Solved

Group policy is applied, but not being enforced for everyone.

Posted on 2008-06-19
5
798 Views
Last Modified: 2010-04-21
I've created a new GPO for enforcement of a new policy requiring more complex passwords. I've applied the policy at the domain level and set it to be enforced. Unfortunately, it seems like it's hit-or-miss whether the policy actually takes effect on individual computers, and I'm unable to determine what the issue is.

Originally I ran a gpupdate /force on one of the problem clients, and gpresult and RSOP both show that the policy *should* be taking effect, but they're not (at the user level). Obviously the password policy is under the Computer Configuration section, but is there some reason that *some* clients are enforcing this policy while others aren't? All computers have the Windows XP Firewall disabled, as I thought that would be an issue.

I've even tried to dis-join and re-join the computers to the domain, hoping it would kick-start any policy enforcement that it didn't enforce previously.

Please let me know if you'd like any further information, and what you're looking for specifically. I've tried searching on this before, but I can't find any information pertaining to my problem.
0
Comment
Question by:j0rdan
  • 3
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 21829171
Try removing the GPO that you have applied and set the password policy in the Default Domain Policy - You can only have ONE password and Account policy per domain
0
 
LVL 2

Author Comment

by:j0rdan
ID: 21832033
Thanks for the reply KCTS.

Unfortunately, that's what I had originally done, was to just set it in the Default Domain Policy, but I had the same issue then. I then created this second GPO so I could make sure in gpresult and the RSOP that the computer had, indeed, received a new policy to enforce.

So, the new policy is the only one that contains any information about password requirements, and it says it's applied on the client, but it's still not enforced.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 125 total points
ID: 21843359
Just covering some basics:
The users and computers folders are "CN" folders, not an "OU". GPOs will not work on a Common Name folder, "CN" . Instead, you have to create an OU and move your computers you want to that GPO.

Are your users accounts in ADUC set to have the password to never expire? If so, a password policy will not work on them.

After covering the basics, maybe Event viewer will hold events like 1030 and 1058 in them. That is additional information that might help us pinpoint the issue as GPOs are finicky.
0
 
LVL 2

Author Comment

by:j0rdan
ID: 21843653
RE: ChiefIT

You're a genius! I believe the problem was the fact that most accounts were still set to never have the passwords expire. Once I hear that it was successful, I'll close the question and award you points. Thanks! :D
0
 
LVL 2

Author Closing Comment

by:j0rdan
ID: 31469058
Yep, that was it. Most users had their accounts set to "password never expires." It was something simple that I had forgotten. Thanks a ton!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now