Have Multiple GPO's but only Default Domain Policy is working

I am using GPMC to configuer my GPO's. There are three GPO's - Default DC / Default Domain / NoPasswordProtect. I am trying to apply the NoPasswordProtect policy to a few users and Default Domain policy to the general public. The problem is the few users are not getting that policy. This is what I did...

1. Created two new groups in AD called NoPasswordProtect & PasswordProtect
2. Added the few users to NoPasswordProtect and rest of the users to PasswordProtect group
3. Created a copy of the Default Domain Policy and saved it as NoPasswordProtect policy
4. Changed password settings for login and screen saver in the NoPasswordProtect policy
5. Changed the security setting for both policies, added both groups to both policies. The (Allow) Read and Apply Group Policy was checked for PasswordProtect group within Default Domain Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for NoPasswordProtect group within Default Domain Policy.
6. The (Allow) Read and Apply Group Policy was checked for NoPasswordProtect group within NoPasswordProtect Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for PasswordProtect group within NoPasswordProtect Policy.

All the policies are enabled and the link is enabled for the NoPasswordProtect policy.

The Default Domain Policy takes precedence then comes NoPasswordProtect policy in second under GPO Inhertance tab.

All Policies are enbled but not enforced. The links are enabled for linked policies. I am running Server 2003 SP1 with DC's in the domain.

The NoPasswordProtect policy is for excutive users who don't want to bothered by the screen saver password or deal with complex and long passwords. I had to increase the length of time for password expiration to 75 days, change the length of password to be 5 characters, disable complexity requirements, change password history to 3, and minimum password age to 0. This is the policy which is not being applied to the group of users in NoPasswordProtect.
llib21Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NJComputerNetworksCommented:
Password rules are domain wide setting.  
NJComputerNetworksCommented:
The following was referenced from;
http://www.microsoft.com/technet/security/guidance/secmod49.mspx

"Account policies are implemented at the domain level. A Microsoft Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Setting these policies at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest based on any additional requirements."  Also, "A domain controller always pulls the account policy from the root of the domain, even if there is a different account policy applied to the OU that contains the domain controller"

Translated - The only way to make a change in the password policy is to change it through a GPO at the domain level.

Windows 2003 has its default password policies in the Default Domain Policy.

If you have created your own GPO to over ride the Default Domain Policy, then your GPO needs to be applied AFTER the Default Domain Policy.  Your GPO must also reside at the domain level.  Or, you could just modify the Default Domain Polciy, but I do not recomend this.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
llib21Author Commented:
Thanx for the insight. I guess I was not doing anything wrond, just did not understand the password policy in GPO.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.