j0rdan
asked on
Group policy is applied, but not being enforced for everyone.
I've created a new GPO for enforcement of a new policy requiring more complex passwords. I've applied the policy at the domain level and set it to be enforced. Unfortunately, it seems like it's hit-or-miss whether the policy actually takes effect on individual computers, and I'm unable to determine what the issue is.
Originally I ran a gpupdate /force on one of the problem clients, and gpresult and RSOP both show that the policy *should* be taking effect, but they're not (at the user level). Obviously the password policy is under the Computer Configuration section, but is there some reason that *some* clients are enforcing this policy while others aren't? All computers have the Windows XP Firewall disabled, as I thought that would be an issue.
I've even tried to dis-join and re-join the computers to the domain, hoping it would kick-start any policy enforcement that it didn't enforce previously.
Please let me know if you'd like any further information, and what you're looking for specifically. I've tried searching on this before, but I can't find any information pertaining to my problem.
Try removing the GPO that you have applied and set the password policy in the Default Domain Policy. You can only have ONE password and account policy per domain.
ASKER
Thanks for the reply KCTS.
Unfortunately, that's what I had originally done, was to just set it in the Default Domain Policy, but I had the same issue then. I then created this second GPO so I could make sure in gpresult and the RSOP that the computer had, indeed, received a new policy to enforce.
So, the new policy is the only one that contains any information about password requirements, and it says it's applied on the client, but it's still not enforced.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
RE: ChiefIT
You're a genius! I believe the problem was the fact that most accounts were still set to never have the passwords expire. Once I hear that it was successful, I'll close the question and award you points. Thanks! :D
ASKER
Yep, that was it. Most users had their accounts set to "password never expires." It was something simple that I had forgotten. Thanks a ton!
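The cause confirmed above was accounts flagged "password never expires". Complexity rules are only checked when a password is set or changed, so an account that never expires keeps its old password however the GPO reads. The following is an added example, not part of the original thread: it decodes `userAccountControl` and `pwdLastSet` to list such accounts. The function name, the 90-day maximum age and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: report accounts that a new password policy will never touch.
# userAccountControl bits (documented Active Directory flag values):
$ACCOUNTDISABLE     = 0x0002
$DONT_EXPIRE_PASSWD = 0x10000   # the "Password never expires" checkbox

function Get-PasswordExpiryFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$User,
        [int]$MaxPasswordAgeDays = 90,          # assumed policy value
        [datetime]$Now = (Get-Date)
    )
    process {
        $uac          = [int]$User.userAccountControl
        $disabled     = ($uac -band $ACCOUNTDISABLE) -ne 0
        $neverExpires = ($uac -band $DONT_EXPIRE_PASSWD) -ne 0

        # pwdLastSet is a FILETIME; 0 means "must change at next logon".
        $ageDays = $null
        if ([long]$User.pwdLastSet -gt 0) {
            $set     = [datetime]::FromFileTimeUtc([long]$User.pwdLastSet)
            $ageDays = [int][math]::Floor(($Now.ToUniversalTime() - $set).TotalDays)
        }

        $finding = 'ok'
        if ($disabled)         { $finding = 'disabled account' }
        elseif ($neverExpires) { $finding = 'never expires: old password stays valid' }
        elseif ($null -ne $ageDays -and $ageDays -gt $MaxPasswordAgeDays) {
            $finding = 'older than max age: change forced at next logon'
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            NeverExpires    = $neverExpires
            PasswordAgeDays = $ageDays
            Finding         = $finding
        }
    }
}

# Constructed sample accounts (not real data). Against a live domain, pipe in
#   Get-ADUser -Filter * -Properties userAccountControl, pwdLastSet
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; userAccountControl = 66048; pwdLastSet = (Get-Date '2021-03-10').ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'bob';   userAccountControl = 512;   pwdLastSet = (Get-Date '2024-05-20').ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'carol'; userAccountControl = 512;   pwdLastSet = (Get-Date '2023-11-01').ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'dave';  userAccountControl = 66050; pwdLastSet = 0 }
)
$sample | Get-PasswordExpiryFinding -Now $now | Format-Table -AutoSize
```

Accounts reported as never expiring need the flag cleared, or a forced change at next logon, before the new complexity rules reach them.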