Server 2012 R2 password policy

None of the users on the domain are capable of changing their passwords. The group policy appears to be pushing out the correct policy settings, which are:
24 passwords remembered
max password age: 60 days
min password age: 30 days
min password length: 7 characters
complexity: Enabled
Store Passwords using reversible encryption: Disabled
If there are any other settings that could affect this please let me know.
This topic first appeared in the Spiceworks Community

Similar Messages

  • How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?

    I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication
    and that works great.
    Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID so I can assign roles based on the
    MAC address.  I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.
    I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password.  I
    do not want to do that.  This is not an option.
    I have also found several posts about using ieee802Device.  I can't find a way to get that to work.
    I also found a suggestion to use msNPCallingStationID ad attribute.  I can easily set this for each user as their mac addresses but how do I configure the
    NPS server to use this attribute to authenticate this?
    If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
    Thank you for your assistance!

    Hi,
    I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in
    the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
    MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network
    Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names, therefore you need
    to add the MAC address as the computer user name and password.
    Using the MAC address as user name and password is a requirement of Cisco® switches; about your switch device, please ask your hardware vendor.
    If you want to combine MAC address filtering and EAP authentication, you can refer to the following related article:
    Enhance your 802.1x deployment security with MAC filtering
    http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
    More information:
    MAC Address Authorization
    http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
    Authorization by User and Group
    http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
    The similar thread:
    NPS: Override User-Name and User Identity Attribute
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
    The related third party article:
    Configuring IEEE 802.1x Port-Based Authentication
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
    MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
    Hope this helps.

  • Adding Internet shortcut favourites using Server 2012 R2 Group Policy Manager

    Hi there,
    I wonder could someone help me!
    Up until recently we have been using the User Policies/Windows Settings/Internet Explorer Maintenance/URLs/Favourites and Links Group policy in Windows Server 2008 R2 but now within Server 2012 R2 that option doesn’t seem to be available.
    If I however click on the GPO that is currently in place that has favourites specified and click on the Settings tab it generates the report showing the old /Internet Explorer Maintenance/URLs/Favourites and Links Group policy, but when I click Edit on the
    GPO it doesn’t show me the /Internet Explorer Maintenance/URLs/Favourites and Links Group policy to allow me to add more favourites.
    From reading online I see that the /Internet Explorer Maintenance/URLs/Favourites and Links Group policy has been dropped in Server 2012 in favour of the IEAK, but this seems to need to be downloaded and installed, I assume on a DC, which I’m reluctant to do.
    I notice there is something called the Policy Preferences Administrators tool that should allow me to set favourites but I’m not sure how to use that or even where to get it – is it a feature in Server 2012?
    Sorry for all of the info above!  All I want to do is within Server 2012 R2 edit an existing Windows 2008 R2 group policy and add new shortcuts to that policy so they are pushed out.
    Any help or guidance would be greatly appreciated!
    Thanks,
    Bonemister  

    Hi Frank,
    Thanks very much for your reply!
    Ok, method 1 seems to be a good way for what I am looking to achieve in terms of providing shortcuts, however, could you clarify a couple of things for me please: -
    Does method 1 create a shortcut within Internet Explorer that is accessible by all users when they click on the favourites tab or is it a desktop shortcut?
    At present there are no shortcuts specified within User Configuration -> Preferences -> Windows Settings -> Shortcuts so I presume the current shortcuts are currently still being delivered via the settings within IEM. 
    If that is the case I don’t then want to remove the IEM from the GP reporting tools. The question is, can I keep the current policy that seems to be delivering our shortcuts and just use
    User Configuration -> Preferences -> Windows Settings -> Shortcuts to add any new shortcuts that we need – would there be any issue with having both GPOs operating or would there be any issues introducing shortcuts alongside the IEM
    settings?
    Thanks again for your help!
    Bonemister
    Method #1, is more of a problem-fix, rather than a solution-for-how-to-do-it-from-now-on. This method would only really be needed, if you have a dysfunctional IEM-GPO, causing issues.
    GPP is the way you need to adopt, because even Windows7 is affected by the IEM-removal if you upgrade IE to IE10 or newer (regardless of the Windows Server version you are using).
    The recommendation is that you create some new GPOs for transitioning away from IEM over to GPP, test those, and then deploy those and remove your older GPOs that were using IEM, this would complete your transition away from IEM.
    Don

  • How to disable SQL server 2012 sa password auto reset

    We have SQL Server 2012 on Windows XP and we are using the sa login with a null password.
    My problem is that the password is automatically reset once within 3 hours.
    Can anyone help with how to disable the automatic password reset or how to increase the reset time?
    Thanks..!!!

    SQL Server never changes any password, someone else is doing this. And it is a high risk to use the SA account, especially with an empty password!!!
    Fully agree. A blank password for sa? In 2015?
    Apparently something in your environment pokes around for server instances with blank sa passwords and teaches you a lesson. You could set up an event notification or a DDL trigger to find out who that may be. Or just prove that you are smarter than them by
    renaming sa. Or even better, prove that you are living in the present and set a strong password for sa. Or even better, disable sa, and only use Windows accounts that are in sysadmin so that you know who did what.
    Erland Sommarskog, SQL Server MVP

  • Server 2012 R2 Group policy management with older Domain servers

    Hi Guys,
    I need your expert assistance with an issue I'm facing.
    We have a client that has 3 domain controllers. The Primary DC is running Server 2003 R2, another one is running Server 2008, and the last DC is running Server 2008 R2. The forest functional level is Server 2000 & the domain functional level is Server
    2003.
    Currently Group policy is processing using a central store across the 3 domain controllers.
    We have installed a new Server 2012 R2 Terminal server and need to apply group policies to the Server to lock it down.
    We have a separate Server 2012 R2 server (say SERVER1) that is also joined to the domain that I have added the group policy management feature to so it can remotely manage group policy.
    It seems to be pulling all the group policy details from the central store so I can't see any of the Server 2012 related settings on
    SERVER1.
    Are we going about this the correct way? How would we best manage the Server 2012 policies? I was thinking either somehow making the specific TS group policy only load in a local policy or templates somehow..

    If you are using a central policy store, this is the expected (intended) behaviour.
    You will need to update the central store with the latest versions of the adm(x/l) files.
    http://www.microsoft.com/en-us/download/details.aspx?id=36991
    or grab them from a 2012 (R2) installation: c:\Windows\PolicyDefinitions
    MCP/MCSA/MCTS/MCITP

  • SQL Server 2012 Express: Password emergency

    I am trying to reset the sa password on SQL 2012 Express as described at
    http://technet.microsoft.com/en-us/magazine/jj853293.aspx
    When I execute the SQLCMD command it fails with the following message.
    Msg 15247, Level 16, State 1, Line 1
    User does not have permission to perform this action.
    Is there any secret on SQL 2012 Express?

    You need to restart in single-user mode first.
    See
    http://blogs.msdn.com/b/dbrowne/archive/2010/06/11/batch-file-to-local-administrators-a-sysadmin-login-in-sql-server.aspx
    eg
    net stop mssql$sqlexpress
    net start mssql$sqlexpress /mSQLCMD
    sqlcmd -S (local)\sqlexpress -Q "if not exists(select * from sys.server_principals where name='BUILTIN\administrators') CREATE LOGIN [BUILTIN\administrators] FROM WINDOWS;EXEC master..sp_addsrvrolemember @loginame = N'BUILTIN\administrators', @rolename = N'sysadmin'"
    net stop mssql$sqlexpress
    net start mssql$sqlexpress
    sqlcmd -S (local)\sqlexpress -Q "if exists( select * from fn_my_permissions(NULL, 'SERVER') where permission_name = 'CONTROL SERVER') print 'You are a sysadmin.'"
    David http://blogs.msdn.com/b/dbrowne/

  • Sql server 2014 set password for backup file

    We are using sql server 2014, all our databases will be automatically backed up as per schedule. Now need to protect our
    backed up databases with password. We have tried below queries:
    BACKUP DATABASE teknomectest TO DISK='C:\test.BAK' WITH MEDIAPASSWORD='sqlpas'
    Executing it shows below error
    One or more of the options (mediapassword) are not supported for this statement.
    Analyzing which we came to know this feature is blocked in sql server 2012 itself. Is there any other way to protect bak file.
    Bala

    MayurPaghal, Bala said he is using SQL server 2014
    Beginning with SQL Server 2012, the PASSWORD and MEDIAPASSWORD options
    are discontinued for creating backups. It is still possible to restore backups created with passwords.
    https://msdn.microsoft.com/en-us/library/ms186865.aspx

  • Server 2012 Password issue on new domain

    We recently setup a new domain controller running Server 2012 R2 standard 64 bit. All user profiles were setup in Active Directory. The default password we set users was Welcome1 and we chose all the defaults for the password policy. We set each account
    to force the user to change their password when they first login.
    The issue we see is that when a user logs in and tries to change their password, it will not let them change their password the way it should be. For example, the account "testuser" was set to Welcome1. When I tried to change it to
    Atlanta@2 or Georgia8 or Nexeo+=7 or Kentucky9 it said "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements
    of the domain"
    I then tried to change it to Welcome2 and it accepted it.
    I then went on the server and reset it logged in as administrator and see no issues (I can change it to whatever I want). So the issue is on the user end. I also turned OFF complexity requirements.
    I logged back into the account and tried to change the password to Kentucky7 and it worked. I then did a CTRL ALT DEL and tried to change it to Kentuky9 and it gave the same error.
    I'm not sure what is going on. Maybe there are time intervals on how often a user is allowed to change their password in Server 2012? Any ideas as to what is going on?

    I logged back into the account and tried to change the password to Kentucky7 and it worked. I then did a CTRL ALT DEL and tried to change it to Kentuky9 and it gave the same error.
    I'm not sure what is going on. Maybe there are time intervals on how often a user is allowed to change their password in Server 2012? Any ideas as to what is going on?
    You must set minimum password age.
    What is this:
    Minimum password age
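
The minimum password age behaviour discussed in this thread, and the 30-day minimum in the first post on this page, can be checked per account. This is an added example, not code from either thread: `Get-PasswordChangeWindow` and `Get-ADPasswordChangeWindow` are hypothetical helper names, the dates are constructed, and the live lookup assumes the ActiveDirectory (RSAT) module.

```powershell
# Added example, not code from the thread. Policy values are the ones quoted on this
# page; the dates are constructed sample data.

function Get-PasswordChangeWindow {
    param(
        # $null means pwdLastSet = 0 ("User must change password at next logon").
        [Nullable[datetime]]$PasswordLastSet,
        [Parameter(Mandatory = $true)][timespan]$MinPasswordAge,
        [Parameter(Mandatory = $true)][timespan]$MaxPasswordAge,
        [datetime]$Now = (Get-Date)
    )

    if ($null -eq $PasswordLastSet) {
        # A change forced at next logon is not held back by the minimum age.
        return [pscustomobject]@{
            CanChangeNow   = $true
            EarliestChange = $Now
            Expires        = $null
            Reason         = 'Change required at next logon; minimum age not applied'
        }
    }

    $earliest = $PasswordLastSet + $MinPasswordAge
    # A maximum age of zero means the password never expires.
    $expires = $null
    if ($MaxPasswordAge -gt [timespan]::Zero) { $expires = $PasswordLastSet + $MaxPasswordAge }

    if ($Now -ge $earliest) {
        $reason = 'Minimum age satisfied; length, complexity and history still apply'
    } else {
        $reason = 'Blocked by minimum password age for another {0:N1} days' -f ($earliest - $Now).TotalDays
    }

    [pscustomobject]@{
        CanChangeNow   = ($Now -ge $earliest)
        EarliestChange = $earliest
        Expires        = $expires
        Reason         = $reason
    }
}

# Live lookup. Needs the ActiveDirectory module (RSAT); defined here but not called.
function Get-ADPasswordChangeWindow {
    param([Parameter(Mandatory = $true)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet
    # A fine-grained password policy, when one applies, overrides the domain policy.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    Get-PasswordChangeWindow -PasswordLastSet $user.PasswordLastSet `
        -MinPasswordAge $policy.MinPasswordAge -MaxPasswordAge $policy.MaxPasswordAge
}

# Constructed sample: the 30/60-day policy from the first post, password set 9 days ago.
$now = Get-Date '2015-03-10'
Get-PasswordChangeWindow -PasswordLastSet (Get-Date '2015-03-01') `
    -MinPasswordAge (New-TimeSpan -Days 30) -MaxPasswordAge (New-TimeSpan -Days 60) -Now $now

# Constructed sample: account flagged "must change password at next logon".
Get-PasswordChangeWindow -PasswordLastSet $null `
    -MinPasswordAge (New-TimeSpan -Days 30) -MaxPasswordAge (New-TimeSpan -Days 60) -Now $now
```

On a domain-joined machine, `Get-ADPasswordChangeWindow -Identity testuser` reports the same fields for the account named in the thread.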

  • Unable to login Windows Server 2012 after making local policy changes

    Experts, we have modified the local policy settings on a Windows Server 2012 machine which, unfortunately, was a domain controller, and now none of the users are able to log in to the server. After entering the user name and password it gets as far as the welcome screen and then errors
    out saying the user name or password is incorrect. Below are the steps which we followed:
    1. The policy setting located in Computer Configuration\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos was changed from Not Configured to DES_CBC_MD5.
    2. Changed the user attribute msDS-SupportedEncryptionTypes to 2; this is the account we used for Kerberos authentication.
    3. Logged off from the server, and then the server doesn't allow any user to log in.
    regards,
    Jakk 

    Have you tried connecting to the server from a 2nd DC? Have you tried installing the RSAT tools on a domain member server and modifying the offending policy?
    The last choice would be to restart the DC in safe mode.
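
To audit the attribute changed in step 2 of the post above before it causes a lockout, the msDS-SupportedEncryptionTypes bitmask can be decoded and DES-only accounts flagged. This is an added example, not code from the thread: `Get-KerberosEncTypeReport` and `Get-ADKerberosEncTypeReport` are hypothetical helper names, the account list is constructed, and the live query assumes the ActiveDirectory (RSAT) module.

```powershell
# Added example, not code from the thread. Bit values are the documented
# msDS-SupportedEncryptionTypes flags; the account list is constructed sample data.

$EncTypeBits = @(
    @{ Bit = 0x01; Name = 'DES_CBC_CRC' },
    @{ Bit = 0x02; Name = 'DES_CBC_MD5' },
    @{ Bit = 0x04; Name = 'RC4_HMAC' },
    @{ Bit = 0x08; Name = 'AES128_CTS_HMAC_SHA1_96' },
    @{ Bit = 0x10; Name = 'AES256_CTS_HMAC_SHA1_96' }
)

function Get-KerberosEncTypeReport {
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        # $null or 0 means the attribute is unset and the defaults apply.
        [Nullable[int]]$Value
    )
    $v = if ($null -eq $Value) { 0 } else { [int]$Value }
    $names = @($EncTypeBits | Where-Object { $v -band $_.Bit } | ForEach-Object { $_.Name })
    $hasDes   = ($v -band 0x03) -ne 0
    $hasOther = ($v -band 0x1C) -ne 0   # RC4 or AES also allowed

    [pscustomobject]@{
        Account  = $Account
        Value    = $v
        EncTypes = if ($names.Count) { $names -join ', ' } else { '(not set)' }
        # DES is disabled by default on Windows 7 / Server 2008 R2 and later, so an
        # account restricted to DES has no enabled encryption type in common with them.
        DesOnly  = $hasDes -and -not $hasOther
        HasAes   = ($v -band 0x18) -ne 0
    }
}

# Live query. Needs the ActiveDirectory module (RSAT); defined here but not called.
function Get-ADKerberosEncTypeReport {
    $attr = 'msDS-SupportedEncryptionTypes'
    Get-ADObject -LDAPFilter "(&(sAMAccountName=*)($attr=*))" -Properties $attr, sAMAccountName |
        ForEach-Object { Get-KerberosEncTypeReport -Account $_.sAMAccountName -Value $_.$attr }
}

# Constructed sample accounts. Value 2 is the setting described in step 2 of the post.
$sample = @(
    @{ Account = 'svc-kerberos'; Value = 2 },
    @{ Account = 'APP01$';       Value = 28 },
    @{ Account = 'legacy-svc';   Value = 3 },
    @{ Account = 'jdoe';         Value = $null }
)

$report = $sample | ForEach-Object { Get-KerberosEncTypeReport -Account $_.Account -Value $_.Value }
$report | Format-Table -AutoSize

# Accounts to review before tightening or changing the Kerberos encryption policy.
$report | Where-Object { $_.DesOnly } | Select-Object -ExpandProperty Account
```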

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some expert advice on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings which I am concerned with:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement).
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
    This depends on where our outlook data files are stored. If these data files are stored under
    drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • How do I set firefox as the default browser in Windows Server 2012 Group Policy Editor?

    Hello, I am unable to set firefox as the default browser despite multiple different attempts to do so using group policy.
    I have:
    - Set a registry command (targeted at 32/64 via a WMI query) to reset the opening command as shown below:
    HKEY_CURRENT_USER\Software\Classes\http\shell\open\command
    "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "%1"
    - Set a powershell logon script to run (that does run):
    firefox.exe -silent -setDefaultBrowser
    Despite setting the above it seems the client computers browsers are not affected by the settings above. When the script runs or if I run the command above a UAC window pops up and requests that I accept the command (for the setDefaultBrowser) but even if I click yes as an administrator it does nothing.
    Since GPO in 2012 has changed perhaps there is something that I am missing? Do I need to somehow disable Windows Internet Explorer from achieving default browser status?
    Please do not reply if you will suggest that I use Internet Explorer Maintenance (since this function in GPO has been disabled since IE10)
    My DC is Server 2012, my client computers are Win7 32/64.

    The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.

  • Windows Server 2012 Group Policy Block USB Storage devices @ User Level Not getting applied on a Domain Client machine with Windows Server 2008 R2. Why?

    Hello,
    I have a Windows Server 2012 R2.
    I have configured the Group Policy on it to block the usage of USB - Storage Devices @ user level on the client machines. It works properly for my Windows 7 client machines but it's not working on one of the machine having Windows Server 2008 R2 installed
    on it (this machine is also a domain client in the same domain).
    I will really be thankful if anyone can suggest some solution to this issue.
    Please feel free to write back in-case I have missed anything obvious to be shared.
    Thanks!
    -Vinay Pugalia

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Community Support

  • Can't edit default domain controllers policy on windows 8 or server 2012

    I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine.  I can edit and save changes fine from a Windows 7 machine.  The domain controllers are running Windows 2012 Standard upgraded
    from Windows 2008 R2.  Is there a security setting I am missing?

    Posting the resolution from the other thread.  Hope it helps!
    I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall
    change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went
    to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
    editing the GPO once from a 2008 R2 machine.

  • Server 2012 Group Policy Templates installed on Server 2008 R2

    Setup: 2 x Domain Controllers running Server 2K8 R2 SP1
    We are currently running our environment with IE9 and want to upgrade to IE11. However 2K8 R2 group policy doesn't support IE11 unless you upgrade your DCs to this version of IE. We are not going to deploy IE11 all at once but instead as we reimage or replace
    PCs.
    My question is, can I install the Server 2012 templates from http://www.microsoft.com/en-us/download/details.aspx?id=36991 on 2008 R2 and have the ability to apply GP objects to both versions of the browser? Will it possibly make some of the current GPs ineffective
    by erasing some settings?
    Maybe there is a better way for me to do this? Any help on this would be appreciated! Thanks in advance.
    I will monitor this thread very closely and reply to any questions as soon as I can. Thanks!
    BCU

    Yes, this can be done and it's advisable to install the latest and greatest admx templates. Please be aware that from IE10 upwards IE Maintenance is deprecated and applied via a GPP. I'd advise you create a central store for your admx and adml files if not
    already done so.
    http://support.microsoft.com/kb/929841

  • Sun Directory Server Password Policy Problems

    Hi,
    I am using Sun Directory Server and Sun AM (2005Q1).
    We are using SUN DS to configure the password policy to expire user passwords after 30 days.
    Also, the warning has been set to "one day before expiry". However, when the warning IS displayed to the user and the user changes his/her password on display of the warning, even though the user's password expiration timestamp attribute contains a new timestamp (which is 30 days hence the date of change), on next login user is AGAIN thrown the warning that his/her password will expire in "HH hours: MM mins".
    I do not understand what needs to be done to fix this. Any help would be appreciated.

    How is the user authenticated ? Through Access Manager or directly to the Directory Server ?
    Access Manager can be configured to handle Password expiration, and so can Directory Server. I would advise you to check which system is actually throwing the warning.
    Regards,
    Ludovic
