shanna1017
asked on
Group Policy - Password Policy not working
We just migrating off Novell and I'm trying to implement a password through GP. As a test I've moved my computer and user account into a test OU and applied a GP that enforces a password policy. The policy states the following
password history is 3 entries
max password age is 1 day (for test purposes)
min age is 0 days
min password length is 7 char
complexity is enabled
lockout threshold is 3
lockout duration is 30min
lockout reset is 30min
After implementing the policy I refreshed it on my w2k workstation. So a day has gone by (does it go by hours or by the date??) and it hasn't prompted me to change my password. Do I need to reboot in order for this to happen? If so that would not be very good considering most in our organization reboot once a month.
Also when my computer was locked I purposely entered more than 3 wrong passwords and it didn't lock me out.
What gives?
password history is 3 entries
max password age is 1 day (for test purposes)
min age is 0 days
min password length is 7 char
complexity is enabled
lockout threshold is 3
lockout duration is 30min
lockout reset is 30min
After implementing the policy I refreshed it on my w2k workstation. So a day has gone by (does it go by hours or by the date??) and it hasn't prompted me to change my password. Do I need to reboot in order for this to happen? If so that would not be very good considering most in our organization reboot once a month.
Also when my computer was locked I purposely entered more than 3 wrong passwords and it didn't lock me out.
What gives?
shanna1017
Sorry, OU based password policies have no effect - except to apply to local machine passwords.
Cheers
JamesDS
Sorry, OU based password policies have no effect - except to apply to local machine passwords.
Cheers
JamesDS
ASKER
Thanks for the quick response. So there's no way to test the policy without applying it domain-wide? I just want to see how this will affect the users so I can explain before I implement.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
good idea. Since it's a computer policy wouldn't I only need to deny the computer accounts access?
shanna1017
no, both. Password policies apply to Domain User accounts and local machines - so to ensure you don't accidentally apply it somewhere you must deny access to all users and all machines.
Cheers
JamesDS
no, both. Password policies apply to Domain User accounts and local machines - so to ensure you don't accidentally apply it somewhere you must deny access to all users and all machines.
Cheers
JamesDS
ASKER
yet another question (I'll raise the points)
So do I have to go in and manually add each computer object and user object? I was under the impression I couldn't use security groups with group policies. Or maybe it's that I can't apply a gp to security groups within an OU. Also, if I can add a security group such as everyone and then deny, won't that override the allow that I create for my test group?
So do I have to go in and manually add each computer object and user object? I was under the impression I couldn't use security groups with group policies. Or maybe it's that I can't apply a gp to security groups within an OU. Also, if I can add a security group such as everyone and then deny, won't that override the allow that I create for my test group?
ASKER
how do I add more points once i've already accepted a solution?
Password policies can only be applied at domain level - OU based password policies have no effect.
Cheers
JamesDS