Changes are not applied when you change the password policy

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 Datacenter More

Symptoms


When you change the password policy, the changes are not applied as expected.

Cause


This issue can occur in either of the following scenarios:
  • The Block Policy Inheritance option is enabled on the Domain Controllers organizational unit.
  • The password policy is not set in the Default Domain policy.

Resolution


To resolve this issue, disable the Block Policy Inheritance option on the Domain Controllers organizational unit:
  1. Start the Active Directory Users and Computers snap-in.
  2. Right-click the Domain Controllers organizational unit, click Properties, and then click to clear the Block Policy Inheritance check box.
  3. On the domain controllers, run the following command:
    secedit /refreshpolicy machine_policy /enforce
If this issue occurs because you did not set password policy in the Default Domain policy, set all password policies in the Default Domain policy.

Status


This behavior is by design.

More Information


In Windows 2000, password policies are read-only at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.