Back in 2009 I published a very popular article "The Low-Down on Password Policies" which has been viewed by thousands of IT Professionals and referenced by application vendors in online documentation such as SysOp Tools Software.
http://clintboessen.blogspot.com.au/2009/12/low-down-on-password-policies.html
In this post we are going to talk about password policies further and cover off what appears to be a bug but is actually "by design".
My customer had a handful of domain controllers with a single 2008 R2 domain controller and three Server 2012 R2 domain controllers. The PDC Emulator resides on Server 2008 R2.
The Server 2008 R2 domain controller was applying the password policy correctly however the 2012 R2 domain controllers were not (or so I thought).
Running an rsop.msc on the 2008 R2 domain controller (the PDC) shows the policy being applied from the Default Domain Policy.
The 2012 R2 domain controllers the resultant set of policy displayed no policies being applied.
The same was experienced running an "gpresult /v" on the 2008 R2 or 2012 R2 domain controllers.
"gpresult /v" on 2008 R2:
http://clintboessen.blogspot.com.au/2009/12/low-down-on-password-policies.html
In this post we are going to talk about password policies further and cover off what appears to be a bug but is actually "by design".
My customer had a handful of domain controllers with a single 2008 R2 domain controller and three Server 2012 R2 domain controllers. The PDC Emulator resides on Server 2008 R2.
The Server 2008 R2 domain controller was applying the password policy correctly however the 2012 R2 domain controllers were not (or so I thought).
Running an rsop.msc on the 2008 R2 domain controller (the PDC) shows the policy being applied from the Default Domain Policy.
The 2012 R2 domain controllers the resultant set of policy displayed no policies being applied.
The same was experienced running an "gpresult /v" on the 2008 R2 or 2012 R2 domain controllers.
"gpresult /v" on 2008 R2:
"gpresult /v" on 2012 R2:
The account policies above are the domain Kerberos policy, not the password policy.
The password policy simply did not apply to the 2012 servers. After further investigation in my test lab, I saw that only the domain controller running the PDC emulator displays the password policy when performing a Resultant Set of Policy.
This means every domain controller in a domain will not display the password policy from a resultant set of policy apart from the primary domain controller.
How do I check if the password policy is applying correctly on my domain controllers?
There are two commands which check the password policy:
- net accounts (checks local password policies on a server)
- net accounts /domain (checks the domain password policy on a server)
Domain Policy always wins over a local policy.
Computer Role: Backup means it is not a Primary Domain Controllers (PDC).
So in summary... if you see a password policy not applying to a domain controller when you check Group Policy, this is normal behaviour and is by design unless the server is the PDC emulator.