Solved

Group policy is applied, but not being enforced for everyone.

Posted on 2008-06-19
Last Modified: 2010-04-21
I've created a new GPO for enforcement of a new policy requiring more complex passwords. I've applied the policy at the domain level and set it to be enforced. Unfortunately, it seems like it's hit-or-miss whether the policy actually takes effect on individual computers, and I'm unable to determine what the issue is.

Originally I ran a gpupdate /force on one of the problem clients, and gpresult and RSOP both show that the policy *should* be taking effect, but it's not (at the user level). Obviously the password policy is under the Computer Configuration section, but is there some reason that *some* clients are enforcing this policy while others aren't? All computers have the Windows XP Firewall disabled, as I thought that would be an issue.

I've even tried to dis-join and re-join the computers to the domain, hoping it would kick-start any policy enforcement that it didn't enforce previously.

Please let me know if you'd like any further information, and what you're looking for specifically. I've tried searching on this before, but I can't find any information pertaining to my problem.
Question by:j0rdan
Expert Comment

by:KCTS
ID: 21829171
Try removing the GPO that you have applied and set the password policy in the Default Domain Policy. You can only have ONE password and Account policy per domain.
Author Comment

by:j0rdan
ID: 21832033
Thanks for the reply KCTS.

Unfortunately, that's what I had originally done, was to just set it in the Default Domain Policy, but I had the same issue then. I then created this second GPO so I could make sure in gpresult and the RSOP that the computer had, indeed, received a new policy to enforce.

So, the new policy is the only one that contains any information about password requirements, and it says it's applied on the client, but it's still not enforced.
Accepted Solution

by:
ChiefIT earned 125 total points
ID: 21843359
Just covering some basics:
The Users and Computers folders are "CN" folders, not an "OU". GPOs will not work on a Common Name folder, "CN". Instead, you have to create an OU and move the computers you want to that GPO.

Are your user accounts in ADUC set to have the password never expire? If so, a password policy will not work on them.

After covering the basics, maybe Event viewer will hold events like 1030 and 1058 in them. That is additional information that might help us pinpoint the issue as GPOs are finicky.
0
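
One way to find the accounts the accepted answer points at, as an added example that is not part of the original thread: a Python script that decodes `userAccountControl` from a directory export and lists the accounts with the DONT_EXPIRE_PASSWORD bit (0x10000) set, which is what the "Password never expires" checkbox in ADUC sets. The LDIF sample and account names are constructed, and the parser assumes plain `attr: value` lines with no folded or base64-encoded values.

```python
# userAccountControl bits of interest (values from Microsoft's documentation)
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x10000: "DONT_EXPIRE_PASSWORD",  # the "Password never expires" checkbox
}

# Constructed sample export: account names and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=corp,DC=example
sAMAccountName: bob
userAccountControl: 66048

dn: CN=Old Service,CN=Users,DC=corp,DC=example
sAMAccountName: svc-old
userAccountControl: 66050
"""

def parse_ldif(text):
    """Yield one dict per entry; entries are separated by blank lines."""
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [l for l in block.splitlines() if ": " in l and not l.startswith("#")]
        entry = dict(l.split(": ", 1) for l in lines)
        if "userAccountControl" in entry:
            yield entry

def decode_uac(value):
    """Return the names of the flags of interest set in a UAC integer."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def never_expiring(text, include_disabled=False):
    """Return (account, flags) pairs for accounts exempt from password expiry."""
    hits = []
    for entry in parse_ldif(text):
        flags = decode_uac(int(entry["userAccountControl"]))
        if "DONT_EXPIRE_PASSWORD" not in flags:
            continue
        if "ACCOUNTDISABLE" in flags and not include_disabled:
            continue  # disabled accounts cannot log on; report only on request
        hits.append((entry["sAMAccountName"], flags))
    return hits

if __name__ == "__main__":
    for name, flags in never_expiring(SAMPLE_LDIF):
        print(f"{name}: {', '.join(flags)}")
```

Accounts this reports keep their current password past the domain's maximum password age until the flag is cleared.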
Author Comment

by:j0rdan
ID: 21843653
RE: ChiefIT

You're a genius! I believe the problem was the fact that most accounts were still set to never have the passwords expire. Once I hear that it was successful, I'll close the question and award you points. Thanks! :D
Author Closing Comment

by:j0rdan
ID: 31469058
Yep, that was it. Most users had their accounts set to "password never expires." It was something simple that I had forgotten. Thanks a ton!