Administrator resetting password

RB

Distinguished
Apr 7, 2004
69
0
18,630
Archived from groups: microsoft.public.win2000.security (More info?)

I have a problem with an application that executes on the admin ID for resetting the password in AD...which I discovered was not working...so I tested the access rights with the AD Users and Computers console and tried a reset with the admin ID there too by right-clicking the user....nothing doing there either. Times out with an error that tells me there might be a password history, complexity or minimum length problem. I have made NO changes to the Policies....any ideas ?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Check your domain password policy in the Domain Security Policy or if you have more
than one GPO for the domain check the highest GPO in the domain in the list. You can
use "net accounts" on a domain controller to see what your account policy is other
than complexity. If you don't want complexity enabled make sure it is disabled and
not undefined. You do not want any undefined settings in you account policies. ---
Steve


"RB" <RB@discussions.microsoft.com> wrote in message
news:672E20A4-EBDD-4700-8AB5-10B66CA41240@microsoft.com...
> I have a problem with an application that executes on the admin ID for resetting
the password in AD...which I discovered was not working...so I tested the access
rights with the AD Users and Computers console and tried a reset with the admin ID
there too by right-clicking the user....nothing doing there either. Times out with an
error that tells me there might be a password history, complexity or minimum length
problem. I have made NO changes to the Policies....any ideas ?
 

RB

Distinguished
Apr 7, 2004
69
0
18,630
Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steven...
I did as you suggested and removed all the 'Undefined' settings in the GPO for the Account Policy at the Domain level....no change :-(
I have looked into the GPO for the DC also and taken all the Undefined settings out too but that had no influence either. Is there a document witha list of all the defaults that I can reset from the start since I don't think there is a way to reset everything back to default until 2003.
The most confusing part about this is that it just came out of nowhere and I still cannot reset the users password with a right click...Reset Password !
Thanks...Richard

"Steven L Umbach" wrote:

> Check your domain password policy in the Domain Security Policy or if you have more
> than one GPO for the domain check the highest GPO in the domain in the list. You can
> use "net accounts" on a domain controller to see what your account policy is other
> than complexity. If you don't want complexity enabled make sure it is disabled and
> not undefined. You do not want any undefined settings in you account policies. ---
> Steve
>
>
> "RB" <RB@discussions.microsoft.com> wrote in message
> news:672E20A4-EBDD-4700-8AB5-10B66CA41240@microsoft.com...
> > I have a problem with an application that executes on the admin ID for resetting
> the password in AD...which I discovered was not working...so I tested the access
> rights with the AD Users and Computers console and tried a reset with the admin ID
> there too by right-clicking the user....nothing doing there either. Times out with an
> error that tells me there might be a password history, complexity or minimum length
> problem. I have made NO changes to the Policies....any ideas ?
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

In article <06DD8EFA-2B50-44C6-BBFD-71F2C1561655@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?UkI=?=
<RB@discussions.microsoft.com> says...

> since I don't think there is a way to reset everything back to default until 2003.
>
>

Search Help and Support for DCGPOFIX.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
 

RB

Distinguished
Apr 7, 2004
69
0
18,630
Archived from groups: microsoft.public.win2000.security (More info?)

Thanks Paul...but that file does not ship with the Windows 2000 Advanced Server.
Any other suggestions ?

"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <06DD8EFA-2B50-44C6-BBFD-71F2C1561655@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?UkI=?=
> <RB@discussions.microsoft.com> says...
>
> > since I don't think there is a way to reset everything back to default until 2003.
> >
> >
>
> Search Help and Support for DCGPOFIX.
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

In article <C0938BF4-DE51-40C2-A1B3-D01948FDFF9E@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?UkI=?=
<RB@discussions.microsoft.com> says...

> Thanks Paul...but that file does not ship with the Windows 2000 Advanced Server.
> Any other suggestions ?
>

Sorry, I missed the "until 2003".

Search the KB for reset GPO...



--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
 

RB

Distinguished
Apr 7, 2004
69
0
18,630
Archived from groups: microsoft.public.win2000.security (More info?)

I applied the reset GPO for the Security Settings and the User Rights and now I am locked out completely.
There was a large discrepancy between what was in the gpttmpl.inf file and the recommended settings in the documents. The secedit tool worked fine but has now locked out the Administrator.
What now ?


"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <C0938BF4-DE51-40C2-A1B3-D01948FDFF9E@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?UkI=?=
> <RB@discussions.microsoft.com> says...
>
> > Thanks Paul...but that file does not ship with the Windows 2000 Advanced Server.
> > Any other suggestions ?
> >
>
> Sorry, I missed the "until 2003".
>
> Search the KB for reset GPO...
>
>
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
 

RB

Distinguished
Apr 7, 2004
69
0
18,630
Archived from groups: microsoft.public.win2000.security (More info?)

Tried the secedit command to enforce changes after the edit to the gpttmpl.inf files and am now locked out completely.
Not a raging success I would say. There were several discrepancies between the files and the docs. for Reset User Rights and Reset Security Settings so I guess is some of the disregarded lines have me sitting on the outside.
Lucky for us this is just a test machine on VM Ware but still it would be nice to be able to solve the problem...and the functionality that went wrong in the first place.

"Paul Adare - MVP - Microsoft Virtual PC" wrote:

> In article <C0938BF4-DE51-40C2-A1B3-D01948FDFF9E@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?UkI=?=
> <RB@discussions.microsoft.com> says...
>
> > Thanks Paul...but that file does not ship with the Windows 2000 Advanced Server.
> > Any other suggestions ?
> >
>
> Sorry, I missed the "until 2003".
>
> Search the KB for reset GPO...
>
>
>
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

The other thing to check would have been that block inheritance is not set on the
Domain Controller Security Policy and to look in Event Viewer for any pertinent error
messages. The KB below lists default account policy settings for the domain. The
easiest way to implement would be to manually enter the settings in the domain
policy. A zero would indicate a disabled setting. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q226243&

"RB" <RB@discussions.microsoft.com> wrote in message
news:06DD8EFA-2B50-44C6-BBFD-71F2C1561655@microsoft.com...
> Hi Steven...
> I did as you suggested and removed all the 'Undefined' settings in the GPO for the
Account Policy at the Domain level....no change :-(
> I have looked into the GPO for the DC also and taken all the Undefined settings out
too but that had no influence either. Is there a document witha list of all the
defaults that I can reset from the start since I don't think there is a way to reset
everything back to default until 2003.
> The most confusing part about this is that it just came out of nowhere and I still
cannot reset the users password with a right click...Reset Password !
> Thanks...Richard
>
> "Steven L Umbach" wrote:
>
> > Check your domain password policy in the Domain Security Policy or if you have
more
> > than one GPO for the domain check the highest GPO in the domain in the list. You
can
> > use "net accounts" on a domain controller to see what your account policy is
other
> > than complexity. If you don't want complexity enabled make sure it is disabled
and
> > not undefined. You do not want any undefined settings in you account
olicies. ---
> > Steve
> >
> >
> > "RB" <RB@discussions.microsoft.com> wrote in message
> > news:672E20A4-EBDD-4700-8AB5-10B66CA41240@microsoft.com...
> > > I have a problem with an application that executes on the admin ID for
resetting
> > the password in AD...which I discovered was not working...so I tested the access
> > rights with the AD Users and Computers console and tried a reset with the admin
ID
> > there too by right-clicking the user....nothing doing there either. Times out
with an
> > error that tells me there might be a password history, complexity or minimum
length
> > problem. I have made NO changes to the Policies....any ideas ?
> >
> >
> >