Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Group Policy not working on upgraded Domain

Posted on 2006-04-17
Medium Priority
Last Modified: 2010-04-18
Hi All,

Our domain was upgraded from NT4 to 2k to 2k3 and is now a native 2k3 domain. Everything works pretty well excpet some group policies.

Can Anyone tell me why i can't specify a group policy for the OU computers or Users? the only options in properties are "Default container for upgraded computer accounts"

I've moved some users out to a new OU and was able to apply group policies to that but they aren't all working.

Trying to set the password time out and other security policies to for Password Length and complexity.

I've got it set on the NewUsers OU and "Not defined" at the top level. Shouldn't that work? Any ideas why it wouldn't? Do i need to block policy inheritance?

I don't want it at the top leve becuase of some production user accounts that i don't want to be affected.


Question by:tonkajeep34
  • 3
  • 2
LVL 33

Accepted Solution

NJComputerNetworks earned 400 total points
ID: 16469732
"Trying to set the password time out and other security policies to for Password Length and complexity."  this can only be done at the domain level.  Can not be done at the OU level...  If you set these settings at the OU level, they apply to any local workstation accounts....not domain login accounts.

Author Comment

ID: 16469749
Ok... that helps. So i need to put it at the domain level and then make a system user OU that blocks policys for the password settings?
LVL 23

Assisted Solution

TheCleaner earned 100 total points
ID: 16469938
Like NJ said, the domain can only have 1 password/account policy for password settings, etc.  It cannot be blocked or overwritten in a lower OU.

And you cannot specify GPOs for the default containers...GPOs can only be applied to sites, domain, and OUs.
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Author Comment

ID: 16469974
So the best thing to do is to make sure the accounts i don't want the GPO to apply to is just make sure they have the check box for password never expires checked....
LVL 23

Expert Comment

ID: 16470042
That would be the only way to get around the password expiration policy, yes.

The password policy is set in the Default domain policy, and whatever you set there is inherited by all workstations/users in that domain.
LVL 23

Expert Comment

ID: 16471645
Thank you for the points.

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question