In my Samba Active Directory Domain, I want to allow passwords that are long (passphrase) and based only on small caps and special characters, i.e. no requirement for large caps and numbers.
In order to do so, I created a new domain wide GPO for authenticated users where I disabled the complexity check (Password must meet password complexity requirement
) and instead increased the minimum password length to 10.
I ran gpupdate
to make sure the policy was distributed to the computer I'm sitting on. Unfortunately, this didn't have the expected effect, I still get the error message that my new password is not in line with the password policy.
A quick check using gpresult /v
reveals the following information:
Account Policies
----------------
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 15
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 10
Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
What went wrong?
Update: Since a few commenters suggested I should do it via the Default Policy, I did that. The result remains exactly the same. I am attaching a screenshot of the policy just to avoid any doubt.
And here is a screenshot of the local security policy which confirms that the GPO was indeed applied. It looks fine but I can still create 8 digit passwords for domain users and they must include large caps and a number.
Best Answer
Ok, this caught me completely off guard. While a Samba Active Directory domain can be usually fully configured without any issues using RSAT, it seems that the password policy is one of these very few things where this doesn't work, or at least not in its entirety. The solution is to turn off complexity directly on the Samba server, using
I have not initially declared that I'm using Samba so the other answers and comments are entirely valid for a Microsoft-only domain. I will adapt my question to reflect the use of Samba.
Update for clarification: As Joe pointed out, the GPO for the password settings is applied to the domain controller itself and not the clients like with regular GPOs. And that is the reason why this GPO could not take effect on a Samba DC. Samba can only serve GPOs, not apply them to itself.