Forum Discussion
Claire_4
Jul 12, 2023Copper Contributor
How to fully remove domain password policy from on-prem AD
Hi, We have recently changed our AD password mastering to a 3rd part IDP, the passwords are changed on their system and are pushed to the users profile in AD, all of this is working fine. Users log...
LeonPavesic
Jul 13, 2023Silver Contributor
Hi Claire_4,
To fully remove the domain password policy from on-prem Active Directory, you need to follow these steps:
- Open the Group Policy Management console on one of your domain controllers.
- Expand the forest and domain, then navigate to the "Default Domain Policy" or the GPO that previously contained the password policy settings.
- Right-click on the policy and select "Edit" to open the Group Policy Management Editor.
- In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
- Review the password policy settings and ensure they are set to "Not Defined" or the desired default values.
- Wait for the changes to replicate across your domain controllers.
You can also view the default password policy with Powershell using this command.
Get-ADDefaultDomainPasswordPolicy
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards
Leon Pavesic
Claire_4
Jul 13, 2023Copper Contributor
LeonPavesic Thank you for the reply. Yes that's exactly what we've done, all settings under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy - are set to not defined. Replication across domain controllers is working. I've attached a screenshot showing the group policy at the top with the correct settings, and the local security and group policy for that particular DC showing the incorrect settings. We have ran a GPUpdate on the DC's and rebooted both of them but the settings still remain.
- LeonPavesicJul 13, 2023Silver Contributor
Hi @Claire_,
thanks for the update. You did everything right.
To ensure that the password policy is applied to the Active Directory domain controllers, you need to apply the policy directly to the OU where the domain controllers are located. Modifying the Default Domain Policy, which is linked at the root of the domain, may not have the desired effect if inheritance is blocked on the Domain Controllers OU. Make sure to target the policy specifically to the Domain Controllers OU to control the password policy for the Active Directory.
Please, check out this links:
Password policy changes aren't applied - Windows Server | Microsoft Learn
Changes are not applied when you change the password policy - Microsoft Support
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards
Leon Pavesic- Claire_4Jul 13, 2023Copper Contributor
LeonPavesic Inheritance on the DC's OU is not blocked, and the domain controllers are in the correct OU, and the password policy is not coming from any other GPO.