Solved

Group Policy - Password Policy not working

Posted on 2004-10-29
189 Views
Last Modified: 2010-04-19
We just migrating off Novell and I'm trying to implement a password through GP.  As a test I've moved my computer and user account into a test OU and applied a GP that enforces a password policy.  The policy states the following

password history is 3 entries
max password age is 1 day (for test purposes)
min age is 0 days
min password length is 7 char
complexity is enabled
lockout threshold is 3
lockout duration is 30min
lockout reset is 30min

After implementing the policy I refreshed it on my w2k workstation.  So a day has gone by (does it go by hours or by the date??) and it hasn't prompted me to change my password.  Do I need to reboot in order for this to happen?  If so that would not be very good considering most in our organization reboot once a month.  

Also when my computer was locked I purposely entered more than 3 wrong passwords and it didn't lock me out.

What gives?
0
Question by:shanna1017
    8 Comments
     
    LVL 16

    Expert Comment

    by:JamesDS
    shanna1017
    Password policies can only be applied at domain level - OU based password policies have no effect.

    Cheers

    JamesDS
    0
     
    LVL 16

    Expert Comment

    by:JamesDS
    shanna1017
    Sorry, OU based password policies have no effect - except to apply to local machine passwords.

    Cheers

    JamesDS
    0
     

    Author Comment

    by:shanna1017
    Thanks for the quick response.  So there's no way to test the policy without applying it domain-wide?  I just want to see how this will affect the users so I can explain before I implement.
    0
     
    LVL 16

    Accepted Solution

    by:
    shanna1017

    You could create a new domain wide policy and use the GPO security permissions to deny ALL but your test users access to read and apply the policy. Don't forget to deny all you machines as well - except your test kit.

    If this doesn't work, you'll need a test domain.

    Cheers

    JamesDS
    0
     

    Author Comment

    by:shanna1017
    good idea.  Since it's a computer policy wouldn't I only need to deny the computer accounts access?  
    0
     
    LVL 16

    Expert Comment

    by:JamesDS
    shanna1017
    no, both. Password policies apply to Domain User accounts and local machines - so to ensure you don't accidentally apply it somewhere you must deny access to all users and all machines.

    Cheers

    JamesDS
    0
     

    Author Comment

    by:shanna1017
    yet another question (I'll raise the points)

    So do I have to go in and manually add each computer object and user object?  I was under the impression I couldn't use security groups with group policies.  Or maybe it's that I can't apply a gp to security groups within an OU.  Also, if I can add a security group such as everyone and then deny, won't that override the allow that I create for my test group?
    0
     

    Author Comment

    by:shanna1017
    how do I add more points once i've already accepted a solution?
    0

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive Gives IT Their Time Back

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
    by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
    This video Micro Tutorial is the first in a two-part series that shows how to create and use custom scanning profiles in Nuance's PaperPort 14.5 (http://www.experts-exchange.com/articles/17490/). But the ability to create custom scanning profiles al…
    In this Experts Exchange video Micro Tutorial, I'm going to show how small business owners who use Google Apps can save money by setting up what is called a catch-all email address in their Gmail accounts. By using the catch-all feature, small busin…

    856 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now