shtaffa

asked:
Group policy application problem

I am having some strange problems with applying group policies.

I am now required to deploy some more complex password rules throughout my domain.  I created a new policy for these new password rules.  There are settings in this policy that relate to computer and user settings.  I created new OU's for testing purposes and moved a computer and a user to the appropriate OU's.  I blocked inheritance on both OU's and then applied the new password GPO to the new OU's.  I rebooted the test workstation and logged in as the test user.  

If I run gpresult, the only computer and user policy that is applied is my new GPO, however the settings are not being enforced.  For example, the new policy dictates that the minimum password length should be 7 characters.  My test user has a password that is 4 characters long.  If I hit CTRL-ALT-DEL and change the password, it is not requiring the 7 character length.  It is however telling me that my password length must be at least 4 characters long.  There is no GPO applied that is requiring this.  I have even checked the local workstation policies and there is nothing there either.

I do have a policy that requires a 4 character password, but I discovered during this process that it is not linked to any GPO's.  Not sure how that happened, but if that's the case, why are the password length requirements still being applied?

This is not my first go-around with group policies.  I'm very confused as to what is happening.  I've done gpupdate /force, rebooted the workstation, even removed it from the domain, deleted it in AD and then rejoined it and moved it back to the OU.  Nothing is helping.
ASKER CERTIFIED SOLUTION
OriNetworks
shtaffa

ASKER

Even if that is the case, why is there a password length requirement in place when there are no policies in place with that setting?

To test your theory, I just enabled the password length requirement in my default domain policy and set it to 5.  I can still set passwords that are 4 characters in length.  If I try to set a password shorter than 4 I get an error saying that the password must be 4 characters or longer.
Hi, are your computers/servers in the correct OU's and is the default domain policy getting applied and you are not blocking inheritance?

Do a gpresult on one of the machines and see if you are getting the update.  Perform the following: ipconfig /flushdns, ipconfig /registerdns, gpupdate.

Check your default DOMAIN CONTROLLER policy password length setting.  If this is set and your GP is not enabled then the rest of the member computers in the domain will obtain this setting.  Most likely it is set to default.

See here for clarification:

http://technet.microsoft.com/en-us/library/cc737683.aspx

HTH
Ok, I just read your post... seems that you did everything.  This may be a rights issue.  You are saying that the GP that you created to set the password length is NOT being applied after you show a gpresult?  Ensure that your OU's are covered by the scope of that GP and ensure that you set it to authenticated users.
shtaffa

ASKER

@ OriNetworks:
After a reboot of the workstation, the password requirements in the default domain policy were applied.

Is this right?  Is that the ONLY place that I can put password settings?
No, this is not correct.  I have a default domain policy that has a 7 PW character constraint and another with 8 on another OU.  I had to block inheritance as you did to block the Default domain policy.  This is why this GP is flexible.  I think that this is what Ori was trying to say.  If you did block inheritance from the default domain policy then you should be able to link your other and it will obtain the new restrictions.  Be sure to check the settings and the delegations and ensure that authenticated users is listed with read access.
Make sure that you DO NOT have the default domain policy linked to your test OU.
This is not the correct solution.  More than one password configuration GP can exist within a domain.
Ok, my boy Dstew did some research and discovered that this is true.  I apologize for giving misleading information.  If I can come up with a registry fix for this then I will post.  I agree with you shtaffa, this is very strange and stupid.  I do not understand why this is so, but oh well.

2008 does have a fix for this.
For further clarification, thank you MightSW for confirming that I am correct. There can only be one password policy per domain. HOWEVER if you have a full server 2008 domain, there are workarounds that will allow you to set one additional password policy but only if it is a server 2008 domain. Since this post is in a server 2003 group I would assume that this does not apply to you.
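The point the thread lands on is that the domain password policy is read only from the GPO linked at the domain root, so an OU-linked GPO can show up in gpresult and still change nothing; the only per-OU alternative is a fine-grained password policy on a 2008-level domain. The following PowerShell, added here and not posted by anyone in the thread, checks which password policy actually governs a user. It assumes the RSAT ActiveDirectory module, a domain controller reachable through Active Directory Web Services (2008 R2 or later, or the Management Gateway on older DCs), and a test account named testuser.

```powershell
# Added example: find the password policy that really applies to a user.
Import-Module ActiveDirectory

$expectedMinLength = 7           # what the OU-linked GPO was meant to enforce
$testUser          = 'testuser'  # assumed sAMAccountName of the test account

# 1. The domain-wide policy. This comes only from the GPO linked at the domain
#    root (Default Domain Policy by default); OU-linked GPOs never feed it.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
"Domain-wide minimum password length: $($domainPolicy.MinPasswordLength)"

# 2. Fine-grained password policies, the Server 2008 workaround. On a domain
#    below the 2008 functional level this list is empty, so the domain-wide
#    value is the only one that can apply.
$fgpps = @(Get-ADFineGrainedPasswordPolicy -Filter *)
if ($fgpps.Count -eq 0) {
    'No fine-grained password policies exist; the domain-wide policy applies to everyone.'
} else {
    $fgpps | Select-Object Name, Precedence, MinPasswordLength | Format-Table
}

# 3. The resultant policy for the test user. The cmdlet returns nothing when
#    no FGPP applies, so fall back to the domain-wide policy in that case.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $testUser
$effective = if ($resultant) { $resultant } else { $domainPolicy }
"Effective minimum length for ${testUser}: $($effective.MinPasswordLength)"

if ($effective.MinPasswordLength -lt $expectedMinLength) {
    Write-Warning ('Expected {0}, effective {1}: a GPO linked to an OU does not ' +
                   'change the password policy. Set it in the domain-root GPO ' +
                   'or, on a 2008-level domain, in an FGPP.' -f
                   $expectedMinLength, $effective.MinPasswordLength)
}

# 4. The classic check that also works from a Server 2003 member: the
#    effective domain password policy as the workstation itself sees it.
net accounts /domain
```

Step 4 is the quickest way to reproduce what the asker saw: the "Minimum password length" it prints is the value users are actually held to, regardless of what gpresult lists.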