I have set up a new Windows Server 2008 R2 domain controller, and have attempted to configure the Default Domain Policy to permit all types of passwords. When I want to create a new user (just a normal user) in the Domain Users and Computers application, I am prevented from doing so because of password complexity/length reasons.
The password policy options configured in the Default Domain Policy are not defined in the Default Domain Controllers Policy, but having run the Group Policy Modelling Wizard these settings do not appear to be set for the Domain Controllers OU, should they not be inherited from the Default Domain policy? Additionally, if I link the Default Domain policy to the Domain Controllers OU, the Group Policy Modelling Wizard indicates the expected values for complexity etc, but I still cannot create a new user with my desired password. The domain is running at the Windows Server 2008 R2 functional level. Any thoughts?
Thanks!
Update: Here is the "Account policy/Password policy" Section from the GPM Wizard:
Policy Value Winning GPO
Enforce password history 0 Passwords Remembered Default Domain Policy
Maximum password age 0 days Default Domain Policy
Minimum password age 0 days Default Domain Policy
Minimum password length 0 characters Default Domain Policy
Passwords must meet complexity Disabled Default Domain Policy
These results were taken from running the GPM Wizard at the Domain Controllers OU. I have typed them out by hand as the system I am working on is standalone, this is why the table is not exactly the wording from the Wizard. Are there any other policies that could override the above? Thanks!
Best Answer
windows 2008 introduced the Password Settings Objects (PSO) for more granular control of the password policy. You might have case of conflicting PSO.
http://technet.microsoft.com/en-us/library/cc770848(v=ws.10).aspx