kind of madmen designed this?? what is the difference between
"default domain" and "default domain controller"???

-Steve



Jesper
Guest
Posts: n/a
 
Re: cannot change local security policy
Posted: 04-24-2007, 04:50 AM
With all due respect, you need this:
http://www.amazon.com/gp/product/047...otectyourwi-20

The Default Domain Policy is linked to the domain itself. Password policy
settings you make in there apply to all computers in the domain, except for
domain controllers (if the same settings are made in the Default Domain
Controllers Policy). Since you were managing the password policy using the
Default Domain Policy your password settings in Local Security Policy were
greyed out. You told the computer that you want the domain settings to rule.


The Default Domain Controllers Policy is linked to the Domain Controllers
OU. Since policy is processed in the LSDOU (Local, Site, Domain, OU) order,
that policy will override settings made in the Default Domain Policy for the
DCs.

Really, you need to read Jeremy's book if you are going to be playing with
Group Policy. You may want to read one of mine too to understand the security
settings.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Steve Richter" wrote:
> On Apr 23, 7:58 pm, Jesper <Jes...@discussions.microsoft.com> wrote:
> > Are you in the Local Security Policy editor (in Administrative tools) on the
> > Vista computer trying to change this? How did you configure the policy on the
> > server?
>
> On the server I had the "password must meet complexity or whatever"
> disabled on either the "default domain security policy" or the
> "default domain controller security policy" . Now I have changed to
> "disabled" in both and I can now set to a simple password on the
> client.
>
> what kind of madmen designed this?? what is the difference between
> "default domain" and "default domain controller"???
>
> -Steve
>
>
>
>
Steve Antonio [MSFT]
Guest
Posts: n/a
 
Re: cannot change local security policy
Posted: 04-24-2007, 01:18 PM
Because the Vista machine is doinam joined, then the Default Domain
Policy overrides the Local policy. Create a new OU and move the
computer account for you workstation to that new OU. Then you'll want
to create a new group policy object on that OU so that it applies to
that workstation. Modify the GPO to change the settings you wish.

You should never make changes to the Default Domain or Default Domain
Controller policies, but rather create new ones.

Also, why would you want to disable the password complexity
requirements? You are opening yourself up to allowing somebody to
bruce force attack the accounts by using simple passwords. Much easier
to determine the passwords if they are not complex.

Just a though.

Steve Antonio, CISSP

This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm
Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.


On 23 Apr 2007 14:03:42 -0700, Steve Richter
<StephenRichter@gmail.com> wrote:
>I want to change the "password must meet complexity requirements" of
>my PC to "disabled". But the pushbutton is greyed. Why is it doing
>that??
>
>My Vista PC is in the active directory domain of my 2nd PC, running
>windows server 2003. ( which I configured today. note to MSFT:
>configing your systems is very difficult and confusing!! )
>
>on the Server PC I was able to change the password policy and disable
>complex names.
>
>thanks,
>
>-Steve
Jesper
Guest
Posts: n/a
 
Re: cannot change local security policy
Posted: 04-24-2007, 06:48 PM
With all due respect Steve, the built-in password complexity filter is so
weak it certainly does not rule out guessing passwords. "Seattle1" would
qualify as a "strong" password under the built-in filter, as do a myriad of
other weak ones. If you really want to improve password strength, you need to
go for length.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Steve Antonio [MSFT]" wrote:
> Because the Vista machine is doinam joined, then the Default Domain
> Policy overrides the Local policy. Create a new OU and move the
> computer account for you workstation to that new OU. Then you'll want
> to create a new group policy object on that OU so that it applies to
> that workstation. Modify the GPO to change the settings you wish.
>
> You should never make changes to the Default Domain or Default Domain
> Controller policies, but rather create new ones.
>
> Also, why would you want to disable the password complexity
> requirements? You are opening yourself up to allowing somebody to
> bruce force attack the accounts by using simple passwords. Much easier
> to determine the passwords if they are not complex.
>
> Just a though.
>
> Steve Antonio, CISSP
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights. Use of included script samples are subject to the terms
> specified at http://www.microsoft.com/info/cpyright.htm
> Note: For the benefit of the community-at-large, all responses to this
> message are best directed to the newsgroup/thread from which they
> originated.
>
>
> On 23 Apr 2007 14:03:42 -0700, Steve Richter
> <StephenRichter@gmail.com> wrote:
>
> >I want to change the "password must meet complexity requirements" of
> >my PC to "disabled". But the pushbutton is greyed. Why is it doing
> >that??
> >
> >My Vista PC is in the active directory domain of my 2nd PC, running
> >windows server 2003. ( which I configured today. note to MSFT:
> >configing your systems is very difficult and confusing!! )
> >
> >on the Server PC I was able to change the password policy and disable
> >complex names.
> >
> >thanks,
> >
> >-Steve
>
Steve Antonio [MSFT]
Guest
Posts: n/a
 
Re: cannot change local security policy
Posted: 04-24-2007, 07:44 PM
True Jesper...good point.

Here are some links I have kept handy that talk about strong
passwords.

What you should know about strong passwords:

http://www.microsoft.com/technet/sec...nistrators.doc

http://www.microsoft.com/technet/sec...g/tcgch00.mspx

http://www.microsoft.com/technet/sec...hg/sgch00.mspx

http://www.microsoft.com/technet/sec...k/default.mspx

http://www.microsoft.com/resources/d...sword_tips.asp


Password Best Practices:

http://www.microsoft.com/resources/d...rd_protect.asp


Accounts Passwords and Lockout Policies:

http://www.microsoft.com/technet/pro.../bpactlck.mspx


Account Lockout and Management Tools:

http://www.microsoft.com/downloads/d...displaylang=en

Hope this helps.


On Tue, 24 Apr 2007 11:48:02 -0700, Jesper
<Jesper@discussions.microsoft.com> wrote:
>With all due respect Steve, the built-in password complexity filter is so
>weak it certainly does not rule out guessing passwords. "Seattle1" would
>qualify as a "strong" password under the built-in filter, as do a myriad of
>other weak ones. If you really want to improve password strength, you need to
>go for length.
>---
>Your question may already be answered in Windows Vista Security:
>http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
>"Steve Antonio [MSFT]" wrote:
>
>> Because the Vista machine is doinam joined, then the Default Domain
>> Policy overrides the Local policy. Create a new OU and move the
>> computer account for you workstation to that new OU. Then you'll want
>> to create a new group policy object on that OU so that it applies to
>> that workstation. Modify the GPO to change the settings you wish.
>>
>> You should never make changes to the Default Domain or Default Domain
>> Controller policies, but rather create new ones.
>>
>> Also, why would you want to disable the password complexity
>> requirements? You are opening yourself up to allowing somebody to
>> bruce force attack the accounts by using simple passwords. Much easier
>> to determine the passwords if they are not complex.
>>
>> Just a though.
>>
>> Steve Antonio, CISSP
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights. Use of included script samples are subject to the terms
>> specified at http://www.microsoft.com/info/cpyright.htm
>> Note: For the benefit of the community-at-large, all responses to this
>> message are best directed to the newsgroup/thread from which they
>> originated.
>>
>>
>> On 23 Apr 2007 14:03:42 -0700, Steve Richter
>> <StephenRichter@gmail.com> wrote:
>>
>> >I want to change the "password must meet complexity requirements" of
>> >my PC to "disabled". But the pushbutton is greyed. Why is it doing
>> >that??
>> >
>> >My Vista PC is in the active directory domain of my 2nd PC, running
>> >windows server 2003. ( which I configured today. note to MSFT:
>> >configing your systems is very difficult and confusing!! )
>> >
>> >on the Server PC I was able to change the password policy and disable
>> >complex names.
>> >
>> >thanks,
>> >
>> >-Steve
>>
Jesper
Guest
Posts: n/a
 
Re: cannot change local security policy
Posted: 04-24-2007, 08:12 PM
Thanks Steve, but many of those links seem to have broken in posting.

I'm quite partial to this one actually: :-)
http://www.microsoft.com/technet/com...mt/sm1005.mspx

There is also this:
http://www.microsoft.com/technet/com...mt/sm1004.mspx

....chapter 11 here:
http://www.amazon.com/exec/obidos/AS...otectyourwi-20

....and of course, the bible on passwords:
http://www.amazon.com/exec/obidos/AS...otectyourwi-20


---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Steve Antonio [MSFT]" wrote:
> True Jesper...good point.
>
> Here are some links I have kept handy that talk about strong
> passwords.
>
> What you should know about strong passwords:
>
> http://www.microsoft.com/technet/sec...nistrators.doc
>
> http://www.microsoft.com/technet/sec...g/tcgch00.mspx
>
> http://www.microsoft.com/technet/sec...hg/sgch00.mspx
>
> http://www.microsoft.com/technet/sec...k/default.mspx
>
> http://www.microsoft.com/resources/d...sword_tips.asp
>
>
> Password Best Practices:
>
> http://www.microsoft.com/resources/d...rd_protect.asp
>
>
> Accounts Passwords and Lockout Policies:
>
> http://www.microsoft.com/technet/pro.../bpactlck.mspx
>
>
> Account Lockout and Management Tools:
>
> http://www.microsoft.com/downloads/d...displaylang=en
>
> Hope this helps.
>
>
> On Tue, 24 Apr 2007 11:48:02 -0700, Jesper
> <Jesper@discussions.microsoft.com> wrote:
>
> >With all due respect Steve, the built-in password complexity filter is so
> >weak it certainly does not rule out guessing passwords. "Seattle1" would
> >qualify as a "strong" password under the built-in filter, as do a myriad of
> >other weak ones. If you really want to improve password strength, you need to
> >go for length.
> >---
> >Your question may already be answered in Windows Vista Security:
> >http://www.amazon.com/gp/product/047...otectyourwi-20
> >
> >
> >"Steve Antonio [MSFT]" wrote:
> >
> >> Because the Vista machine is doinam joined, then the Default Domain
> >> Policy overrides the Local policy. Create a new OU and move the
> >> computer account for you workstation to that new OU. Then you'll want
> >> to create a new group policy object on that OU so that it applies to
> >> that workstation. Modify the GPO to change the settings you wish.
> >>
> >> You should never make changes to the Default Domain or Default Domain
> >> Controller policies, but rather create new ones.
> >>
> >> Also, why would you want to disable the password complexity
> >> requirements? You are opening yourself up to allowing somebody to
> >> bruce force attack the accounts by using simple passwords. Much easier
> >> to determine the passwords if they are not complex.
> >>
> >> Just a though.
> >>
> >> Steve Antonio, CISSP
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights. Use of included script samples are subject to the terms
> >> specified at http://www.microsoft.com/info/cpyright.htm
> >> Note: For the benefit of the community-at-large, all responses to this
> >> message are best directed to the newsgroup/thread from which they
> >> originated.
> >>
> >>
> >> On 23 Apr 2007 14:03:42 -0700, Steve Richter
> >> <StephenRichter@gmail.com> wrote:
> >>
> >> >I want to change the "password must meet complexity requirements" of
> >> >my PC to "disabled". But the pushbutton is greyed. Why is it doing
> >> >that??
> >> >
> >> >My Vista PC is in the active directory domain of my 2nd PC, running
> >> >windows server 2003. ( which I configured today. note to MSFT:
> >> >configing your systems is very difficult and confusing!! )
> >> >
> >> >on the Server PC I was able to change the password policy and disable
> >> >complex names.
> >> >
> >> >thanks,
> >> >
> >> >-Steve
> >>
>
Steve Richter
Guest
Posts: n/a
 
Re: cannot change local security policy
Posted: 04-24-2007, 10:12 PM
On Apr 24, 12:50 am, Jesper <Jes...@discussions.microsoft.com> wrote:
> With all due respect, you need this:http://www.amazon.com/gp/product/047...otectyourwi-20
>
> The Default Domain Policy is linked to the domain itself. Password policy
> settings you make in there apply to all computers in the domain, except for
> domain controllers (if the same settings are made in the Default Domain
> Controllers Policy). Since you were managing the password policy using the
> Default Domain Policy your password settings in Local Security Policy were
> greyed out. You told the computer that you want the domain settings to rule.
>
> The Default Domain Controllers Policy is linked to the Domain Controllers
> OU. Since policy is processed in the LSDOU (Local, Site, Domain, OU) order,
> that policy will override settings made in the Default Domain Policy for the
> DCs.
>
> Really, you need to read Jeremy's book if you are going to be playing with
> Group Policy. You may want to read one of mine too to understand the security
> settings.
will do. thanks for the help. I understand it better now.

-Steve



 
LinkBack Thread Tools Display Modes
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
About Local Security Policy Zhang Windows Vista Security 5 05-18-2007 07:12 PM
No Local Security Policy Alias Windows Vista Networking & Sharing 1 05-03-2007 12:35 AM
Local Security Policy Alan Windows Vista Security 2 06-06-2006 02:17 PM
Local Security Policy - Options Mke Edwards Windows XP Configuration & Management 0 02-17-2006 02:29 PM
Local security policy Chris Windows XP Security & Administration 10 06-07-2004 08:37 AM