Group Policy - Password Policy not working

We are just migrating off Novell and I'm trying to implement a password through GP. As a test I've moved my computer and user account into a test OU and applied a GP that enforces a password policy. The policy states the following:

password history is 3 entries
max password age is 1 day (for test purposes)
min age is 0 days
min password length is 7 char
complexity is enabled
lockout threshold is 3
lockout duration is 30min
lockout reset is 30min

After implementing the policy I refreshed it on my w2k workstation.  So a day has gone by (does it go by hours or by the date??) and it hasn't prompted me to change my password.  Do I need to reboot in order for this to happen?  If so that would not be very good considering most in our organization reboot once a month.  

Also when my computer was locked I purposely entered more than 3 wrong passwords and it didn't lock me out.

What gives?
shanna1017 Asked:

JamesDS Commented:
shanna1017
Password policies can only be applied at domain level - OU based password policies have no effect.

Cheers

JamesDS
0
JamesDS Commented:
shanna1017
Sorry, OU based password policies have no effect - except to apply to local machine passwords.

Cheers

JamesDS
0
shanna1017 Author Commented:
Thanks for the quick response.  So there's no way to test the policy without applying it domain-wide?  I just want to see how this will affect the users so I can explain before I implement.
0
JamesDS Commented:
shanna1017

You could create a new domain wide policy and use the GPO security permissions to deny ALL but your test users access to read and apply the policy. Don't forget to deny all your machines as well - except your test kit.

If this doesn't work, you'll need a test domain.

Cheers

JamesDS
0
shanna1017 Author Commented:
good idea.  Since it's a computer policy wouldn't I only need to deny the computer accounts access?  
0
JamesDS Commented:
shanna1017
no, both. Password policies apply to Domain User accounts and local machines - so to ensure you don't accidentally apply it somewhere you must deny access to all users and all machines.

Cheers

JamesDS
0
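
A way to check the scoping described in the answers above (OU-linked password settings reach only local machine accounts, while domain accounts follow the domain-level policy), as an added example that is not part of the original thread. It assumes English-language `net accounts` output and PowerShell 3.0 or later; the function name `Get-NetAccountsPolicy` is hypothetical.

```powershell
# Added example: compare the password/lockout policy stored for LOCAL accounts
# on this machine with the policy the DOMAIN enforces for domain accounts.
function Get-NetAccountsPolicy {
    param([switch]$Domain)

    # 'net accounts' reads the local SAM policy;
    # 'net accounts /domain' asks a domain controller for the domain policy.
    $lines = if ($Domain) { net accounts /domain } else { net accounts }
    if ($LASTEXITCODE -ne 0) {
        throw "net accounts failed with exit code $LASTEXITCODE"
    }

    $policy = [ordered]@{}
    foreach ($line in $lines) {
        # Setting lines look like "Minimum password length:          7"
        # (assumption: English label text, value separated by ':' and spaces).
        if ($line -match '^(?<name>.+?):\s+(?<value>\S.*)$') {
            $policy[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    $policy
}

$local  = Get-NetAccountsPolicy
$domain = Get-NetAccountsPolicy -Domain

# Build one row per setting and flag the ones that differ.
$names = @($local.Keys) + @($domain.Keys) | Select-Object -Unique
$rows = foreach ($name in $names) {
    [pscustomobject]@{
        Setting = $name
        Local   = $local[$name]
        Domain  = $domain[$name]
        Differs = $local[$name] -ne $domain[$name]
    }
}
$rows | Format-Table -AutoSize
```

Run on a workstation inside the test OU after a policy refresh: the Local column reflects the OU-linked GPO, and the Domain column shows what domain logons are actually held to.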
shanna1017 Author Commented:
yet another question (I'll raise the points)

So do I have to go in and manually add each computer object and user object?  I was under the impression I couldn't use security groups with group policies.  Or maybe it's that I can't apply a gp to security groups within an OU.  Also, if I can add a security group such as everyone and then deny, won't that override the allow that I create for my test group?
0
shanna1017 Author Commented:
how do I add more points once I've already accepted a solution?
0
Windows Server 2003