Solved

Group policy is applied, but not being enforced for everyone.

Posted on 2008-06-19
5
797 Views
Last Modified: 2010-04-21
I've created a new GPO for enforcement of a new policy requiring more complex passwords. I've applied the policy at the domain level and set it to be enforced. Unfortunately, it seems like it's hit-or-miss whether the policy actually takes effect on individual computers, and I'm unable to determine what the issue is.

Originally I ran a gpupdate /force on one of the problem clients, and gpresult and RSOP both show that the policy *should* be taking effect, but they're not (at the user level). Obviously the password policy is under the Computer Configuration section, but is there some reason that *some* clients are enforcing this policy while others aren't? All computers have the Windows XP Firewall disabled, as I thought that would be an issue.

I've even tried to dis-join and re-join the computers to the domain, hoping it would kick-start any policy enforcement that it didn't enforce previously.

Please let me know if you'd like any further information, and what you're looking for specifically. I've tried searching on this before, but I can't find any information pertaining to my problem.
0
Comment
Question by:j0rdan
  • 3
5 Comments
 
LVL 70

Expert Comment

by:KCTS
Comment Utility
Try removing the GPO that you have applied and set the password policy in the Default Domain Policy - You can only have ONE password and Account policy per domain
0
 
LVL 2

Author Comment

by:j0rdan
Comment Utility
Thanks for the reply KCTS.

Unfortunately, that's what I had originally done, was to just set it in the Default Domain Policy, but I had the same issue then. I then created this second GPO so I could make sure in gpresult and the RSOP that the computer had, indeed, received a new policy to enforce.

So, the new policy is the only one that contains any information about password requirements, and it says it's applied on the client, but it's still not enforced.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 125 total points
Comment Utility
Just covering some basics:
The users and computers folders are "CN" folders, not an "OU". GPOs will not work on a Common Name folder, "CN" . Instead, you have to create an OU and move your computers you want to that GPO.

Are your users accounts in ADUC set to have the password to never expire? If so, a password policy will not work on them.

After covering the basics, maybe Event viewer will hold events like 1030 and 1058 in them. That is additional information that might help us pinpoint the issue as GPOs are finicky.
0
 
LVL 2

Author Comment

by:j0rdan
Comment Utility
RE: ChiefIT

You're a genius! I believe the problem was the fact that most accounts were still set to never have the passwords expire. Once I hear that it was successful, I'll close the question and award you points. Thanks! :D
0
 
LVL 2

Author Closing Comment

by:j0rdan
Comment Utility
Yep, that was it. Most users had their accounts set to "password never expires." It was something simple that I had forgotten. Thanks a ton!
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now