Group Policy not working on upgraded Domain

Hi All,

Our domain was upgraded from NT4 to 2k to 2k3 and is now a native 2k3 domain. Everything works pretty well excpet some group policies.

Can Anyone tell me why i can't specify a group policy for the OU computers or Users? the only options in properties are "Default container for upgraded computer accounts"

I've moved some users out to a new OU and was able to apply group policies to that but they aren't all working.

Trying to set the password time out and other security policies to for Password Length and complexity.

I've got it set on the NewUsers OU and "Not defined" at the top level. Shouldn't that work? Any ideas why it wouldn't? Do i need to block policy inheritance?

I don't want it at the top leve becuase of some production user accounts that i don't want to be affected.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

"Trying to set the password time out and other security policies to for Password Length and complexity."  this can only be done at the domain level.  Can not be done at the OU level...  If you set these settings at the OU level, they apply to any local workstation accounts....not domain login accounts.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tonkajeep34Author Commented:
Ok... that helps. So i need to put it at the domain level and then make a system user OU that blocks policys for the password settings?
Like NJ said, the domain can only have 1 password/account policy for password settings, etc.  It cannot be blocked or overwritten in a lower OU.

And you cannot specify GPOs for the default containers...GPOs can only be applied to sites, domain, and OUs.
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

tonkajeep34Author Commented:
So the best thing to do is to make sure the accounts i don't want the GPO to apply to is just make sure they have the check box for password never expires checked....
That would be the only way to get around the password expiration policy, yes.

The password policy is set in the Default domain policy, and whatever you set there is inherited by all workstations/users in that domain.
Thank you for the points.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.