Solved

Active Directory and Group Policy's .....

Posted on 2001-08-03
Last Modified: 2010-04-13
Hope someone can help :-)

I have set up Active Directory on a Windows 2000 Advanced Server box, and I have Windows 2000 Professional installed on another box. Under Active Directory I have added an Organisation Unit, called test. Under this, I have added the client computer account and have added a sample user. I add a new policy at the test OU level to force the user to have a password of greater than, say, 7 chars, and set up the user to change password at next login. (I do this under the computer section of the policy.) When the client logs in as the sample user they are prompted to choose a password, but any length is allowed!! Why is this??? If I change any of the policy entries to do with the user, say Hide all Desktop icons, it works okay!!!

It's confusing me - anyone any ideas???
Question by:dd021197
12 Comments
 
LVL 3

Expert Comment

by:rcasteel
ID: 6349603
The portion of the registry that you modified applies to the local machine.  The account you are trying to log into is probably on the domain.  The only users that will be affected by the policy are users whose accounts are local to the server.

Password policies are set at the local machine level OR the domain level.  The effective policy would depend on where the user logs on.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6349629
Take a look at some of these - especially the troubleshooting...

From: snirh     Date: 03/28/2001 12:39AM PST

Group policy planning with screen shots
http://www.microsoft.com/WINDOWS2000/library/planning/management/groupsteps.asp
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

Windows 2000 Group Policy White Paper
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Step by Step Guide to Managing the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_zbgy.asp

"Troubleshooting Group Policy in Windows 2000"
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/support/tshootgp.asp

and

Wayne's Windows NT Administration Tips
http://is-it-true.org/nt/nt2000/atips/index.shtml

"Windows 2000 Support Tools"
http://is-it-true.org/nt/nt2000/atips/atips57.shtml
-----------------------
I hope this helps !
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6349820
-What about setting "no override"  on the policy ?
-You should also issue a secedit /refreshpolicy userpolicy & machinepolicy from the station before you try it again.
0

 
LVL 63

Expert Comment

by:SysExpert
ID: 6349942
Also

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19703

A Group Policy Modeling Tool
FAZAM 2000 RFV helps you determine which Group Policies are in effect, the effective policy.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6351207
If, on the local machine, you open a Local Machine Policy management console, it will display the settings which are effectively used beneath the settings of the local machine. IMO useful to find out what's going on.
0
 
LVL 1

Author Comment

by:dd021197
ID: 6351218
Thanks for the responses. I will look into these, I think I am following the way it's supposed to be done.

Essentially what I am asking is how do you set the minimum password length to 10 characters, for an OU of users?

Surely someone must have done this, if so how?
0
 
LVL 3

Expert Comment

by:rcasteel
ID: 6352657
You can't...Password restrictions are on a domain basis NOT an OU basis.  I don't know why MS did it that way but that is one of the reasons they give for needing different domains.
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6353497
Yeah rcasteel is right. Different password policy requires a different domain in the forest. There is another option though. With no password policy in the domain & a local policy that is imported to the OU computers through a login script with an imported security config file.
-Type secedit on a win2k machine & search for the procedure with keywords.... export .. import.

0
 
LVL 3

Accepted Solution

by:
rcasteel earned 200 total points
ID: 6354538
I am not sure about that Housenet.  It has been my experience that changing the security policy on the local policy effectively changes the local security policy on the machine.  This WILL work but it only works for local accounts NOT domain accounts.  

If this does work, I would like a step by step procedure posted so I can test it too.  I have found the security policy in Windows 2000 to be one of the few things that doesn't seem to fit properly into the whole active directory idea.  I would definitely be interested in finding a way to control it easily and more granularly than at the domain level.
0
 
LVL 1

Author Comment

by:dd021197
ID: 6354968
How do you set it up at domain level then? Through the default domain policy??
0
 
LVL 1

Author Comment

by:dd021197
ID: 6355673
I have worked it out - I'm just setting it at domain level - thanks for your help.

Not sure who to give the points to :-)
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6357754
You gave the points to the right person. Good point about which accounts it will affect rcasteel... I would have to try it & may soon.
0
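Added example, not part of the original thread: a Python check that reads the minimum password length out of two security templates in the layout `secedit /export` writes and reports which account scope falls short, reproducing the asker's situation (OU policy of 7 reaches only local accounts, domain accounts follow the domain setting). The sample templates, the function names and the assumption that the domain-side export was taken on a domain controller are all constructed for illustration.

```python
import configparser

# Constructed samples in the INF layout written by `secedit /export /cfg <file>`.
# Real exports are normally UTF-16; read them with open(path, encoding="utf-16").
DOMAIN_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Workstation in the test OU: the OU-linked policy changed its local setting only.
WORKSTATION_EXPORT = DOMAIN_EXPORT.replace(
    "MinimumPasswordLength = 0", "MinimumPasswordLength = 7")


def min_password_length(template_text):
    """Return MinimumPasswordLength from a security template (0 if unset)."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep the template's key casing
    cp.read_string(template_text)
    return cp.getint("System Access", "MinimumPasswordLength", fallback=0)


def enforced_min_length(account_scope, domain_export, machine_export):
    """Pick the template that governs the account, per the thread's answer."""
    if account_scope == "domain":   # account stored in Active Directory
        return min_password_length(domain_export)
    if account_scope == "local":    # account stored in the machine's SAM
        return min_password_length(machine_export)
    raise ValueError("account_scope must be 'domain' or 'local'")


def audit(required, domain_export, machine_export):
    """List (scope, enforced_length) pairs that fall short of `required`."""
    findings = []
    for scope in ("domain", "local"):
        enforced = enforced_min_length(scope, domain_export, machine_export)
        if enforced < required:
            findings.append((scope, enforced))
    return findings


if __name__ == "__main__":
    print(audit(7, DOMAIN_EXPORT, WORKSTATION_EXPORT))
```

A domain finding means the fix belongs in the domain-level policy, which is where the asker ended up setting it.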
