fessiambre

asked on

GPO Links

Hi experts, I have a network with 2003 server running. I have AD and have configured a number of OUs. I have a student OU, and in that OU I have all the grades 8-9-10 etc.
I have configured policies on the root student OU and individual policies on each grade as to programs and printers, scripts etc. Is this the appropriate way to roll this out? I cannot get the GPO to take effect. The password policy is set to not lock out users in the student policy, but it is set in the default domain policy to lock users out. If I check enforced, will the default policy take effect and only the changes on that OU policies take effect? Thanks. I will give good points for this, as I will no doubt have to clarify this a bit.
Bradley Fox

You should check enforced on your OU level policy that prevents the lockout.  If you enforce the DDP which is set to lock people out then conflicting settings from other GPOs will not take effect.  Note that if you enforce both of these policies the DDP GPO will win.
You set the "structure" right, but the Password policy ONLY takes effect at the domain level.  You cannot specify it differently for other OUs, etc.
TheCleaner is correct here, just a little vague.

Account Policies are controlled exclusively from the Default Domain Policy and cannot be blocked or overridden.  Keep in mind that this policy controls Domain accounts only.  Any local account can be controlled independently of the domain policy since you are using the local SAM for authentication.



I should add this: you can only have one (1) Account policy in the domain.  If your Forest has multiple domains then each domain can have a different policy.


Yep...like Netman66 says, I should be more concise on my answers.

Basically the password/account policies the author has set on the default domain policy will be used throughout the domain, you won't be able to change this for other computers/users in that domain.


As far as the actual structure that you are using, it looks good to me.

I usually set up GPOs so that common tasks/settings are associated to a single GPO, and that GPO is applied as needed.

I tend to create GPOs like this so that I can change just that GPO if something changes.  I don't like the idea of a default domain policy doing much of anything, and the only things I set in there are things I know will never change (or take an act of congress practically to get changed).
Agreed.
fessiambre

ASKER

I appreciate the prompt responses. I thank you for the clarity on the password problem. I still, however, have the script problem. It is a basic batch command script; it just runs a net use for the printer and a net use for a shared file. The command runs on the client, but it gives an error that says:

'\\DomainSchool.local\SysVol\AspengroveSchool.local\Policies\{4E784B66-74BC-4DDC-8403-55C25FFB16A3}\User\Scripts\Logon'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

C:\WINDOWS>net use t: \\server.domainschool.local\student share
Please help.
That's a normal error.

Where are you calling the script from?



You can fix it here, but you shouldn't see it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;156276

Are you calling it here?

User Configuration\Windows Settings\Scripts(Logon/Logoff)

I am assigning it from the logon in the student OU.
It is assigned from the group policy:
user config-
                scripts
                          logon
I then browsed for the script and clicked on it: printer.bat.
It is a two-line net use command:
net use g: \\server\share
net use lpt1: \\server\printer
Should I use the GPO or the standard script locals?
ASKER CERTIFIED SOLUTION
Netman66
This solution is only available to members.
Can you show us what the entire batch file you are trying to run is?
Cleaner, this is what I have.
It says access denied. All users have full control; is it the legacy issues?
net use g: \\server\shared folder
net use LPT : \\server\printer
The policy is working, but the script for the student is only partially working: the printer will not map, or 1 of the shares.
SOLUTION
This solution is only available to members.

net use LPT : \\server\printer

Is this exactly right?  You are missing "1" from LPT
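
An added example, not code posted by anyone in this thread: a logon batch script that maps the drive and printer discussed above, quoting the share name that contains a space and using `LPT1:` as the device name. The server, share and printer names are the thread's placeholders, and the log file location and the `:fail` helper are assumptions made for illustration.

```batch
@echo off
rem Added example, not code posted in this thread.
rem \\server\shared folder and \\server\printer are the thread's placeholder names.
rem The log path under %TEMP% is an assumption; use any user-writable location.
setlocal
set "LOG=%TEMP%\logon-map.log"

rem Drop stale mappings first so a later logon does not fail with
rem "The local device name is already in use".
net use g: /delete /y >nul 2>&1
net use lpt1: /delete /y >nul 2>&1

rem The share name contains a space, so the whole UNC path must be quoted.
net use g: "\\server\shared folder" /persistent:no
if errorlevel 1 call :fail g:

rem The device name is LPT1: with the port number and no space before the colon.
net use lpt1: "\\server\printer" /persistent:no
if errorlevel 1 call :fail lpt1:

endlocal
exit /b 0

:fail
rem Hypothetical helper: record which mapping failed and for whom,
rem so a partially working script is visible after logon.
>>"%LOG%" echo %DATE% %TIME% %USERNAME% on %COMPUTERNAME%: net use %1 failed
exit /b 1
```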