|
 |  |  |  |  |  |  |
| Welcome to Windows Vista Forums. Our forum is dedicated to helping you find solutions with any problems, errors or issues you are experiencing with Windows Vista. The Vista forum also covers news and updates and has an extensive Windows Vista tutorial section that covers a wide range of tips and tricks. |
| |||||||
 |
| |
04-23-2007
| #1 (permalink) |
| | cannot change local security policy I want to change the "password must meet complexity requirements" of my PC to "disabled". But the pushbutton is greyed. Why is it doing that?? My Vista PC is in the active directory domain of my 2nd PC, running windows server 2003. ( which I configured today. note to MSFT: configing your systems is very difficult and confusing!! ) on the Server PC I was able to change the password policy and disable complex names. thanks, -Steve |
My System Specs |
|
04-23-2007
| #2 (permalink) |
| | RE: cannot change local security policy Are you in the Local Security Policy editor (in Administrative tools) on the Vista computer trying to change this? How did you configure the policy on the server? --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Steve Richter" wrote: > I want to change the "password must meet complexity requirements" of > my PC to "disabled". But the pushbutton is greyed. Why is it doing > that?? > > My Vista PC is in the active directory domain of my 2nd PC, running > windows server 2003. ( which I configured today. note to MSFT: > configing your systems is very difficult and confusing!! ) > > on the Server PC I was able to change the password policy and disable > complex names. > > thanks, > > -Steve > > |
| My System Specs |
|
04-23-2007
| #3 (permalink) |
| | Re: cannot change local security policy On Apr 23, 7:58 pm, Jesper <Jes...@discussions.microsoft.com> wrote: > Are you in the Local Security Policy editor (in Administrative tools) on the > Vista computer trying to change this? How did you configure the policy on the > server? On the server I had the "password must meet complexity or whatever" disabled on either the "default domain security policy" or the "default domain controller security policy" . Now I have changed to "disabled" in both and I can now set to a simple password on the client. what kind of madmen designed this?? what is the difference between "default domain" and "default domain controller"??? -Steve |
| My System Specs |
|
04-24-2007
| #4 (permalink) |
| | Re: cannot change local security policy With all due respect, you need this: http://www.amazon.com/gp/product/047...otectyourwi-20 The Default Domain Policy is linked to the domain itself. Password policy settings you make in there apply to all computers in the domain, except for domain controllers (if the same settings are made in the Default Domain Controllers Policy). Since you were managing the password policy using the Default Domain Policy your password settings in Local Security Policy were greyed out. You told the computer that you want the domain settings to rule. The Default Domain Controllers Policy is linked to the Domain Controllers OU. Since policy is processed in the LSDOU (Local, Site, Domain, OU) order, that policy will override settings made in the Default Domain Policy for the DCs. Really, you need to read Jeremy's book if you are going to be playing with Group Policy. You may want to read one of mine too to understand the security settings. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Steve Richter" wrote: > On Apr 23, 7:58 pm, Jesper <Jes...@discussions.microsoft.com> wrote: > > Are you in the Local Security Policy editor (in Administrative tools) on the > > Vista computer trying to change this? How did you configure the policy on the > > server? > > On the server I had the "password must meet complexity or whatever" > disabled on either the "default domain security policy" or the > "default domain controller security policy" . Now I have changed to > "disabled" in both and I can now set to a simple password on the > client. > > what kind of madmen designed this?? what is the difference between > "default domain" and "default domain controller"??? > > -Steve > > > > |
| My System Specs |
|
04-24-2007
| #5 (permalink) |
| | Re: cannot change local security policy Because the Vista machine is doinam joined, then the Default Domain Policy overrides the Local policy. Create a new OU and move the computer account for you workstation to that new OU. Then you'll want to create a new group policy object on that OU so that it applies to that workstation. Modify the GPO to change the settings you wish. You should never make changes to the Default Domain or Default Domain Controller policies, but rather create new ones. Also, why would you want to disable the password complexity requirements? You are opening yourself up to allowing somebody to bruce force attack the accounts by using simple passwords. Much easier to determine the passwords if they are not complex. Just a though. Steve Antonio, CISSP This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. On 23 Apr 2007 14:03:42 -0700, Steve Richter <StephenRichter@gmail.com> wrote: >I want to change the "password must meet complexity requirements" of >my PC to "disabled". But the pushbutton is greyed. Why is it doing >that?? > >My Vista PC is in the active directory domain of my 2nd PC, running >windows server 2003. ( which I configured today. note to MSFT: >configing your systems is very difficult and confusing!! ) > >on the Server PC I was able to change the password policy and disable >complex names. > >thanks, > >-Steve |
| My System Specs |
|
04-24-2007
| #6 (permalink) |
| | Re: cannot change local security policy With all due respect Steve, the built-in password complexity filter is so weak it certainly does not rule out guessing passwords. "Seattle1" would qualify as a "strong" password under the built-in filter, as do a myriad of other weak ones. If you really want to improve password strength, you need to go for length. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Steve Antonio [MSFT]" wrote: > Because the Vista machine is doinam joined, then the Default Domain > Policy overrides the Local policy. Create a new OU and move the > computer account for you workstation to that new OU. Then you'll want > to create a new group policy object on that OU so that it applies to > that workstation. Modify the GPO to change the settings you wish. > > You should never make changes to the Default Domain or Default Domain > Controller policies, but rather create new ones. > > Also, why would you want to disable the password complexity > requirements? You are opening yourself up to allowing somebody to > bruce force attack the accounts by using simple passwords. Much easier > to determine the passwords if they are not complex. > > Just a though. > > Steve Antonio, CISSP > > This posting is provided "AS IS" with no warranties, and confers no > rights. Use of included script samples are subject to the terms > specified at http://www.microsoft.com/info/cpyright.htm > Note: For the benefit of the community-at-large, all responses to this > message are best directed to the newsgroup/thread from which they > originated. > > > On 23 Apr 2007 14:03:42 -0700, Steve Richter > <StephenRichter@gmail.com> wrote: > > >I want to change the "password must meet complexity requirements" of > >my PC to "disabled". But the pushbutton is greyed. Why is it doing > >that?? > > > >My Vista PC is in the active directory domain of my 2nd PC, running > >windows server 2003. ( which I configured today. note to MSFT: > >configing your systems is very difficult and confusing!! ) > > > >on the Server PC I was able to change the password policy and disable > >complex names. > > > >thanks, > > > >-Steve > |
| My System Specs |
|
04-24-2007
| #7 (permalink) |
| | Re: cannot change local security policy True Jesper...good point. Here are some links I have kept handy that talk about strong passwords. What you should know about strong passwords: http://www.microsoft.com/technet/sec...nistrators.doc http://www.microsoft.com/technet/sec...g/tcgch00.mspx http://www.microsoft.com/technet/sec...hg/sgch00.mspx http://www.microsoft.com/technet/sec...k/default.mspx http://www.microsoft.com/resources/d...sword_tips.asp Password Best Practices: http://www.microsoft.com/resources/d...rd_protect.asp Accounts Passwords and Lockout Policies: http://www.microsoft.com/technet/pro.../bpactlck.mspx Account Lockout and Management Tools: http://www.microsoft.com/downloads/d...displaylang=en Hope this helps. On Tue, 24 Apr 2007 11:48:02 -0700, Jesper <Jesper@discussions.microsoft.com> wrote: >With all due respect Steve, the built-in password complexity filter is so >weak it certainly does not rule out guessing passwords. "Seattle1" would >qualify as a "strong" password under the built-in filter, as do a myriad of >other weak ones. If you really want to improve password strength, you need to >go for length. >--- >Your question may already be answered in Windows Vista Security: >http://www.amazon.com/gp/product/047...otectyourwi-20 > > >"Steve Antonio [MSFT]" wrote: > >> Because the Vista machine is doinam joined, then the Default Domain >> Policy overrides the Local policy. Create a new OU and move the >> computer account for you workstation to that new OU. Then you'll want >> to create a new group policy object on that OU so that it applies to >> that workstation. Modify the GPO to change the settings you wish. >> >> You should never make changes to the Default Domain or Default Domain >> Controller policies, but rather create new ones. >> >> Also, why would you want to disable the password complexity >> requirements? You are opening yourself up to allowing somebody to >> bruce force attack the accounts by using simple passwords. Much easier >> to determine the passwords if they are not complex. >> >> Just a though. >> >> Steve Antonio, CISSP >> >> This posting is provided "AS IS" with no warranties, and confers no >> rights. Use of included script samples are subject to the terms >> specified at http://www.microsoft.com/info/cpyright.htm >> Note: For the benefit of the community-at-large, all responses to this >> message are best directed to the newsgroup/thread from which they >> originated. >> >> >> On 23 Apr 2007 14:03:42 -0700, Steve Richter >> <StephenRichter@gmail.com> wrote: >> >> >I want to change the "password must meet complexity requirements" of >> >my PC to "disabled". But the pushbutton is greyed. Why is it doing >> >that?? >> > >> >My Vista PC is in the active directory domain of my 2nd PC, running >> >windows server 2003. ( which I configured today. note to MSFT: >> >configing your systems is very difficult and confusing!! ) >> > >> >on the Server PC I was able to change the password policy and disable >> >complex names. >> > >> >thanks, >> > >> >-Steve >> |
| My System Specs |
|
04-24-2007
| #8 (permalink) |
| | Re: cannot change local security policy Thanks Steve, but many of those links seem to have broken in posting. I'm quite partial to this one actually: :-) http://www.microsoft.com/technet/com...mt/sm1005.mspx There is also this: http://www.microsoft.com/technet/com...mt/sm1004.mspx ....chapter 11 here: http://www.amazon.com/exec/obidos/AS...otectyourwi-20 ....and of course, the bible on passwords: http://www.amazon.com/exec/obidos/AS...otectyourwi-20 --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Steve Antonio [MSFT]" wrote: > True Jesper...good point. > > Here are some links I have kept handy that talk about strong > passwords. > > What you should know about strong passwords: > > http://www.microsoft.com/technet/sec...nistrators.doc > > http://www.microsoft.com/technet/sec...g/tcgch00.mspx > > http://www.microsoft.com/technet/sec...hg/sgch00.mspx > > http://www.microsoft.com/technet/sec...k/default.mspx > > http://www.microsoft.com/resources/d...sword_tips.asp > > > Password Best Practices: > > http://www.microsoft.com/resources/d...rd_protect.asp > > > Accounts Passwords and Lockout Policies: > > http://www.microsoft.com/technet/pro.../bpactlck.mspx > > > Account Lockout and Management Tools: > > http://www.microsoft.com/downloads/d...displaylang=en > > Hope this helps. > > > On Tue, 24 Apr 2007 11:48:02 -0700, Jesper > <Jesper@discussions.microsoft.com> wrote: > > >With all due respect Steve, the built-in password complexity filter is so > >weak it certainly does not rule out guessing passwords. "Seattle1" would > >qualify as a "strong" password under the built-in filter, as do a myriad of > >other weak ones. If you really want to improve password strength, you need to > >go for length. > >--- > >Your question may already be answered in Windows Vista Security: > >http://www.amazon.com/gp/product/047...otectyourwi-20 > > > > > >"Steve Antonio [MSFT]" wrote: > > > >> Because the Vista machine is doinam joined, then the Default Domain > >> Policy overrides the Local policy. Create a new OU and move the > >> computer account for you workstation to that new OU. Then you'll want > >> to create a new group policy object on that OU so that it applies to > >> that workstation. Modify the GPO to change the settings you wish. > >> > >> You should never make changes to the Default Domain or Default Domain > >> Controller policies, but rather create new ones. > >> > >> Also, why would you want to disable the password complexity > >> requirements? You are opening yourself up to allowing somebody to > >> bruce force attack the accounts by using simple passwords. Much easier > >> to determine the passwords if they are not complex. > >> > >> Just a though. > >> > >> Steve Antonio, CISSP > >> > >> This posting is provided "AS IS" with no warranties, and confers no > >> rights. Use of included script samples are subject to the terms > >> specified at http://www.microsoft.com/info/cpyright.htm > >> Note: For the benefit of the community-at-large, all responses to this > >> message are best directed to the newsgroup/thread from which they > >> originated. > >> > >> > >> On 23 Apr 2007 14:03:42 -0700, Steve Richter > >> <StephenRichter@gmail.com> wrote: > >> > >> >I want to change the "password must meet complexity requirements" of > >> >my PC to "disabled". But the pushbutton is greyed. Why is it doing > >> >that?? > >> > > >> >My Vista PC is in the active directory domain of my 2nd PC, running > >> >windows server 2003. ( which I configured today. note to MSFT: > >> >configing your systems is very difficult and confusing!! ) > >> > > >> >on the Server PC I was able to change the password policy and disable > >> >complex names. > >> > > >> >thanks, > >> > > >> >-Steve > >> > |
| My System Specs |
|
04-24-2007
| #9 (permalink) |
| | Re: cannot change local security policy On Apr 24, 12:50 am, Jesper <Jes...@discussions.microsoft.com> wrote: > With all due respect, you need this:http://www.amazon.com/gp/product/047...otectyourwi-20 > > The Default Domain Policy is linked to the domain itself. Password policy > settings you make in there apply to all computers in the domain, except for > domain controllers (if the same settings are made in the Default Domain > Controllers Policy). Since you were managing the password policy using the > Default Domain Policy your password settings in Local Security Policy were > greyed out. You told the computer that you want the domain settings to rule. > > The Default Domain Controllers Policy is linked to the Domain Controllers > OU. Since policy is processed in the LSDOU (Local, Site, Domain, OU) order, > that policy will override settings made in the Default Domain Policy for the > DCs. > > Really, you need to read Jeremy's book if you are going to be playing with > Group Policy. You may want to read one of mine too to understand the security > settings. will do. thanks for the help. I understand it better now. -Steve |
| My System Specs |
|
| Thread Tools | |
| |
Similar Threads | ||||
| Thread | Forum | |||
| Local Security Policy | System Security | |||
| About Local Security Policy | Vista security | |||
| No Local Security Policy | Vista networking & sharing | |||
| Where the heck is the Local Security Policy? | Vista security | |||
| Local Security Policy | Vista security | |||
