How do I implement a Fine-grained password policy and expect XP machines to play nice?

I have a 2008 R2 functional level domain and am in the middle of implementing the first actual password policy my organization is going to use.

To slowly roll this out to our users, we have chosen to use a fine-grained password policy (FGPP) to only apply to certain users of our choosing. To do this, we are assigning this policy to a group, using it as a shadow group. We have already gone through the process of creating the PSO object and confirming the new policy only applies to users inside that group. Once we feel comfortable, we will then remove this PSO and move the password policy to the Default Domain Policy. Luckily, I was able to get by with using only one policy for all users.

Out of the 5,000 or so desktops, we're probably still over 75% Windows XP. In our testing, we found that if this FGPP applies to a user in this new group and they are forced to change their password while logging into a Windows 7 PC, it works great. However, when signing into a Windows XP PC, it still forces them to change their password, but the error message uses the policy from the Default Domain Policy. If we were to begin rolling this out, users would be confused once they try a password and receive an error message telling them to try another when those aren't the actual requirements.

As referenced in this Technet article, this is a known behavior, and the article recommends ignoring it. This is not possible for us. We cannot use FGPPs if this comes up on Windows XP PCs.

We have thought about setting the "password never expires" attribute to all users and then implementing the password policy at the Default Domain Policy level but we'd rather not do that due to possible mass-chaos if something were to go wrong.

Has anyone ever run into this before or can offer any suggestions? Is this error message in the GINA somewhere? Can it be modified at all?
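The verification step the question describes (confirming which policy actually wins for each member of the shadow group, and how far it differs from the Default Domain Policy that the XP prompt quotes) can be scripted. This is an added example, not code from the original post; it assumes the ActiveDirectory module from RSAT and a placeholder shadow group name "FGPP-Pilot-Users".

```powershell
# Added example (not from the original question). For every user in the FGPP
# shadow group, report the resultant password policy (the PSO with the lowest
# precedence that applies) next to the Default Domain Policy settings, and flag
# users for whom a Windows XP logon prompt would quote requirements that differ
# from what the domain controller really enforces.
Import-Module ActiveDirectory

$ShadowGroup = 'FGPP-Pilot-Users'   # placeholder: substitute your own group

# Settings the XP error message is based on (Default Domain Policy).
$Default = Get-ADDefaultDomainPasswordPolicy

$Members = Get-ADGroupMember -Identity $ShadowGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$Report = foreach ($Member in $Members) {
    # $null when no PSO applies and the domain default is in force.
    $Pso = Get-ADUserResultantPasswordPolicy -Identity $Member.SamAccountName
    $Effective = if ($Pso) { $Pso } else { $Default }

    # True when the PSO differs from the default on any setting the XP
    # message describes (length, complexity, history).
    $Misleading = ($null -ne $Pso) -and (
        ($Effective.MinPasswordLength   -ne $Default.MinPasswordLength) -or
        ($Effective.ComplexityEnabled   -ne $Default.ComplexityEnabled) -or
        ($Effective.PasswordHistoryCount -ne $Default.PasswordHistoryCount))

    [pscustomobject]@{
        User                = $Member.SamAccountName
        AppliedPolicy       = if ($Pso) { $Pso.Name } else { 'Default Domain Policy' }
        MinLength_Effective = $Effective.MinPasswordLength
        MinLength_Domain    = $Default.MinPasswordLength
        Complexity_Effective = $Effective.ComplexityEnabled
        Complexity_Domain   = $Default.ComplexityEnabled
        History_Effective   = $Effective.PasswordHistoryCount
        History_Domain      = $Default.PasswordHistoryCount
        XpMessageMisleading = $Misleading
    }
}

$Report | Format-Table -AutoSize

# How many clients still report Windows XP, i.e. where the stale message shows.
$XpCount = (Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
            -Properties OperatingSystem | Measure-Object).Count
"Computers reporting Windows XP: $XpCount"
```

Run it from a workstation or server with RSAT as a user who can read the PSO container; rows with XpMessageMisleading set to True are the pilot users who will see the wrong requirements on an XP logon.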


Solution 1:

This is by design, and in the code. In Windows XP you would get the default password error message, which covered the password settings you can configure with the Default Domain Policy.

Starting with Vista you now receive "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain." Microsoft made it more generic to cover all the different FGPP options there are. They never went back and changed the code in Windows XP. Hence why you see the Default Domain Policy password message.

If you did want to change it, you would have to create a custom logon UI provider. However, since Windows XP is down to less than a year of support, you might be better off just training the staff about the issue. Or spend the time upgrading the rest of the XP clients.