eulersconstant
Hello,
We’re running into multiple grayed out password policy and account lockout policy settings on Windows Server 2012 R2 DCs – as in all of them display grayed out settings. We need to change them but we cannot commit any changes. The STIGs explicitly say to change these settings within the Local Group Policy Editor. We can change the corresponding settings in the GPO Edit on the ‘Default Domain Controllers Policy’, but they do not take effect in the Local Group Policy Editor.
Do you know the reason we cannot change the settings within Local Group Policy Editor and how we can change all these settings within the LGPE? My quick Google searches have not resulted in anything useful. Any insights would be greatly appreciated.
Example:
Check Content:
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.
If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding.
Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.
Fix Text: Configure the policy value for Computer Configuration >> Windows Settings -> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".
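The check quoted above can also be evaluated without the gpedit.msc GUI by reading the same setting from a `secedit /export` security template. This is an added example, not part of the original post or of the STIG; the function name `Test-PasswordComplexity`, its result strings, and the sample template values are constructed for illustration.

```powershell
# Added example: evaluate the "Password must meet complexity requirements" check
# from a security template exported with secedit, instead of the GUI.
function Test-PasswordComplexity {
    param([string[]]$InfLines)   # lines of a "secedit /export" template

    $section = ''
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        # Track which [Section] of the template we are in
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and
            $text -match '^PasswordComplexity\s*=\s*(\d+)$') {
            if ($Matches[1] -eq '1') { return 'NotAFinding' }
            # Per the check's note, "Disabled" is acceptable only when an
            # external password filter requires it: that needs manual review.
            return 'Finding unless an external password filter enforces all 4 character types'
        }
    }
    # Setting absent from the export: cannot be evaluated automatically
    return 'NotReviewed: PasswordComplexity missing from export'
}

# Constructed sample of an exported template (values are illustrative only)
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
'@ -split "`r?`n"

Test-PasswordComplexity -InfLines $sample

# On the server itself, from an elevated prompt:
# $cfg = Join-Path $env:TEMP 'secpol.inf'
# secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
# Test-PasswordComplexity -InfLines (Get-Content $cfg)
```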