I'm using a Server 2008 R2 domain controller, trying to troubleshoot a bug where password complexity requirements seem to be enabled, even though they are disabled in group policy. Some notes:
- I am changing the Password Policy at the domain level
- I have set no password age, set length requirement to a low number, and disabled complexity requirements, but I still am required to submit a complex password
- Local secpol settings are the same, although I don't think they should be taken into account
- I have ran gpupdate with the /force option and rebooted the system
- RSOP says the complexity requirement should be disabled.
I'm not sure if my GPO is not being applied (although RSOP says it is), or if there is another setting that is enabled (all my searching doesn't indicate one).
Any help would be appreciated.
Edit: Another odd thing: I booted into Active Directory Restore Mode to try to change the password of the local administrator account, and there is a complexity requirement on those local accounts also! Running secpol.msc from ADRS shows complexity should not be required, so I don't think it's an Active Directory problem or really a WIndows Security Policy thing. Perhaps something was corrupted? Unfortunately it doesn't seem like there's an easy way to see exactly what SAM (or LSASS?) is looking at to determine that complex passwords are required. Doesn't make any sense.
Best Answer
Check if you have custom password filter installed.
Normally when a custom password filter is not installed, it will have:
scecli rassfmInstalling and Registering a Password Filter DLL
https://msdn.microsoft.com/en-us/library/windows/desktop/ms721766%28v=vs.85%29.aspx