Password policy in Active Directory - inactivation of complexity without effect
In my Samba Active Directory Domain, I want to allow passwords that are long (passphrase) and based only on small caps and special characters, i.e. no requirement for large caps and numbers.
In order to do so, I created a new domain-wide GPO for authenticated users where I disabled the complexity check (Password must meet password complexity requirement) and instead increased the minimum password length to 10.
I ran gpupdate to make sure the policy was distributed to the computer I'm sitting on. Unfortunately, this didn't have the expected effect; I still get the error message that my new password is not in line with the password policy.
A quick check using gpresult /v reveals the following information:
Account Policies
----------------
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 180
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 15
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 10
Security Options
----------------
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
What went wrong?
Update: Since a few commenters suggested I should do it via the Default Policy, I did that. The result remains exactly the same. I am attaching a screenshot of the policy just to avoid any doubt.
And here is a screenshot of the local security policy which confirms that the GPO was indeed applied. It looks fine but I can still create 8 digit passwords for domain users and they must include large caps and a number.
Ok, this caught me completely off guard. While a Samba Active Directory domain can usually be fully configured without any issues using RSAT, it seems that the password policy is one of these very few things where this doesn't work, or at least not in its entirety. The solution is to turn off complexity directly on the Samba server, using
# samba-tool domain passwordsettings set --complexity=off
I had not initially declared that I'm using Samba, so the other answers and comments are entirely valid for a Microsoft-only domain. I will adapt my question to reflect the use of Samba.
Update for clarification: As Joe pointed out, the GPO for the password settings is applied to the domain controller itself and not the clients like with regular GPOs. And that is the reason why this GPO could not take effect on a Samba DC. Samba can only serve GPOs, not apply them to itself.
Ignoring FGPP, there can be only one domain Password Policy. This is by default defined in the Default Domain Policy GPO. If you want to use a different Password Policy GPO then you need to link it to the domain and give it a higher precedence than the Default Domain Policy GPO. I suspect that's where your problem lies.
https://blogs.manageengine.com/active-directory/2014/05/16/domain-password-policies-configuring-and-auditing-correctly.html
EDIT:
Something to understand is that the Password Policy affects the local security accounts database. This means that when you're looking at the settings on a member computer you're looking at the settings that are applied to the local security account database on that member computer and will affect local user accounts on that member computer. For Active Directory users the local security account database is the Active Directory database, which is stored on the Domain Controllers. If you want to see what the Password Policy is for the domain then you need to run the Group Policy Results wizard against a Domain Controller, not against a member computer. Run that and post your results in your question.
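Both answers come down to the same point: the policy that counts for domain users is the one stored in the directory on the DC, not the one gpresult shows on a member computer. The following is an added example, not part of the original posts. It decodes the standard AD attributes pwdProperties, minPwdLength, minPwdAge and maxPwdAge from an LDIF dump of the domain object and compares them with the gpresult values from the question. The LDIF sample and the domain name samdom.example.com are constructed.

```python
TICKS_PER_DAY = 864_000_000_000   # ages are stored as negative 100 ns intervals
DOMAIN_PASSWORD_COMPLEX = 0x1     # complexity bit in pwdProperties

# Constructed sample: domain object of a DC that still enforces complexity,
# minimum length 7, minimum age 1 day and maximum age 42 days.
SAMPLE_LDIF = """\
dn: DC=samdom,DC=example,DC=com
pwdProperties: 1
minPwdLength: 7
minPwdAge: -864000000000
maxPwdAge: -36288000000000
"""

# What gpresult /v reported on the member computer in the question.
GPO_REPORTED = {
    "PasswordComplexity": False,
    "MinimumPasswordLength": 10,
    "MinimumPasswordAge": 15,
    "MaximumPasswordAge": 180,
}

def parse_ldif(text):
    """Return single-valued 'name: value' attributes from a small LDIF record."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and not line.startswith((" ", "#")):
            attrs[name] = value.strip()
    return attrs

def age_days(raw):
    """Convert a stored age to whole days; 0 means no limit."""
    ticks = int(raw)
    if ticks == 0 or ticks == -(2**63):   # both encode "never"
        return 0
    return abs(ticks) // TICKS_PER_DAY

def effective_policy(attrs):
    """Policy the DC enforces, keyed like the gpresult policy names."""
    return {
        "PasswordComplexity": bool(int(attrs["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
        "MinimumPasswordLength": int(attrs["minPwdLength"]),
        "MinimumPasswordAge": age_days(attrs["minPwdAge"]),
        "MaximumPasswordAge": age_days(attrs["maxPwdAge"]),
    }

def drift(reported, enforced):
    """Settings where the GPO report and the directory disagree."""
    return {k: (reported[k], enforced[k]) for k in reported if reported[k] != enforced[k]}

if __name__ == "__main__":
    for name, (gpo, dc) in drift(GPO_REPORTED, effective_policy(parse_ldif(SAMPLE_LDIF))).items():
        print(f"{name}: GPO reports {gpo!r}, DC enforces {dc!r}")
```

Any setting listed in the output is one the GPO never wrote into the directory, which is the state the question describes.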