• Status: Solved

Group policy application problem

I am having some strange problems with applying group policies.

I am now required to deploy some more complex password rules throughout my domain.  I created a new policy for these new password rules.  There are settings in this policy that relate to computer and user settings.  I created new OU's for testing purposes and moved a computer and a user to the appropriate OU's.  I blocked inheritance on both OU's and then applied the new password GPO to the new OU's.  I rebooted the test workstation and logged in as the test user.  

If I run gpresult, the only computer and user policy that is applied is my new GPO, however the settings are not being enforced.  For example, the new policy dictates that the minimum password length should be 7 characters.  My test user has a password that is 4 characters long.  If I hit CTRL-ALT-DEL and change the password, it is not requiring the 7 character length.  It is however telling me that my password length must be at least 4 characters long.  There is no GPO applied that is requiring this.  I have even checked the local workstation policies and there is nothing there either.

I do have a policy that requires a 4 character password, but I discovered during this process that it is not linked to any GPO's.  Not sure how that happened, but if that's the case, why are the password length requirements still being applied?

This is not my first go around with group policies.  I'm very confused as to what is happening.  I've done gpupdate /force, rebooted the workstation, even removed it from the domain, deleted it in AD and then rejoined it and moved it back to the OU.  Nothing is helping.
0
Asked by: shtaffa
 
OriNetworks Commented:
You can only have 1 password policy in your domain. This should be configured in the default domain policy and no other settings should be in there.
0
 
shtaffa (Author) Commented:
Even if that is the case, why is there a password length requirement in place when there are no policies in place with that setting?

To test your theory, I just enabled the password length requirement in my default domain policy and set it to 5.  I can still set passwords that are 4 characters in length.  If I try to set a password shorter than 4 I get an error saying that the password must be 4 characters or longer.
0
 
MightySW Commented:
Hi, are your computers/servers in the correct OU's and is the default domain policy getting applied and you are not blocking inheritance?

Do a gpresult on one of the machines and see if you are getting the update.  Perform the following: ipconfig /flushdns, ipconfig /registerdns, gpupdate.

Check your default DOMAIN CONTROLLER policy password length setting.  If this is set and your GP is not enabled then the rest of the member computers in the domain will obtain this setting.  Most likely it is set to default.

See here for clarification:

http://technet.microsoft.com/en-us/library/cc737683.aspx

HTH
0
 
MightySW Commented:
Ok, I just read your post... seems that you did everything.  This may be a rights issue.  You are saying that the GP that you created to set the password length is NOT being applied after you show a gpresult?  Ensure that your OU's are covered by the scope of that GP and ensure that you set it to authenticated users.
0
 
shtaffa (Author) Commented:
@ OriNetworks:
After a reboot of the workstation, the password requirements in the default domain policy were applied.

Is this right?  Is that the ONLY place that I can put password settings?
0
 
MightySW Commented:
No, this is not correct.  I have a default domain policy that has a 7 PW character constraint and another with 8 on another OU.  I had to block inheritance as you did to block the Default domain policy.  This is why this GP is flexible.  I think that this is what Ori was trying to say.  If you did block inheritance from the default domain policy then you should be able to link your other and it will obtain the new restrictions.  Be sure to check the settings and the delegations and ensure that authenticated users is listed with read access.
0
 
MightySW Commented:
Make sure that you DO NOT have the default domain policy linked to your test OU
0
 
MightySW Commented:
This is not the correct solution.  More than one password configuration GP can exist within a domain.  
0
 
MightySW Commented:
Ok, my boy Dstew did some research and discovered that this is true.  I apologize for giving misleading information.  If I can come up with a registry fix for this then I will post.  I agree with you shtaffa, this is very strange and stupid.  I do not understand why this is so, but oh well.  

2008 does have a fix for this.
0
 
OriNetworks Commented:
For further clarification, thank you MightySW for confirming that I am correct. There can only be one password policy per domain. HOWEVER if you have a full server 2008 domain, there are workarounds that will allow you to set one additional password policy but only if it is a server 2008 domain. Since this post is in a server 2003 group I would assume that this does not apply to you.
0
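
Added example, not part of the original thread: a PowerShell check of which password policy actually governs a domain account, which is the question the thread turns on. It assumes the ActiveDirectory PowerShell module (RSAT on Server 2008 R2 or later, so not the Server 2003 tooling discussed above); the function name `Get-EffectivePasswordPolicy` and the account `testuser` are hypothetical.

```powershell
# Added example: report the password policy that governs a domain account.
# Requires the ActiveDirectory module. 'testuser' is a placeholder account name.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # A fine-grained password policy (PSO), if one applies to the user,
    # takes precedence over the domain-wide policy.
    # The cmdlet returns nothing when no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    if ($pso) {
        $source = "Fine-grained policy: $($pso.Name)"
        $policy = $pso
    }
    else {
        # Otherwise the single domain-wide policy applies to the account,
        # whatever password settings sit in GPOs linked to its OU.
        $source = 'Domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    [pscustomobject]@{
        User              = $SamAccountName
        Source            = $source
        MinPasswordLength = $policy.MinPasswordLength
        ComplexityEnabled = $policy.ComplexityEnabled
        MaxPasswordAge    = $policy.MaxPasswordAge
        HistoryCount      = $policy.PasswordHistoryCount
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'testuser'
```

If `MinPasswordLength` here differs from the value in a GPO linked to the user's OU, the OU-linked GPO is not what domain controllers enforce for that account.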
