Solved

Active Directory and Group Policy's .....

Posted on 2001-08-03
12
176 Views
Last Modified: 2010-04-13
Hope someone can help :-)

I have setup Active Directory on a Windows 200 Advanced server box, and I have Windows 2000 Professional installed on another box. Under Active Directory I have added an Organisation Unit, called test. Under this, I have added the client computer account and have added a sample user. When I add a new policy at the test OU level to force the user to have a password of greater that say 7 chars, and setup the user to change password at next login. (I do this under the computer section of the policy) When the client logs in as the sample user they are prompted to choose a password, but any length is allowed!! Why is this??? If I change any of the policy entried to do with the user, say Hide all Desktop icons, it works okay!!!

It's confusing me - anyone any ideas???
0
Comment
Question by:dd021197
  • 3
  • 3
  • 3
  • +2
12 Comments
 
LVL 3

Expert Comment

by:rcasteel
ID: 6349603
The portion of the registry that you modified applies to the local machine.  The account you are trying to log into is probably on the domain.  The only users that will be affected by the policy are users whos accounts are local to the server.

Password policies are set at the local machine level OR the domain level.  The effective policy would depend on where the user logs on.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6349629
take a look at some of thses - especially the troubleshooting...

From: snirh     Date: 03/28/2001 12:39AM PST Group policy planning with screen shots
                 
  http://www.microsoft.com/WINDOWS2000/library/planning/management/groupsteps.asp
                                   http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

 Windows 2000 Group Policy White Paper
                                         http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Step by Step Guide to Managing the Group Policy Feature Set
                                         http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_zbgy.asp

"Troubleshooting Group Policy in Windows 2000"
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/support/tshootgp.asp

               and

               Wayne's Windows NT Administration Tips
               http://is-it-true.org/nt/nt2000/atips/index.shtml

Windows 2000 Support TOols"
               http://is-it-true.org/nt/nt2000/atips/atips57.shtml
-----------------------
I hope this helps !
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6349820
-What about setting "no override"  on the policy ?
-You should also issue a secedit /refreshpolicy userpolicy & machinepolicy from the station before you try it again.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 6349942
ALso

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19703

A Group Policy Modeling Tool
 FAZAM 2000 RFV helps you determine which Group Policies are in effect ,
the  effective policy.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6351207
If, on the local machine, you open a Local Machine Policy management console, it will display the settings which are effectively used beneatch the settings of the local machine. IMO useful to find out what's going on.
0
 
LVL 1

Author Comment

by:dd021197
ID: 6351218
Thanks for the responses. I will look into these, I think am am following the way it's supposed to be done.

Essentially what I am asking is how do you set the minimum password lenght to 10 characters, for a an OU of users?

Surely someone must have done this, if so how?
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 3

Expert Comment

by:rcasteel
ID: 6352657
You can't...Password restrictions are on a domain basis NOT an OU basis.  I don't know why MS did it that way but that is one of the reasons they give for needing different domains.
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6353497
Yeah rcasteel is right. different password policy requires a different domain in the forest. There is another option though. With no password policy in the domain & a local policy that is imported to the OU computers through a login script with an imported security config file.
-Type secedit on a win2k machine & search for the proceedure with keywords.... export .. import.

0
 
LVL 3

Accepted Solution

by:
rcasteel earned 200 total points
ID: 6354538
I am not sure about that Housenet.  It has been my experience that changing the security policy on the local policy effectively changes the local security policy on the machine.  This WILL work but it only works for local accounts NOT domain accounts.  

If this does work, I would like a step by step procedure posted so I can test it too.  I have found the security policy in Windows 2000 to be one of the few things that doesn't seem to fit properly into the whole active directory idea.  I would definately be interested in finding a way to control it easily and more grainurlarly than at the domain level.
0
 
LVL 1

Author Comment

by:dd021197
ID: 6354968
How to you set it up at domain level then? Through the default domain policy??
0
 
LVL 1

Author Comment

by:dd021197
ID: 6355673
I have worked it out - I'm just setting it at domain level - thanks for your help.

Not sure who to give the points to :-)
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6357754
You gave the points to the right person. Good point about which accounts it will affect rcastle... I would have to try it & may soon.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Owning a franchise can be the dream of a lifetime. It provides a chance for economic growth. You can be as successful as you want.  To make your franchise successful, you need to market it successfully. Here are six of the best marketing strategies …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now