Password GP applying to computer but not working

Answered Password GP applying to computer but not working

  • Tuesday, January 24, 2012 5:00 PM
     
     

    I am kind of new to creating GPOs (I started out and worked with Novell for 10 years and am now at a new place running Microsoft). We are running Server 2003 with AD. I want to create a password policy (the current company doesn't have one). I have heard that you must edit it in the Default Domain Policy. I have also heard you can create a new policy, so that's what I did, and I assigned it to my workstation (XP) and my user ID only (for testing). I ran gpupdate on my client machine, and when I run rsop.msc on my machine I see the correct password policy being applied, but when I go to change my password it doesn't follow it (password minimum), and the password never expires. My user is not set to "never expire" in AD. Any ideas? Is this because I do not have it set in the Default Domain Policy? Any help would be great.

All Replies

  • Tuesday, January 24, 2012 5:30 PM
     
     

    You should set the password policy in the "Default Domain Policy", which is linked to the domain.

    If you create a GPO with a password policy and link it to an OU, then it only applies to local accounts, not the domain accounts.

    Watch for OUs that might be blocking inheritance.

     


    • Edited by Brano Lukic Tuesday, January 24, 2012 5:31 PM
  • Tuesday, January 24, 2012 5:52 PM
     
     

    You can either modify the Default Domain Policy or create a new one, but it must be linked to the domain object. If you create a new GPO, it must have a higher priority than the Default Domain Policy.

    Linking a policy to an OU will not affect domain users. Password policy is stored in the Computer Configuration section of a GPO. It applies to users, not computers. When you apply it to the domain object, the DCs read the policy.

    If you apply it to an OU, it applies to the computer objects and affects the local accounts stored on those computers.

    Read more: http://www.itgeared.com/articles/1013-how-to-implement-active-directory

     


    Guides and tutorials, visit ITGeared.com.

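The distinction the reply above draws (an OU-linked password policy lands in the workstation's local SAM, while domain accounts follow whatever the DCs read from the domain root) can be checked directly from the affected workstation. The following diagnostic is an added example, not code from the thread or from ITGeared; it relies only on net.exe, which exists on Windows XP / Server 2003 and later, and assumes English-language output (the label strings differ on localized builds).

```powershell
# Added diagnostic (not from the thread): compare the account policy a
# domain-joined workstation enforces for its LOCAL accounts with the policy
# the domain's DCs enforce for DOMAIN accounts. Needs no AD module and no
# Windows Server 2008 features.

function Get-AccountPolicy {
    param([switch]$Domain)   # -Domain asks the DC instead of the local SAM

    $netArgs = @('accounts')
    if ($Domain) { $netArgs += '/domain' }

    $policy = @{}
    & net.exe @netArgs 2>$null | ForEach-Object {
        # Lines look like "Minimum password length:          7"
        # (assumes English labels; localized builds use other strings)
        if ($_ -match '^(.+?):\s{2,}(\S.*)$') {
            $policy[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $policy
}

function Compare-AccountPolicy {
    $local  = Get-AccountPolicy
    $domain = Get-AccountPolicy -Domain

    $settings = @(
        'Minimum password length',
        'Maximum password age (days)',
        'Minimum password age (days)',
        'Length of password history maintained',
        'Lockout threshold',
        'Lockout duration (minutes)'
    )

    foreach ($name in $settings) {
        [pscustomobject]@{
            Setting  = $name
            LocalSAM = $local[$name]
            Domain   = $domain[$name]
            Same     = ($local[$name] -eq $domain[$name])
        }
    }
}

# On a workstation in the situation described in the question, the OU-linked
# GPO's values show up under LocalSAM while the Domain column still carries
# the old domain settings: the GPO did apply, just to the wrong account
# database. On a domain controller both columns are identical.
Compare-AccountPolicy | Format-Table -AutoSize
```

Run it as any domain user on the test workstation; `net accounts /domain` queries the PDC emulator, so the Domain column is what actually governs a domain account's password change, regardless of what rsop.msc shows on the client.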
  • Tuesday, January 24, 2012 6:03 PM
     
     

    Hello,

    Password and account lockout policy must be set at domain level, and it applies to all accounts in the domain.

    Please check the applied settings on the machine with rsop.msc.


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
  • Tuesday, January 24, 2012 7:26 PM
     
     
    Setting it in the Default Domain Policy will push down to all users, and I wanted to test on my account. I was also looking at installing and testing a third-party password expiration notifier as well. The password policy is linked at the domain level, and there's no blocked inheritance.
  • Tuesday, January 24, 2012 7:34 PM
     
     

    You should use a "test domain" for things like that. In other words, you should have a replica domain with an identical OU structure where you would do that.

     

    You can try creating another GPO linked to the domain with the settings you want, but filter it only to your test account (don't use Authenticated Users; use your test account instead).

     

    Another thing to remember is order in which Group policy is applied:

    L - local

    S - site

    D - domain

    OU - organizational unit

     

     

     

  • Tuesday, January 24, 2012 8:51 PM
     
     
    > Setting it in the Default Domain Policy will push down to all users, and I wanted to test on my account. I was also looking at installing and testing a third-party password expiration notifier as well. The password policy is linked at the domain level, and there's no blocked inheritance.

    You cannot apply policy to one user using the traditional password policy.  The closest you can get to applying a policy to a single user is by way of applying a Fine Grained Password Policy (AD 2008).  However, this type of policy is not implemented via a GPO.

    For testing purposes, a virtual lab environment is generally the best option.

     


    Guides and tutorials, visit ITGeared.com.

  • Wednesday, January 25, 2012 8:38 AM
     
     
    As you have a Windows Server 2003 AD, you can have only one password policy for your entire domain.
    If you found this post helpful, please "Vote as Helpful". If it answered your question, remember to "Mark as Answer". MCSE, MCITP-EA
  • Wednesday, January 25, 2012 9:14 AM
     
     Answered
    > Setting it in the Default Domain Policy will push down to all users, and I wanted to test on my account. I was also looking at installing and testing a third-party password expiration notifier as well. The password policy is linked at the domain level, and there's no blocked inheritance.


    As many have said previously... unfortunately, in Windows 2003 AD you cannot create a separate 'Domain Password Policy' for anything less than the WHOLE DOMAIN.

    If there is a good business justification, you could look at raising a business case for upgrading to Windows Server 2008. Once there, you could use the Fine-Grained Password Policy feature. Outside of that, you have the following options:

    1. Do an 'out-of-hours' amendment of the Default Domain Policy so you can test the impact.
    2. Create a test lab/sandbox AD environment to test the policy.
    3. Create a child domain so you could test the policy.

    Each would allow you to perform the test; however, each has its own issues... In an ideal world you should choose option 2; however, if getting hold of hardware (or VMs) is an issue, then option 1 is the 'do-able' option for you. However... a word of caution here. It must be done 'out-of-hours' and with a great deal of planning. You will be amending the policy for THE WHOLE DOMAIN (the likelihood of an issue is LOW, but the impact of any failure is HIGH), so tread carefully and follow whatever change control processes your company has in place. My least favoured option would be option 3. Although this would allow you to test the policy, you could be adding a layer of unnecessary complexity and administration to your live Active Directory, and... if you can find the tin (hardware/VMs) to create a child domain for testing, then it would be best used as a separate test lab/sandbox as suggested in option 2.

    Good luck...

    If you found this post helpful, please "Vote as Helpful". If it answered your question, remember to "Mark as Answer".



    • Proposed As Answer by Fatty McFatfat Wednesday, January 25, 2012 9:22 AM
    • Edited by Fatty McFatfat Wednesday, January 25, 2012 10:36 AM
    • Edited by Fatty McFatfat Wednesday, January 25, 2012 11:51 AM
    • Marked As Answer by Jinxysp Wednesday, January 25, 2012 3:36 PM
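The accepted answer and the earlier ITGeared reply make two points that are easy to verify once the domain is on Windows Server 2008 or later: a password policy is only honoured from GPOs linked at the domain root (with link order deciding conflicts), and per-user testing is done with a Fine-Grained Password Policy (a PSO) rather than a GPO. The script below is an added example, not code from the thread or from any of the posters. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or RSAT, so it does not run against the 2003 domain in the question), and the policy name PSO-Test-Pilot and account jdoe are placeholders.

```powershell
# Added example, not from the thread. Requires the GroupPolicy and
# ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later); the
# 2003 domain in the question cannot run it. Names below are placeholders.

Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Only GPOs linked at the domain root contribute to the domain password
#    policy. List them in precedence order: link order 1 is applied last and
#    therefore wins on conflicting settings, so a new password GPO that sits
#    below the Default Domain Policy loses to it.
function Get-DomainRootPolicyLinks {
    (Get-GPInheritance -Target $dn).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

# 2. What the DCs currently enforce for every ordinary domain account.
function Get-EffectiveDomainPasswordPolicy {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, MaxPasswordAge, MinPasswordAge,
                      PasswordHistoryCount, ComplexityEnabled, LockoutThreshold
}

# 3. Per-user testing without touching the whole domain: a PSO applied to one
#    account. Needs domain functional level Windows Server 2008 or higher.
#    When several PSOs apply to a user, the lowest Precedence value wins.
function New-TestPasswordPolicy {
    param(
        [string]$Name    = 'PSO-Test-Pilot',   # placeholder policy name
        [string]$Subject = 'jdoe'              # placeholder test account
    )

    $minLevel = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ($domain.DomainMode -lt $minLevel) {
        throw "Domain functional level $($domain.DomainMode) does not support fine-grained password policies"
    }

    # All attributes of a PSO are mandatory, so every setting is spelled out.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 12 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00'

    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subject

    # Confirm the PSO, not the domain default, now governs this one account.
    # (For a user with no PSO this cmdlet returns nothing, meaning the
    # domain-wide policy from step 2 applies.)
    Get-ADUserResultantPasswordPolicy -Identity $Subject |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}

Get-DomainRootPolicyLinks         | Format-Table -AutoSize
Get-EffectiveDomainPasswordPolicy | Format-List

# Creating the PSO changes a real account's policy, so run step 3 deliberately:
# New-TestPasswordPolicy -Name 'PSO-Test-Pilot' -Subject 'jdoe'
```

Steps 1 and 2 are read-only and are the first thing to check when a domain-root GPO with password settings appears to do nothing; step 3 is the supported way to pilot a stricter policy on a single account or group before changing the Default Domain Policy for everyone.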
  • Wednesday, January 25, 2012 10:16 AM
     
     
    > Setting in the default domain policy will push down to all users and I
    > wanted to test on my account and also was looking at installing and
     
    That's not possible with account lockout and password policies. They
    only apply at domain level, and they apply to the domain (all accounts
    in it).
     
    If you want to test this, you have to use a test domain.
     
    sincerely, Martin
     

    A bit of "experience", a bit of common sense... If my answer was helpful, I'm glad about a rating!