I'm trying to set up an account on a Windows 7 machine that has no password. However, there are complexity requirements getting in the way.

It might be of interest that this computer is connected to a network that uses a domain, but the user account in question is not registered on the domain, but on the local machine, and I have administrative access.

I was able to disable this policy on a similar computer on the same network by going to Start -> Run -> secpol.msc, navigating to Account Policies -> Password Policy -> Password must meet complexity requirements and disabling the option. However, on this computer those options are grayed out and I can't figure out how to change them. Nor does there seem to be another instance within my field of Google queries that had a similar predicament.

Can anyone point me to how to enable these radio buttons so I can disable this option?

Thanks in advance.

Edit in response to comments:

  • Both computers in question are running Windows 7 Enterprise 64-Bit OS's
  • The attempts to change this password policy occurred on the same day
  • They are on the same domain and in the same OU, as they have the given network addresses: `LDAP://CN=WMSBUILD,CN=Computers,DC=aquaveo,DC=local` and `LDAP://CN=WMSROBOT,CN=Computers,DC=aquaveo,DC=local`
Assimilater
  • Not all Windows 7 versions have the same Group Policy options. Maybe the first computer was an Ultimate version while the second was a Starter version. Windows XP Home Edition, for that matter, doesn't have Group Policy by default. – Doktoro Reichard Sep 18 '13 at 21:45
  • They are both Windows 7 Enterprise. Edit: both are x64 OS's if that makes a difference as well. – Assimilater Sep 18 '13 at 21:46
  • Were they both joined to the same domain? Are they both in the same OU? You can find this out by running this: http://blogs.technet.com/b/heyscriptingguy/archive/2006/12/06/how-can-i-determine-the-ou-the-local-computer-belongs-to.aspx (I would paste just the code but that won't look right in a comment). – krowe Sep 18 '13 at 22:13
  • @krowe they are both joined to the same domain. From the link you pasted, is this VB code? I'm not sure where to run it, as it isn't recognizable code to the Windows command prompt... – Assimilater Sep 18 '13 at 22:20
  • It is a Windows scripting host file. Paste it into a file with a *.vbs extension and click the file to run it. A tutorial is here if it interests you: http://www.makeuseof.com/tag/batch-windows-scripting-host-tutorial/ or http://technet.microsoft.com/en-us/scriptcenter/dd940112.aspx – krowe Sep 18 '13 at 22:27
  • @krowe Upon running this script I get an error on line 4 "Set objComputer = GetObject("LDAP://" & strComputer)" saying the specified domain either does not exist or could not be contacted. – Assimilater Sep 18 '13 at 22:34
  • What happens if you put this on the 3rd line: `Wscript.Echo "LDAP://" & strComputer` ? It will error out after the first dialog but we only care about that right now. – krowe Sep 18 '13 at 22:39
  • They both show almost the same thing: LDAP://CN=WMSBUILD,CN=COmputers,DC=aquaveo,DC=local (the other computer replace WMSBUILD with WMSROBOT and they're identical) – Assimilater Sep 19 '13 at 17:38
  • As a side note for looking up policies, if you are on a version of Windows that supports domains you should be able to do `rsop.msc` in the run dialog to run the "[Resultant Set of Policy Snap-in](http://msdn.microsoft.com/en-us/library/windows/desktop/aa372116%28v=vs.85%29.aspx)" which will tell you the end result of all of the group policies applied to both the computer and user you are running it on. I would suggest you run it on both computers and compare the outputs. – Scott Chamberlain Sep 23 '13 at 20:17
  • @ScottChamberlain Now this is interesting! So there are no account policies set in either computer's User Configuration, but on the one I was able to change the password for it lists all of the password policy settings as 'Not Defined' with no Source GPO, whereas the other one uses the Default Domain Policy. Do you know how to change this? I assume it's possible since this other computer is mounted to the domain yet doesn't use that GPO... – Assimilater Sep 23 '13 at 20:27
  • @Assimilater You would need to talk to the IT person administering the domain, it is very easy to set exclusion rules on policies on things other than just OU. For example the machine itself (not any of the users) could be a part of a special group that gets excluded from password restriction rules. – Scott Chamberlain Sep 23 '13 at 20:38
  • @ScottChamberlain Well, we found an alternate solution that works for us, so it's not as much a concern anymore (making me wonder what to do with this question) but it still stumps us, that from the network standpoint these two computers have the same settings yet one is somehow configured to not use the default network policy locally (IT doesn't understand how that's possible frankly...) – Assimilater Sep 23 '13 at 20:53

1 Answer

It doesn't matter that the account isn't a domain account: The policy is for the computer, nothing you do short of rebuilding it and/or removing it from the domain will surpass it.

Even if it did, questions on circumventing security policies are off-topic, and will likely be closed, sorry.

MDMoore313
  • Circumventing domain level policies is not really what I'm after. The fact I was able to set up an account this way on another computer on the same domain with the same policies tells me this *should* be doable with the current policies. If for some paranormal reason it isn't I have regular contact with the network admins and we could work something out. – Assimilater Sep 19 '13 at 17:40
  • @Assimilater the only thing I can think of is that on the other machine the policy might not have been applied at the time that you created the account. – MDMoore313 Sep 19 '13 at 18:47
  • Well, I actually just started doing this two days ago, so time isn't a factor. Thanks for taking the time to provide your input, though. – Assimilater Sep 19 '13 at 19:34
  • @MDMoore313 How are these kinds of questions off-topic? If there was some sort of malicious intent in the question I would agree, but this seems like a legitimate problem. – Doktoro Reichard Sep 19 '13 at 20:59
  • It appears this is the real answer. Rather than viewing WMSROBOT (the computer that was using the default network policy) as the anomaly I should view the computer that somehow connected to the domain without adopting its security policies as the anomaly. – Assimilater Sep 23 '13 at 21:29
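
The comparison suggested in the comments can also be done on exported policy files, shown here as an added example that is not part of the original thread: export each machine's settings with `secedit /export /cfg <file> /areas SECURITYPOLICY` and diff the `[System Access]` section. The two inline exports and their values are constructed for illustration, and the function names are hypothetical.

```python
"""Added example: diff the password policy in two `secedit /export` files."""
import configparser

PASSWORD_KEYS = ("MinimumPasswordAge", "MaximumPasswordAge",
                 "MinimumPasswordLength", "PasswordComplexity",
                 "PasswordHistorySize")

# Constructed sample exports (values are illustrative, not from the thread).
TEMPLATE = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = {0}
MaximumPasswordAge = {1}
MinimumPasswordLength = {2}
PasswordComplexity = {3}
PasswordHistorySize = {4}
[Version]
signature="$CHICAGO$"
Revision=1
"""
WMSBUILD_INF = TEMPLATE.format(0, 42, 0, 0, 0)   # policy shows as not defined
WMSROBOT_INF = TEMPLATE.format(1, 42, 7, 1, 24)  # domain policy applied


def parse_system_access(text):
    """Return the password-policy integers from one export's text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # secedit keys are mixed case; keep them as-is
    parser.read_string(text)
    if not parser.has_section("System Access"):
        raise ValueError("no [System Access] section in export")
    section = parser["System Access"]
    return {k: int(section[k]) for k in PASSWORD_KEYS if k in section}


def load_export(path):
    """Read a real export from disk; secedit writes these files as UTF-16."""
    with open(path, encoding="utf-16") as handle:
        return parse_system_access(handle.read())


def diff_policy(a, b):
    """Return {setting: (a_value, b_value)} for every setting that differs."""
    return {k: (a.get(k), b.get(k)) for k in PASSWORD_KEYS if a.get(k) != b.get(k)}


if __name__ == "__main__":
    build = parse_system_access(WMSBUILD_INF)
    robot = parse_system_access(WMSROBOT_INF)
    for key, (left, right) in diff_policy(build, robot).items():
        print(f"{key}: WMSBUILD={left} WMSROBOT={right}")
```

The export shows only the values in effect; which GPO supplied them still comes from `rsop.msc`, as described in the comments.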