Unable to make GPO work in Domain

activedirectory

(Daniele Nosella) #1

Hello There,
I’m experimenting with Active Directory on NethServer.

I was able to create a domain and join PCs to it, but I’m not able to make GPO work.

I tried many different things, but what I’m experiencing is that the policies seem not to be applied.
The Windows Events Registry shows that the policies are correctly loaded from the joined PC but, in fact, they are not effective.

The simplest rules, like turning off password complexity requirements or the password expiration setting, don’t work.

Just as an example:
- Enter group policy editor
- Modify default domain policy
- Set password complexity off
- Set maximum password age to 1 day
- Set minimum password age to 0 days (the editor does it automatically)
- Set password history to 0

Then I reboot a joined client PC, and even if in the Windows Event Registry I can see the policies have been loaded, they are not effective.

The very same procedure works in Windows Server 2012R2-2016.

Any suggestion?

I’m administering the domain through RSAT from a joined PC.
The joined PCs are Windows 10 machines.

Thank you

System version: NethServer release 7.4.1708 (Final)
Kernel release: 3.10.0-862.2.3.el7.x86_64


(Markus Neuberger) #2

Hi Daniele,

You may change these settings in the web interface (Security/Password policies):


http://docs.nethserver.org/en/v7/accounts.html#password-management


(Daniele Nosella) #3

Hi,
thank you for the suggestion, but it doesn’t solve the problem.

I just tried to disable the Strong Password Policies option as you suggested, but nevertheless I’m not able to change passwords to simple ones (from the joined client, I mean), even if the GPOs are correctly set (I suppose).

Probably the Password Policies options offered through the NethServer GUI are not effective in the Active Directory domain, can somebody confirm this?

It seems that the policies are not “adopted” by the client, even if the Windows Registry event says the policy has been applied.


(Markus Neuberger) #4

I tried it and the policy is applied. With strong policy the password needs a special character. I tried to create a new user in ADUC and it was not possible with strong policy and without special character.

Without strong policy you still need 7 chars AFAIK.

For changing user passwords you may log in to the NethServer web UI too.

For advanced settings you may go to command line:

systemd-run -M nsdc -t /bin/bash -c "samba-tool domain passwordsettings set --help"
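
Samba AD keeps the domain password policy in the directory and manages it with samba-tool domain passwordsettings, the command post #4 points at. The script below is an added example, not code from the thread or from NethServer: it reads `passwordsettings show` output and prints the `set` options needed to reach the values listed in post #1. The sample output is constructed, the `label: value` line format is assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `samba-tool domain passwordsettings show` output.
# On a live system, pipe the real output into policy_drift instead.
sample_show_output() {
cat <<'EOF'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
EOF
}

# Values wanted in post #1, as "show label|samba-tool option|value".
desired_policy() {
cat <<'EOF'
Password complexity|--complexity|off
Password history length|--history-length|0
Minimum password age (days)|--min-pwd-age|0
Maximum password age (days)|--max-pwd-age|1
EOF
}

# Reads `passwordsettings show` output on stdin and prints one option per
# setting whose enforced value differs from the desired one.
policy_drift() {
    current=$(cat)
    desired_policy | while IFS='|' read -r label opt want; do
        have=$(printf '%s\n' "$current" | awk -F': *' -v l="$label" '$1 == l { print $2 }')
        if [ -z "$have" ]; then
            echo "# '$label' not found in input" >&2
        elif [ "$have" != "$want" ]; then
            printf '%s=%s\n' "$opt" "$want"
        fi
    done
}

# Prints the reconciling command for review; it does not run it.
reconcile_command() {
    opts=$(policy_drift | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$opts" ] && echo "samba-tool domain passwordsettings set $opts" || echo "# policy already matches"
}

# Demonstration on the constructed sample.
sample_show_output | reconcile_command
```

On NethServer the real input comes from running the `show` subcommand inside the nsdc container, in the same systemd-run form as the command in post #4.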