Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 213
  • Last Modified:

Active Directory and Group Policy's .....

Hope someone can help :-)

I have setup Active Directory on a Windows 200 Advanced server box, and I have Windows 2000 Professional installed on another box. Under Active Directory I have added an Organisation Unit, called test. Under this, I have added the client computer account and have added a sample user. When I add a new policy at the test OU level to force the user to have a password of greater that say 7 chars, and setup the user to change password at next login. (I do this under the computer section of the policy) When the client logs in as the sample user they are prompted to choose a password, but any length is allowed!! Why is this??? If I change any of the policy entried to do with the user, say Hide all Desktop icons, it works okay!!!

It's confusing me - anyone any ideas???
0
dd021197
Asked:
dd021197
  • 3
  • 3
  • 3
  • +2
1 Solution
 
rcasteelCommented:
The portion of the registry that you modified applies to the local machine.  The account you are trying to log into is probably on the domain.  The only users that will be affected by the policy are users whos accounts are local to the server.

Password policies are set at the local machine level OR the domain level.  The effective policy would depend on where the user logs on.
0
 
SysExpertCommented:
take a look at some of thses - especially the troubleshooting...

From: snirh     Date: 03/28/2001 12:39AM PST Group policy planning with screen shots
                 
  http://www.microsoft.com/WINDOWS2000/library/planning/management/groupsteps.asp
                                   http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

 Windows 2000 Group Policy White Paper
                                         http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Step by Step Guide to Managing the Group Policy Feature Set
                                         http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_zbgy.asp

"Troubleshooting Group Policy in Windows 2000"
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/support/tshootgp.asp

               and

               Wayne's Windows NT Administration Tips
               http://is-it-true.org/nt/nt2000/atips/index.shtml

Windows 2000 Support TOols"
               http://is-it-true.org/nt/nt2000/atips/atips57.shtml
-----------------------
I hope this helps !
0
 
HousenetCommented:
-What about setting "no override"  on the policy ?
-You should also issue a secedit /refreshpolicy userpolicy & machinepolicy from the station before you try it again.
0
Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

 
SysExpertCommented:
ALso

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19703

A Group Policy Modeling Tool
 FAZAM 2000 RFV helps you determine which Group Policies are in effect ,
the  effective policy.
0
 
AvonWyssCommented:
If, on the local machine, you open a Local Machine Policy management console, it will display the settings which are effectively used beneatch the settings of the local machine. IMO useful to find out what's going on.
0
 
dd021197Author Commented:
Thanks for the responses. I will look into these, I think am am following the way it's supposed to be done.

Essentially what I am asking is how do you set the minimum password lenght to 10 characters, for a an OU of users?

Surely someone must have done this, if so how?
0
 
rcasteelCommented:
You can't...Password restrictions are on a domain basis NOT an OU basis.  I don't know why MS did it that way but that is one of the reasons they give for needing different domains.
0
 
HousenetCommented:
Yeah rcasteel is right. different password policy requires a different domain in the forest. There is another option though. With no password policy in the domain & a local policy that is imported to the OU computers through a login script with an imported security config file.
-Type secedit on a win2k machine & search for the proceedure with keywords.... export .. import.

0
 
rcasteelCommented:
I am not sure about that Housenet.  It has been my experience that changing the security policy on the local policy effectively changes the local security policy on the machine.  This WILL work but it only works for local accounts NOT domain accounts.  

If this does work, I would like a step by step procedure posted so I can test it too.  I have found the security policy in Windows 2000 to be one of the few things that doesn't seem to fit properly into the whole active directory idea.  I would definately be interested in finding a way to control it easily and more grainurlarly than at the domain level.
0
 
dd021197Author Commented:
How to you set it up at domain level then? Through the default domain policy??
0
 
dd021197Author Commented:
I have worked it out - I'm just setting it at domain level - thanks for your help.

Not sure who to give the points to :-)
0
 
HousenetCommented:
You gave the points to the right person. Good point about which accounts it will affect rcastle... I would have to try it & may soon.
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 3
  • 3
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now