Solved

Group policy is applied, but not being enforced for everyone.

Posted on 2008-06-19
Last Modified: 2010-04-21
I've created a new GPO for enforcement of a new policy requiring more complex passwords. I've applied the policy at the domain level and set it to be enforced. Unfortunately, it seems like it's hit-or-miss whether the policy actually takes effect on individual computers, and I'm unable to determine what the issue is.

Originally I ran a gpupdate /force on one of the problem clients, and gpresult and RSOP both show that the policy *should* be taking effect, but they're not (at the user level). Obviously the password policy is under the Computer Configuration section, but is there some reason that *some* clients are enforcing this policy while others aren't? All computers have the Windows XP Firewall disabled, as I thought that would be an issue.

I've even tried to dis-join and re-join the computers to the domain, hoping it would kick-start any policy enforcement that it didn't enforce previously.

Please let me know if you'd like any further information, and what you're looking for specifically. I've tried searching on this before, but I can't find any information pertaining to my problem.
Question by:j0rdan
 
LVL 70

Expert Comment

by:KCTS
ID: 21829171
Try removing the GPO that you have applied and set the password policy in the Default Domain Policy. You can only have ONE password and Account policy per domain.
 
LVL 2

Author Comment

by:j0rdan
ID: 21832033
Thanks for the reply KCTS.

Unfortunately, that's what I had originally done, was to just set it in the Default Domain Policy, but I had the same issue then. I then created this second GPO so I could make sure in gpresult and the RSOP that the computer had, indeed, received a new policy to enforce.

So, the new policy is the only one that contains any information about password requirements, and it says it's applied on the client, but it's still not enforced.
 
LVL 39

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 21843359
Just covering some basics:
The users and computers folders are "CN" folders, not an "OU". GPOs will not work on a Common Name folder, "CN". Instead, you have to create an OU and move your computers you want to that GPO.

Are your user accounts in ADUC set to have the password never expire? If so, a password policy will not work on them.

After covering the basics, maybe Event viewer will hold events like 1030 and 1058 in them. That is additional information that might help us pinpoint the issue as GPOs are finicky.
 
LVL 2

Author Comment

by:j0rdan
ID: 21843653
RE: ChiefIT

You're a genius! I believe the problem was the fact that most accounts were still set to never have the passwords expire. Once I hear that it was successful, I'll close the question and award you points. Thanks! :D
 
LVL 2

Author Closing Comment

by:j0rdan
ID: 31469058
Yep, that was it. Most users had their accounts set to "password never expires." It was something simple that I had forgotten. Thanks a ton!
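The cause confirmed in this thread (accounts flagged "password never expires" are never prompted to pick a new password, so a new complexity rule never reaches them) can be checked across the whole domain instead of account by account in ADUC. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain, and the function name `Get-PasswordPolicyGap`, its `-PolicyChangedOn` parameter and the sample date are hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordPolicyGap {
    param(
        # Hypothetical parameter: the date the new password policy took effect.
        [Parameter(Mandatory = $true)][datetime]$PolicyChangedOn,
        # Hypothetical parameter: limit the search to one OU (default: whole domain).
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet |
    ForEach-Object {
        $reasons = @()

        # Flag set in ADUC as "Password never expires": no forced change,
        # so the old password stays valid indefinitely.
        if ($_.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }

        # PasswordLastSet is empty when the account must change its password
        # at next logon; those accounts will meet the new rules on that change.
        if ($_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyChangedOn) {
            $reasons += 'PasswordPredatesPolicy'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                Reasons         = $reasons -join ', '
            }
        }
    }
}

# What the domain actually enforces (one password policy per domain).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge

# Constructed sample date; replace with the day the policy was changed.
Get-PasswordPolicyGap -PolicyChangedOn '2008-06-01' |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Accounts listed with both reasons are the ones still carrying a password chosen under the old rules with nothing scheduled to force a change.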
