How to Override Domain Group Policy with Local GPO for Password Complexity Requirements


When domain and local group policies conflict, Windows follows a specific hierarchy. Domain Group Policies (applied through Active Directory) typically take precedence over local policies. This becomes problematic when you need temporary exceptions for specific machines, like provisioning special-case laptops with local guest accounts.

Windows processes policies in this sequence:

1. Local Group Policy (LGPO)
2. Site-level GPOs
3. Domain-level GPOs
4. OU-level GPOs (with deepest OU first)

The last applied policy wins, which explains why domain password policies usually override local settings.

For the password complexity issue specifically, consider these approaches:

1. Using LGPO Edit

Try navigating to:

gpedit.msc > Computer Configuration > Windows Settings > Security Settings > 
Account Policies > Password Policy

If settings are grayed out, you'll need to either:

  • Disconnect from the domain temporarily
  • Use the Local Security Policy snap-in (secpol.msc) instead

2. PowerShell Automation

For scripting the local policy change:

# Temporarily disable password complexity in the local security policy
# (run from an elevated session; the export contains a [System Access] section
# with PasswordComplexity = 1 when complexity is currently enforced)
secedit /export /cfg $env:temp\temp.inf
(Get-Content $env:temp\temp.inf) -replace "PasswordComplexity = 1","PasswordComplexity = 0" |
    Out-File $env:temp\temp.inf
# Re-import only the account/security policy area from the edited INF
secedit /configure /db $env:windir\security\new.sdb /cfg $env:temp\temp.inf /areas SECURITYPOLICY

3. Registry Override (Advanced)

As a last resort, you can modify the registry directly:

# LimitBlankPasswordUse = 1 restricts local accounts with blank passwords to
# console logon; 0 lifts that restriction. It does not change the complexity
# rule itself, which is enforced from the SAM account policy (see secedit above).
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LimitBlankPasswordUse" -Value 0

# For minimum password length: there is no Lsa registry value for this setting;
# net accounts writes the SAM account policy directly
net accounts /minpwlen:0

Remember that:

  • Domain controllers don't process local policies
  • Changes might be overwritten at next Group Policy refresh
  • Registry edits can cause system instability if done incorrectly
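As an added example (not part of the original answer), a PowerShell helper that backs up the local security policy, reads the effective [System Access] values, and checks whether a forced Group Policy refresh reverts a local change; the backup directory and file names are assumptions, and it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not from the original answer. Backs up the local policy,
# reports the [System Access] values secedit exports, and shows whether a
# Group Policy refresh overwrites a local change. Paths are illustrative.

function Get-LocalAccountPolicy {
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $text = Get-Content $inf -Raw
    Remove-Item $inf -ErrorAction SilentlyContinue
    # Keep only the [System Access] section (stop at the next "[" header)
    $section = (($text -split '\[System Access\]')[1] -split '\r?\n\[')[0]
    $policy = @{}
    foreach ($line in $section -split '\r?\n') {
        if ($line -match '^\s*(\w+)\s*=\s*(\S+)') { $policy[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        PasswordComplexity    = [int]$policy['PasswordComplexity']
        MinimumPasswordLength = [int]$policy['MinimumPasswordLength']
        PasswordHistorySize   = [int]$policy['PasswordHistorySize']
        DomainJoined          = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    }
}

function Backup-LocalSecurityPolicy {
    # Full export of the current local policy, kept so the exception can be undone
    param([string]$Path = "C:\SecPolBackup\local-$(Get-Date -Format yyyyMMdd-HHmmss).inf")
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    secedit /export /cfg $Path /quiet | Out-Null
    return $Path
}

function Test-PolicyRevertedByGpo {
    # Record the current values, force a computer policy refresh, report what changed
    $before = Get-LocalAccountPolicy
    gpupdate /target:computer /force | Out-Null
    $after  = Get-LocalAccountPolicy
    foreach ($name in 'PasswordComplexity', 'MinimumPasswordLength', 'PasswordHistorySize') {
        if ($before.$name -ne $after.$name) {
            Write-Warning "$name changed from $($before.$name) to $($after.$name) after GPO refresh"
        }
    }
}

$backup = Backup-LocalSecurityPolicy
Get-LocalAccountPolicy | Format-List
Test-PolicyRevertedByGpo
# Restore the saved settings once the exception is no longer needed:
# secedit /configure /db "$env:windir\security\restore.sdb" /cfg $backup /areas SECURITYPOLICY /quiet
```

If Test-PolicyRevertedByGpo reports a change on a domain-joined machine, the domain GPO is re-applying its values and a local edit will not hold between refreshes.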

For managed environments, better solutions include:

  • Creating a special OU with modified policies
  • Using Group Policy Preferences with item-level targeting
  • Implementing temporary policy exceptions via PowerShell DSC

When provisioning special-case devices like kiosks or shared workstations, administrators often encounter policy conflicts where domain-enforced password complexity requirements block necessary local configurations. The password policy hierarchy in Windows follows this order:

1. Domain Group Policy (highest precedence)
2. Local Group Policy
3. Default system settings

Windows applies policies using the following processing order (LSDOU):

  • Local policy (L)
  • Site policy (S)
  • Domain policy (D)
  • Organizational Unit policy (OU)

The key registry value controlling password complexity lives at:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange

For your specific guest account scenario, try these approaches:

# Create a local user; this only succeeds if the password satisfies the policy
# in effect on the machine, so relax the local policy first if complexity is enforced
New-LocalUser -Name "GuestAccess" -Password (ConvertTo-SecureString "simplepass" -AsPlainText -Force) -Description "Temporary guest account"

For broader policy override capability:

# Export current local policy
secedit /export /cfg C:\temp\local_policy.inf

# Modify the exported INF file
# Change PasswordComplexity = 0 under [System Access]

# Import modified policy
secedit /configure /db C:\temp\local_policy.sdb /cfg C:\temp\local_policy.inf

When dealing with domain-joined machines, consider these professional approaches:

  1. Create a dedicated OU with blocked inheritance for special devices
  2. Use Group Policy Preferences with item-level targeting
  3. Implement temporary policy exceptions with security filtering

For scripting solutions, this VBScript example demonstrates policy modification:

Option Explicit
Dim objSysInfo, objUser, objDomain

' Look up the AD object of the currently logged-on user
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

If objUser.Get("department") = "KioskDevices" Then
    ' minPwdLength is an attribute of the domain naming context object, not of
    ' the GPO container. The value is domain-wide (every account is affected),
    ' and the Default Domain Policy re-applies its own value on the next refresh.
    Set objDomain = GetObject("LDAP://DC=domain,DC=com")
    objDomain.Put "minPwdLength", 4
    objDomain.SetInfo
End If

For organizations with strict compliance requirements:

  Approach        Implementation                           Considerations
  Policy-based    OU-based policy exceptions               Requires AD permissions
  Technical       Local Security Authority modifications   Higher security risk
  Architectural   Stand-alone workgroup devices            Management overhead