Have Multiple GPOs but only Default Domain Policy is working

Posted on 2006-05-17
Last Modified: 2009-07-29
I am using GPMC to configure my GPOs. There are three GPOs - Default DC / Default Domain / NoPasswordProtect. I am trying to apply the NoPasswordProtect policy to a few users and Default Domain policy to the general public. The problem is the few users are not getting that policy. This is what I did...

1. Created two new groups in AD called NoPasswordProtect & PasswordProtect
2. Added the few users to NoPasswordProtect and rest of the users to PasswordProtect group
3. Created a copy of the Default Domain Policy and saved it as NoPasswordProtect policy
4. Changed password settings for login and screen saver in the NoPasswordProtect policy
5. Changed the security setting for both policies, added both groups to both policies. The (Allow) Read and Apply Group Policy was checked for PasswordProtect group within Default Domain Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for NoPasswordProtect group within Default Domain Policy.
6. The (Allow) Read and Apply Group Policy was checked for NoPasswordProtect group within NoPasswordProtect Policy. The (Allow) Read and (Deny) Apply Group Policy was checked for PasswordProtect group within NoPasswordProtect Policy.

All the policies are enabled and the link is enabled for the NoPasswordProtect policy.

The Default Domain Policy takes precedence, then comes NoPasswordProtect policy in second under the GPO Inheritance tab.

All Policies are enabled but not enforced. The links are enabled for linked policies. I am running Server 2003 SP1 with DCs in the domain.

The NoPasswordProtect policy is for executive users who don't want to be bothered by the screen saver password or deal with complex and long passwords. I had to increase the length of time for password expiration to 75 days, change the length of password to be 5 characters, disable complexity requirements, change password history to 3, and minimum password age to 0. This is the policy which is not being applied to the group of users in NoPasswordProtect.
Question by:llib21
    LVL 33

    Expert Comment

    Password rules are domain wide setting.  
    LVL 33

    Accepted Solution

    The following was referenced from:

    "Account policies are implemented at the domain level. A Microsoft Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Setting these policies at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest based on any additional requirements."  Also, "A domain controller always pulls the account policy from the root of the domain, even if there is a different account policy applied to the OU that contains the domain controller"

    Translated - The only way to make a change in the password policy is to change it through a GPO at the domain level.

    Windows 2003 has its default password policies in the Default Domain Policy.

    If you have created your own GPO to override the Default Domain Policy, then your GPO needs to be applied AFTER the Default Domain Policy.  Your GPO must also reside at the domain level.  Or, you could just modify the Default Domain Policy, but I do not recommend this.
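    The practical check that follows from the accepted solution is to read the password policy the domain itself enforces, rather than trusting what a GPO's security filtering looks like in GPMC. This is an added example, not code from the thread: it reads the domain head attributes (minPwdLength, pwdHistoryLength, maxPwdAge, minPwdAge, pwdProperties, lockoutThreshold), which only a domain-level GPO applied by the DCs can change, and compares them with the values the NoPasswordProtect GPO in the question was meant to set. It assumes Windows PowerShell on a domain-joined machine run as a domain user; the function name and the $intended table are the example's own.

```powershell
# Added example, not part of the original thread. Reads the password policy that
# is actually in force for the domain from the domain head object. Only a GPO
# linked at the domain level and applied by the DCs ends up in these attributes,
# so running this after linking or filtering a password GPO shows whether the
# change took effect. Assumes a domain-joined machine and a domain user account.

function Get-DomainPasswordPolicy {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainDn = $rootDse.Properties['defaultNamingContext'].Value

    # Base-scope search of the domain head; DirectorySearcher hands back the
    # LargeInteger attributes (maxPwdAge, minPwdAge) as plain Int64 values.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    foreach ($attr in 'minPwdLength','pwdHistoryLength','maxPwdAge','minPwdAge','pwdProperties','lockoutThreshold') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $p = $searcher.FindOne().Properties   # keys are lower-case attribute names

    # Age attributes are negative counts of 100 ns intervals; Int64.MinValue = never expires
    $ticksPerDay = 864000000000
    $maxAge = [int64]$p['maxpwdage'][0]
    $minAge = [int64]$p['minpwdage'][0]
    $maxAgeDays = if ($maxAge -eq [int64]::MinValue) { 'never' } else { -$maxAge / $ticksPerDay }

    New-Object PSObject -Property @{
        MinimumLength     = [int]$p['minpwdlength'][0]
        HistoryLength     = [int]$p['pwdhistorylength'][0]
        MaximumAgeDays    = $maxAgeDays
        MinimumAgeDays    = -$minAge / $ticksPerDay
        ComplexityEnabled = ([int]$p['pwdproperties'][0] -band 1) -eq 1   # DOMAIN_PASSWORD_COMPLEX bit
        LockoutThreshold  = [int]$p['lockoutthreshold'][0]
    }
}

# The values the thread's NoPasswordProtect GPO was meant to set (taken from the question).
$intended = @{ MinimumLength = 5; MaximumAgeDays = 75; HistoryLength = 3
               MinimumAgeDays = 0; ComplexityEnabled = $false }

$effective = Get-DomainPasswordPolicy
$effective | Format-List

# Any mismatch means the GPO setting never reached the domain head, i.e. it is not in force.
foreach ($name in $intended.Keys) {
    if ($effective.$name -ne $intended[$name]) {
        Write-Warning ('{0}: domain enforces {1}, GPO intended {2}' -f $name, $effective.$name, $intended[$name])
    }
}
```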

    Author Comment

    Thanks for the insight. I guess I was not doing anything wrong, just did not understand the password policy in GPO.
