Have Multiple GPO's but only Default Domain Policy is working
Posted on 2006-05-17
I am using GPMC to configuer my GPO's. There are three GPO's - Default DC / Default Domain / NoPasswordProtect. I am trying to apply the NoPasswordProtect policy to a few users and Default Domain policy to the general public. The problem is the few users are not getting that policy. This is what I did...
1. Created two new groups in AD called NoPasswordProtect & PasswordProtect
2. Added the few users to NoPasswordProtect and rest of the users to PasswordProtect group
3. Created a copy of the Default Domain Policy and saved it as NoPasswordProtect policy
4. Changed password settings for login and screen saver in the NoPasswordProtect policy
5. Changed the security setting for both policies, added both groups to both policies. The (Allow) Read and Apply Group Policy was checked for PasswordProtect group within Default Domain Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for NoPasswordProtect group within Default Domain Policy.
6. The (Allow) Read and Apply Group Policy was checked for NoPasswordProtect group within NoPasswordProtect Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for PasswordProtect group within NoPasswordProtect Policy.
All the policies are enabled and the link is enabled for the NoPasswordProtect policy.
The Default Domain Policy takes precedence then comes NoPasswordProtect policy in second under GPO Inhertance tab.
All Policies are enbled but not enforced. The links are enabled for linked policies. I am running Server 2003 SP1 with DC's in the domain.
The NoPasswordProtect policy is for excutive users who don't want to bothered by the screen saver password or deal with complex and long passwords. I had to increase the length of time for password expiration to 75 days, change the length of password to be 5 characters, disable complexity requirements, change password history to 3, and minimum password age to 0. This is the policy which is not being applied to the group of users in NoPasswordProtect.