Group Policy - Password Policy not working

We just migrating off Novell and I'm trying to implement a password through GP.  As a test I've moved my computer and user account into a test OU and applied a GP that enforces a password policy.  The policy states the following

password history is 3 entries
max password age is 1 day (for test purposes)
min age is 0 days
min password length is 7 char
complexity is enabled
lockout threshold is 3
lockout duration is 30min
lockout reset is 30min

After implementing the policy I refreshed it on my w2k workstation.  So a day has gone by (does it go by hours or by the date??) and it hasn't prompted me to change my password.  Do I need to reboot in order for this to happen?  If so that would not be very good considering most in our organization reboot once a month.  

Also when my computer was locked I purposely entered more than 3 wrong passwords and it didn't lock me out.

What gives?
shanna1017Asked:
Who is Participating?
 
JamesDSConnect With a Mentor Commented:
shanna1017

You could create a new domain wide policy and use the GPO security permissions to deny ALL but your test users access to read and apply the policy. Don't forget to deny all you machines as well - except your test kit.

If this doesn't work, you'll need a test domain.

Cheers

JamesDS
0
 
JamesDSCommented:
shanna1017
Password policies can only be applied at domain level - OU based password policies have no effect.

Cheers

JamesDS
0
 
JamesDSCommented:
shanna1017
Sorry, OU based password policies have no effect - except to apply to local machine passwords.

Cheers

JamesDS
0
Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

 
shanna1017Author Commented:
Thanks for the quick response.  So there's no way to test the policy without applying it domain-wide?  I just want to see how this will affect the users so I can explain before I implement.
0
 
shanna1017Author Commented:
good idea.  Since it's a computer policy wouldn't I only need to deny the computer accounts access?  
0
 
JamesDSCommented:
shanna1017
no, both. Password policies apply to Domain User accounts and local machines - so to ensure you don't accidentally apply it somewhere you must deny access to all users and all machines.

Cheers

JamesDS
0
 
shanna1017Author Commented:
yet another question (I'll raise the points)

So do I have to go in and manually add each computer object and user object?  I was under the impression I couldn't use security groups with group policies.  Or maybe it's that I can't apply a gp to security groups within an OU.  Also, if I can add a security group such as everyone and then deny, won't that override the allow that I create for my test group?
0
 
shanna1017Author Commented:
how do I add more points once i've already accepted a solution?
0
All Courses

From novice to tech pro — start learning today.