Description of Issue
When Block Inheritance is enabled on the Domain Controllers OU, the Password Settings screen in the Quickpass Admin Dashboard does not display the Account Password and Lockout Policy settings configured in Group Policy. Instead it shows the older values still stored in Active Directory.
Cause
- Block Inheritance setting enabled on the Domain Controllers OU
This is standard behavior of Microsoft's implementation of Active Directory, not a Quickpass defect. The domain password and lockout policy is not read from the GPO directly: the domain controller holding the PDC emulator role applies the Account Policies from the GPOs that reach it and writes the resulting values to the domain object, and those stored values are what apply to every domain user account. If inheritance is blocked on the Domain Controllers OU, GPOs linked at the root of the domain (including the Default Domain Policy) no longer reach the domain controllers, so later password policy changes in those GPOs are ignored and whatever the policy was set to before Block Inheritance was enabled stays 'tattooed' on the domain.
Password policy changes aren't applied - Windows Server | Microsoft Docs
To confirm this, run the following on any domain controller after importing the Active Directory PowerShell module. It prints the password policy values currently stored on the domain object, which are the values Active Directory actually enforces; if they differ from what the GPO is set to, the policy changes are not being applied.
Get-ADDomain | Get-ADObject -Properties * | Select-Object *pwd*
Resolution
Use one of the following:
- Disable inheritance blocking: turn off Block Inheritance on the Domain Controllers OU. Do this only after confirming that no other settings in the Group Policies linked at the root of the domain will affect your domain controllers.
- Enforce the GPO: set the link of the GPO that contains your password policy to Enforced. An enforced link is applied regardless of Block Inheritance. Do this only after confirming that no other settings in that Group Policy Object will affect your domain controllers.
- Migrate the password policy settings to a new GPO: create a new GPO containing only the Account Password and Lockout Policy settings, link it at the root of the domain, set the link to Enforced and give it a higher priority (lower link order) than the existing policy.
After applying any of these changes, run gpupdate /force on the domain controller holding the PDC emulator role and re-run the check above to confirm the stored values now match the GPO.
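The check and the three resolutions above, as a single added PowerShell script. This is an added example, not a Quickpass tool or code from the original article. It assumes it is run as a Domain Admin on a domain controller with the RSAT ActiveDirectory and GroupPolicy modules installed, that WinRM is reachable on the PDC emulator for the final gpupdate, and that "Default Domain Policy" is the GPO carrying your Account Policies; the new GPO name "Domain Password Policy" is a placeholder.

```powershell
<#
  Added example, not part of the original article or a Quickpass tool.
  Reports whether Block Inheritance on the Domain Controllers OU is keeping
  password/lockout policy changes from reaching AD, and applies one of the
  three resolutions on request.
  Assumptions: Domain Admin on a DC with the RSAT ActiveDirectory and
  GroupPolicy modules; WinRM reachable on the PDC emulator; GPO names below
  are placeholders.
#>
param(
    [ValidateSet('Report', 'UnblockInheritance', 'EnforceExisting', 'NewEnforcedGpo')]
    [string]$Action = 'Report',
    [string]$PolicyGpoName = 'Default Domain Policy',   # GPO that carries your Account Policies
    [string]$NewGpoName    = 'Domain Password Policy'   # hypothetical name for the new GPO
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$dcOu     = "OU=Domain Controllers,$domainDn"

# 1. Inheritance state of the Domain Controllers OU and which GPOs still reach it.
$inh = Get-GPInheritance -Target $dcOu
Write-Host "Block Inheritance on '$dcOu': $($inh.GpoInheritanceBlocked)"
Write-Host "GPOs reaching the domain controllers:"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Order | Format-Table -AutoSize

# 2. Policy AD currently enforces. It lives on the domain object, is written there by
#    the PDC emulator when it applies the Account Policies, and applies to every domain
#    user. Same data as the article's "*pwd*" check, with the lockout attributes included.
Write-Host "Effective policy stored on $domainDn (raw attributes):"
Get-ADObject -Identity $domainDn -Properties * | Select-Object *pwd*, *lockout* | Format-List
Write-Host "Same values via Get-ADDefaultDomainPasswordPolicy:"
Get-ADDefaultDomainPasswordPolicy | Format-List MinPasswordLength, PasswordHistoryCount,
    MaxPasswordAge, MinPasswordAge, ComplexityEnabled, LockoutThreshold, LockoutDuration,
    LockoutObservationWindow

# 3. Export the GPO so its configured values can be compared with the attributes above.
$gpoReportPath = Join-Path $env:TEMP "$($PolicyGpoName -replace '[^\w]', '_').xml"
Get-GPOReport -Name $PolicyGpoName -ReportType Xml -Path $gpoReportPath
Write-Host "GPO report for '$PolicyGpoName' written to $gpoReportPath"

# Resolutions. Review the rest of the GPO (or the other root-linked GPOs) for settings
# that would be harmful on a domain controller before applying any of these.
switch ($Action) {
    'UnblockInheritance' {
        # Resolution 1: stop blocking, so every root-linked GPO applies to the DCs again.
        Set-GPInheritance -Target $dcOu -IsBlocked No
    }
    'EnforceExisting' {
        # Resolution 2: an enforced link overrides Block Inheritance (the whole GPO applies).
        Set-GPLink -Name $PolicyGpoName -Target $domainDn -Enforced Yes
    }
    'NewEnforcedGpo' {
        # Resolution 3: a GPO holding only the Account Policies, enforced, first in link order.
        # The GroupPolicy module has no cmdlet for Account Policies: after this, open the new
        # GPO in the Group Policy Management Editor, configure Computer Configuration >
        # Policies > Windows Settings > Security Settings > Account Policies, then remove
        # those settings from the old GPO.
        $gpo = New-GPO -Name $NewGpoName
        New-GPLink -Name $gpo.DisplayName -Target $domainDn -LinkEnabled Yes -Enforced Yes -Order 1
    }
    default { return }   # Report only; nothing changed.
}

# Only the PDC emulator writes the Account Policies to the domain object, so refresh it
# and re-run with -Action Report to confirm the stored attributes changed.
Invoke-Command -ComputerName $domain.PDCEmulator -ScriptBlock { gpupdate.exe /target:computer /force }
```

Run it first with no arguments (or -Action Report) to see the inheritance state and the stored values; the GpoInheritanceBlocked line and an empty InheritedGpoLinks list together confirm the cause. Resolution 1 and 2 apply the whole GPO to the domain controllers, which is why the warnings in the list above apply; Resolution 3 limits the blast radius to the Account Policies alone, which is why it is the safest of the three.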