Solved

Group policy is applied, but not being enforced for everyone.

Posted on 2008-06-19
Last Modified: 2010-04-21
I've created a new GPO for enforcement of a new policy requiring more complex passwords. I've applied the policy at the domain level and set it to be enforced. Unfortunately, it seems like it's hit-or-miss whether the policy actually takes effect on individual computers, and I'm unable to determine what the issue is.

Originally I ran a gpupdate /force on one of the problem clients, and gpresult and RSOP both show that the policy *should* be taking effect, but they're not (at the user level). Obviously the password policy is under the Computer Configuration section, but is there some reason that *some* clients are enforcing this policy while others aren't? All computers have the Windows XP Firewall disabled, as I thought that would be an issue.

I've even tried to dis-join and re-join the computers to the domain, hoping it would kick-start any policy enforcement that it didn't enforce previously.

Please let me know if you'd like any further information, and what you're looking for specifically. I've tried searching on this before, but I can't find any information pertaining to my problem.
Question by:j0rdan
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 21829171
Try removing the GPO that you have applied and set the password policy in the Default Domain Policy - You can only have ONE password and Account policy per domain.
0
 
LVL 2

Author Comment

by:j0rdan
ID: 21832033
Thanks for the reply KCTS.

Unfortunately, that's what I had originally done, was to just set it in the Default Domain Policy, but I had the same issue then. I then created this second GPO so I could make sure in gpresult and the RSOP that the computer had, indeed, received a new policy to enforce.

So, the new policy is the only one that contains any information about password requirements, and it says it's applied on the client, but it's still not enforced.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 21843359
Just covering some basics:
The users and computers folders are "CN" folders, not an "OU". GPOs will not work on a Common Name folder, "CN". Instead, you have to create an OU and move your computers you want to that GPO.

Are your user accounts in ADUC set to have the password to never expire? If so, a password policy will not work on them.

After covering the basics, maybe Event viewer will hold events like 1030 and 1058 in them. That is additional information that might help us pinpoint the issue as GPOs are finicky.
0
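
An added example, not part of the original thread or written by any of its participants: a read-only PowerShell audit for the condition the accepted answer points to, enabled accounts set to "password never expires", shown next to the domain password policy values. It assumes the ActiveDirectory (RSAT) module, which postdates this thread, and read access to the domain; the PasswordAgeDays and OlderThanMaxAge column names are chosen here for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): read-only audit of enabled accounts
# that have "password never expires" set, alongside the domain policy values.

$policy  = Get-ADDefaultDomainPasswordPolicy
$maxDays = $policy.MaxPasswordAge.TotalDays   # 0 means the policy sets no maximum age
'Domain policy: complexity={0}, minimum length={1}, maximum age={2} days' -f $policy.ComplexityEnabled, $policy.MinPasswordLength, $maxDays

$now = Get-Date
$report = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        # PasswordLastSet is empty when no password has been set or a change is pending
        $age = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            PasswordLastSet   = $_.PasswordLastSet
            PasswordAgeDays   = $age   # column name chosen for this example
            # True when the password is older than the policy's maximum age,
            # i.e. it would already have expired without the flag
            OlderThanMaxAge   = ($maxDays -gt 0 -and $null -ne $age -and $age -gt $maxDays)
            DistinguishedName = $_.DistinguishedName
        }
    } |
    Sort-Object PasswordAgeDays -Descending

$report | Format-Table SamAccountName, PasswordLastSet, PasswordAgeDays, OlderThanMaxAge -AutoSize
'{0} enabled account(s) have "password never expires" set.' -f @($report).Count

# To clear the flag after review, preview the change first with -WhatIf:
# $report | ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false -WhatIf }
```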
 
LVL 2

Author Comment

by:j0rdan
ID: 21843653
RE: ChiefIT

You're a genius! I believe the problem was the fact that most accounts were still set to never have the passwords expire. Once I hear that it was successful, I'll close the question and award you points. Thanks! :D
0
 
LVL 2

Author Closing Comment

by:j0rdan
ID: 31469058
Yep, that was it. Most users had their accounts set to "password never expires." It was something simple that I had forgotten. Thanks a ton!
0
