• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 725

Have Multiple GPO's but only Default Domain Policy is working

I am using GPMC to configure my GPOs. There are three GPOs - Default DC / Default Domain / NoPasswordProtect. I am trying to apply the NoPasswordProtect policy to a few users and the Default Domain policy to the general public. The problem is the few users are not getting that policy. This is what I did...

1. Created two new groups in AD called NoPasswordProtect & PasswordProtect
2. Added the few users to NoPasswordProtect and rest of the users to PasswordProtect group
3. Created a copy of the Default Domain Policy and saved it as NoPasswordProtect policy
4. Changed password settings for login and screen saver in the NoPasswordProtect policy
5. Changed the security setting for both policies, added both groups to both policies. The (Allow) Read and Apply Group Policy was checked for PasswordProtect group within Default Domain Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for NoPasswordProtect group within Default Domain Policy.
6. The (Allow) Read and Apply Group Policy was checked for NoPasswordProtect group within NoPasswordProtect Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for PasswordProtect group within NoPasswordProtect Policy.

All the policies are enabled and the link is enabled for the NoPasswordProtect policy.

The Default Domain Policy takes precedence, then comes the NoPasswordProtect policy in second under the GPO Inheritance tab.

All policies are enabled but not enforced. The links are enabled for linked policies. I am running Server 2003 SP1 with DCs in the domain.

The NoPasswordProtect policy is for executive users who don't want to be bothered by the screen saver password or deal with complex and long passwords. I had to increase the length of time for password expiration to 75 days, change the length of password to be 5 characters, disable complexity requirements, change password history to 3, and minimum password age to 0. This is the policy which is not being applied to the group of users in NoPasswordProtect.
Asked by: llib21
1 Solution
NJComputerNetworks commented:

Password rules are a domain wide setting.

NJComputerNetworks commented:

The following was referenced from:
http://www.microsoft.com/technet/security/guidance/secmod49.mspx

"Account policies are implemented at the domain level. A Microsoft Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Setting these policies at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest based on any additional requirements."  Also, "A domain controller always pulls the account policy from the root of the domain, even if there is a different account policy applied to the OU that contains the domain controller"

Translated - The only way to make a change in the password policy is to change it through a GPO at the domain level.

Windows 2003 has its default password policies in the Default Domain Policy.

If you have created your own GPO to override the Default Domain Policy, then your GPO needs to be applied AFTER the Default Domain Policy. Your GPO must also reside at the domain level. Or, you could just modify the Default Domain Policy, but I do not recommend this.
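The answer above makes the point that security filtering on a GPO cannot give a group of users its own password policy, because account policy is read once from the domain root. The following audit script is an added example for this thread, not code from the answerer or from Microsoft's guidance. It assumes a modern domain where the RSAT ActiveDirectory and GroupPolicy modules are available (Server 2008 R2 or later); the cmdlets it uses do not exist on the Server 2003 SP1 domain in the question. It prints the single effective domain password policy, lists the GPOs linked at the domain root in precedence order, flags any "Apply Group Policy" Deny entries on those GPOs (the filtering the questioner set up) and explains why they do not produce a separate password policy, and finally lists any Fine-Grained Password Policies, which are the supported per-group mechanism on Server 2008 or later domain functional levels instead of a second domain.

```powershell
# Added example (not from the thread): audit where the domain password policy
# really comes from. Assumes the ActiveDirectory and GroupPolicy RSAT modules
# (Server 2008 R2 or later); not available on the Server 2003 SP1 domain above.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# 1. The single, domain-wide account policy every domain account is subject to.
Write-Host "Effective domain password policy for $($domain.DNSRoot):"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount, LockoutThreshold |
    Format-List

# 2. GPOs linked at the domain root. Link order 1 is applied last and therefore
#    has the highest precedence; a custom policy that must beat the Default
#    Domain Policy has to sit above it in this list.
$links = (Get-GPInheritance -Target $domainDn).GpoLinks | Sort-Object Order
Write-Host "`nGPOs linked at the domain root (Order 1 = highest precedence):"
$links | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 3. Security filtering on each domain-linked GPO. A Deny on "Apply Group Policy"
#    stops that GPO's user/computer settings applying to the trustee, but the
#    password policy is still read from the domain root for every account, so
#    the filtered-out users do not get a different password policy.
foreach ($link in $links) {
    $perms  = Get-GPPermission -Name $link.DisplayName -All
    $denied = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied }
    foreach ($d in $denied) {
        $msg = "'{0}' denies Apply Group Policy to '{1}'. Account policy " +
               "(length, age, history, complexity) still comes from the domain " +
               "root, so this filtering gives these users no separate password policy."
        Write-Warning ($msg -f $link.DisplayName, $d.Trustee.Name)
    }
}

# 4. Fine-Grained Password Policies (Password Settings Objects) are the supported
#    way to give a group its own password rules on Server 2008+ functional levels.
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
if ($psos) {
    Write-Host "`nFine-Grained Password Policies (lower Precedence wins):"
    $psos | Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                          MaxPasswordAge, PasswordHistoryCount, AppliesTo |
        Format-List
} else {
    Write-Host "`nNo Fine-Grained Password Policies are defined in this domain."
}
```

Run it from an elevated PowerShell session with RSAT installed, as a user who can read GPO permissions. If section 3 reports a Deny on the Default Domain Policy for a group like NoPasswordProtect, that is exactly the configuration from the question, and section 1 shows the policy those users are actually still getting.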
llib21 (Author) commented:

Thanks for the insight. I guess I was not doing anything wrong, just did not understand the password policy in GPO.