Granular Password setting error

I try to use Granular Password Setting in Windows Server 2008. I did all the
necessary configuration in ADSI Edit, but at the end of the create object wizard I
get this error:

Operation failed. error code: 0x20e7
The modification was not permitted for security reasons.
000020E7: SvcErr: DSID-03050681, problem 5003
(WILL_NOT_PERFORM), data 0

April 25th, 2008 2:03pm

Check the formats of your values and that the times don't overlap.

PowerGUI has a tool for managing FGPPs too: http://powergui.org/entry.jspa?externalID=882&categoryID=46

April 25th, 2008 5:37pm

For more info on PSOs see:

http://blogs.dirteam.com/blogs/jorge/archive/2007/08/09/windows-server-2008-fine-grained-password-policies.aspx

http://blogs.dirteam.com/blogs/jorge/archive/2007/09/11/determining-the-effective-pso-for-a-user.aspx

May 13th, 2008 11:47pm

Hello,

Same problem on my server. Values are correct and the times don't overlap.

Got any answer?

Greetings,
Eric
June 16th, 2008 1:29pm

Download the FGPP-tool from either http://www.specopssoft.com/wiki/index.php/SpecopsPasswordPolicybasic/SpecopsPasswordPolicybasic/ or http://blogs.chrisse.se/blogs/chrisse/pages/fine-grain-password-policy-tool.aspx which will let you configure a FGPP without having to use ADSI-edit.
June 17th, 2008 6:24pm

The Tool from Specops worked fine for me! Thank you very much.
June 18th, 2008 9:45am

I came across this problem in a Microsoft e-learning lab. I made sure to use the correct values and the times do not overlap. Of course, it's the first one I've tried to do since I just got the subscription. Unfortunately, in a Microsoft Lab you can't download and install software. They don't even allow you to follow the help links to their own domains... Guess I'll just have to skip that one... :( So far I can see why 2008 is so great!
January 9th, 2009 6:31am

Howdie!

Can you share the exact values you tried to put into the fields? The error above gets thrown either when AD's internal functions can't parse the value to a DS friendly format or the times do overlap somehow. You may want to share your values so we can validate them.

cheers,

Florian
January 9th, 2009 10:18am

Let me add another great PSO-mgmt tool here, it's PSOMgr from joe:
http://www.joeware.net - it's command line based and lets you create and edit your PSOs - even shows you the resultant PSO for a user if I remember correctly.

cheers,

Florian
January 9th, 2009 10:20am

Hi all,

I had the same problem in my lab.
The fact that I used 0:00:00:00 or 0 (which translates to "None") for the attribute "msDS-LockoutDuration" caused the same error.
When I used another value like 1:00:00:00 the PSO was created without the error.
I cannot change the value to zero after the PSO is changed because then the same error will show.

No solution there.....

greets,
Andre
February 7th, 2009 3:55pm

We had the same issue and found that the msDS-LockoutObservationWindow could not be longer than the msDS-LockoutDuration. Also the msDS-MaximumPasswordAge cannot be set to 00:00:00:00.
March 19th, 2009 2:21am

I had the same problem. When entering a zero value or 00:00:00:00 use "(never)".
July 12th, 2009 5:13am

Yeah, creating a PSO with ADSIEdit has a few caveats as it doesn't come up with good error messages if something went wrong. I'd suggest you look into joe's PSOMgr command line tool: http://www.joeware.net/freetools/tools/psomgr/index.htm - it is free and should be easier to handle than ADSIEdit.

Cheers,
Florian
July 12th, 2009 10:06pm

Hi All,

I have tried the same and got the same error: Operation failed. error code: 0x20e7

I have done some research and the solution is: please upgrade your domain functional level and reboot your DC once and try again.

I hope it will work ....:)

Vishwa (MCITP)

June 15th, 2010 2:03pm

What version of AD are you using and what is the DFL and FFL?

 

--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

June 15th, 2010 3:31pm

Paul,

I got the same error as per above. Since you asked about the DFL and FFL, this happens on an AD domain that has:

Domain Functional Level: Windows 2008

Forest Functional Level: Windows 2008

 

Thanks

September 29th, 2011 5:33pm

I try to use Granular Password Setting in Windows Server 2008. I did all the
necessary configuration in ADSI Edit, but at the end of the create object wizard I
get this error:

Operation failed. error code: 0x20e7
The modification was not permitted for security reasons.
000020E7: SvcErr: DSID-03050681, problem 5003
(WILL_NOT_PERFORM), data 0

This is not related to security, but to inconsistent values.

msDS-LockoutDuration must be equal or greater than msDS-ObservationWindow!

Think logically, you cannot unlock (msDS-LockoutDuration) an account BEFORE the system resets the duration period (msDS-ObservationWindow) of unsuccessful logons.

-

Alexey,

MCITP, MCT

October 13th, 2011 12:32pm

This is not related to security, but to inconsistent values.

msDS-LockoutDuration must be equal or greater than msDS-ObservationWindow!

Think logically, you cannot unlock (msDS-LockoutDuration) an account BEFORE the system resets the duration period (msDS-ObservationWindow) of unsuccessful logons.

-

Alexey,

MCITP, MCT

Thank you for explaining this! A lot of previous answers of "go and get another utility" do not actually help people to learn why they have the issue in the first place.
December 12th, 2011 11:50pm

The problem is that you are trying to set an attribute value to 0 (zero) for which that value is not allowed.  For example, msDS-MaximumPasswordAge cannot be set to 0 (zero).  This is what the (WILL_NOT_PERFORM),data 0 part of your error message refers to.  See this link for allowed values - http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx


February 2nd, 2012 9:56pm
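
The two value rules reported in this thread (msDS-LockoutObservationWindow not longer than msDS-LockoutDuration, and msDS-MaximumPasswordAge not zero) can be checked before the values are typed into ADSI Edit. The PowerShell script below is an added example, not posted by any participant in the thread; the function names are hypothetical, the sample values are constructed from figures quoted in the thread, and "(never)" is assumed to compare as longer than any d:hh:mm:ss value.

```powershell
# Added example: pre-check PSO duration values against the rules reported in this thread.
# Function names are hypothetical; sample values are constructed.

function ConvertTo-PsoTimeSpan {
    param([string]$Value)
    $v = $Value.Trim()
    # Assumption: "(never)" is modelled as longer than any finite duration.
    if ($v -eq '(never)') { return [TimeSpan]::MaxValue }
    if ($v -notmatch '^(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})$') {
        throw "Not in d:hh:mm:ss format: '$Value'"
    }
    # TimeSpan(days, hours, minutes, seconds)
    return New-Object TimeSpan -ArgumentList ([int]$Matches[1]), ([int]$Matches[2]), ([int]$Matches[3]), ([int]$Matches[4])
}

function Test-PsoDurations {
    param(
        [string]$MaximumPasswordAge,
        [string]$LockoutObservationWindow,
        [string]$LockoutDuration
    )
    $problems = @()
    $maxAge   = ConvertTo-PsoTimeSpan $MaximumPasswordAge
    $window   = ConvertTo-PsoTimeSpan $LockoutObservationWindow
    $duration = ConvertTo-PsoTimeSpan $LockoutDuration

    # Rule from the thread: maximum password age cannot be zero.
    if ($maxAge -eq [TimeSpan]::Zero) {
        $problems += 'msDS-MaximumPasswordAge is zero; use a non-zero value or (never)'
    }
    # Rule from the thread: observation window cannot be longer than lockout duration.
    if ($window -gt $duration) {
        $problems += 'msDS-LockoutObservationWindow is longer than msDS-LockoutDuration'
    }
    return ,$problems   # leading comma keeps an empty result as an array
}

# Constructed samples: one consistent set, one zero lockout duration, one zero max age.
$samples = @(
    @{ Name = 'consistent';      Max = '42:00:00:00'; Window = '0:01:00:00'; Duration = '0:01:00:00' },
    @{ Name = 'zero lockout';    Max = '42:00:00:00'; Window = '0:00:30:00'; Duration = '0:00:00:00' },
    @{ Name = 'zero max age';    Max = '00:00:00:00'; Window = '0:00:30:00'; Duration = '(never)' }
)
foreach ($s in $samples) {
    $p = Test-PsoDurations -MaximumPasswordAge $s.Max -LockoutObservationWindow $s.Window -LockoutDuration $s.Duration
    if ($p.Count -eq 0) { '{0}: OK' -f $s.Name } else { '{0}: {1}' -f $s.Name, ($p -join '; ') }
}
```

A set of values that passes these checks can still be rejected by the directory for other reasons; the script only covers the two rules named in this thread.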

Once I manually set the root domain attributes manually - pwdProperties. With ADSIEDIT on properties I changed my dc=domain,dc=com attribute from 0 to 1 (0x1 Complex). I did that because my Default Domain Policy was not working and this was the only way I figure out, without using the dcgpofix. 

Another thing. Can you create a PSO with high security for example:

minpwdlen:8, minpwd: 1:00:00:00, maxpwd: 42:00:00:00, history:24, complex: true, lockout:5,lockoutdur:0:01:00:00, lockoutcounter:0:01:00:00, reversible:false,.... Try this and tell us. You can also check the root domain properties with attribute editor, and check to see anything.

I also discovered that you can use "(never)" without quotes on the maximumpasswordduration.

Gustavo de Freitas Alves

Hepta Tecnologia e Inform

June 12th, 2012 9:42pm

Thank you :), that was the mistake I did.
November 11th, 2012 9:13am

I had same problem in adsiedit with msDS-MaximumPasswordAge set to 00:00:00:00.

When I changed that to 42:00:00:00 it worked.

Wonder why the max pwd cannot be set to none or zero?

July 12th, 2013 6:31am

This topic is archived. No further replies will be accepted.
