Server 2008 Granular Password Policy Issue

I'm trying to set up a PSO that uses a separate set of password policies for certain users with higher security requirements.  I've followed the guide for doing this found here:

My environment contains 2 Windows Server 2003 DCs that share the FSMO roles, and another Windows Server 2008 DC that has the Global Catalog.  One of the Server 2003 (the Domain Naming and Schema Master) DCs is also a Global Catalog server.

I have created a PSO with the settings I want and applied it to the Group I want it to effect.  I confirmed that the group has the msDS-PSOApplied setting set pointing to my PSO as well as confirmed that the msDS-PSOAppliesTo setting on the PSO itself contains my group.  I also added a specific user account to the msDS-PSOAppliesTo setting and it still does not work.

When I log in as a user who is supposed to be getting these settings, I am still allowed to change my password to something with only 4 chars (minimum is 8 on my PSO).

Does anybody have any idea why this might not be working?  Thank you.

Who is Participating?
Mike KlineCommented:
You have to be at Windows 2008 Domain Functional Level for fine grained passwords to work
For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.  
usomAuthor Commented:
Ahhh!  I should have caught that.  I suppose there is no mixed mode that allows Server 2003 DCs?
Mike KlineCommented:
Not for fine-grained passwords, but you are almost there.  
Just a few more DCs to go and you will be at W2K8 DFL...way ahead of many places.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.