2

Ok. I have implemented a Password Policy. I know from previous posts that it cannot be applied from within an OU so I have configured it from the Default Domain Policy. I run RSOP.msc from a client machine and the policy settings are displayed with the Source GPO "Default Domain Policy." So it appears that it is working, but it's not. For example, I have a complexity requirement, but it accepts the password "a." It also allows me to change my password within Windows Security while the setting is "Minimum password age" of 89 days. Clearly the policy is not actually being applied!

What to do?

RSOP results for XXXX\XXXX on XXXXX-XXXXX: Logging Mode ---------------------------------------------------------- OS Type: Microsoft Windows XP Professional OS Configuration: Member Workstation OS Version: 5.1.2600 Domain Name: XXXXXX Domain Type: Windows 2000 Site Name: XXXXXX Roaming Profile: Local Profile: C:\Documents and Settings\XXXXX Connected over a slow link?: No COMPUTER SETTINGS ------------------ CN=XXXXXXXXX,OU=UserComputers,DC=corp,DC=XXXXX,DC=com Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM Group Policy was applied from: tfs.corp.emergingmed.com Group Policy slow link threshold: 0 kbps Applied Group Policy Objects ----------------------------- Published Software Copy of Base Default Domain Policy The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) The computer is a part of the following security groups: -------------------------------------------------------- BUILTIN\Administrators Everyone SQLServerMSSQLServerADHelperUser$XXXXX BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users XXXXXXX$ Domain Computers People USER SETTINGS -------------- CN=XXXXXX,OU=Employees,DC=corp,DC=XXXX,DC=com Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM Group Policy was applied from: tfs.corp.XXXXX.com Group Policy slow link threshold: 0 kbps Applied Group Policy Objects ----------------------------- Published Software Startup Scripts Copy of Base Default Domain Policy The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) The user is a part of the following security groups: ---------------------------------------------------- Domain Users Everyone BUILTIN\Administrators Remote Desktop Users BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL
Improve this question
3
  • Just to rule out weirdness, have you done a gpupdate on an affected machine? Commented Oct 14, 2011 at 19:53
  • I restarted the machine several times since it was computer policy and my understanding is that computer policy changes require a restart - and upon restart it should do a gprefresh. I just did one anyway though and I posted the gpresult above. Commented Oct 14, 2011 at 19:58
  • Do you think it matters that my PC is in an OU (UserComputers)? Commented Oct 14, 2011 at 20:10

1 Answer 1

Reset to default
6

The password policy should be applied to the OU of the servers where the account database is. If you are trying to control the password on the active directory this means your policy should be applied to Domain Controllers OU. If you have inheritance blocked on your Domain Controllers OU, then modifying the Default Domain policy which is linked at the root by default will not do what you want.

By setting the policy at the default domain level you are probably controlling the password policy of your workstation. By this I mean the local accounts on your workstations would have now have the password requirements. Try creating a local account and setting a password.

This is partly relates to the same reason why you cannot have more then one password policy in a pre Windows 2008 domain. The policy must be applied to all the Domain Controllers, so there is no way to distinguish between different users/computers.

Even with the fine-grained policies in 2008 you cannot simply use a group policy, you have to setup special attributes in LDAP to have different objects target different password policies.

Improve this answer
1
  • You sir are excellent Commented Oct 14, 2011 at 21:50

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.