GPO "Small Business Server Domain Password Policy" not applying

I have a SBS 2003 and Terminal Server running Win Svr 2003 and having issues with the above GPO.

I have removed Authenticated Users from Security Filtering and added Security Group "TST GPO Password Policy" where I have a User in this group.

When I log on with User to the TS that is in this SG, and run gpupdate /force and then a gpresult the GPO is showing as:
Small Business Server Domain Password Policy
    Filtering:  Not Applied (Empty)

The User is apart of the SG, the GPO is enabled and applied to root of domain and all inheritance is not blocked.

LVL 6
FlippAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FlippAuthor Commented:
Additional info I have found out, but still no solid answer:
1. You can only have ONE Password Policy in 2003
2. Password Policy GPO settings are Computer, but my SG created only contains User objects


?????

Is it possible to have a password policy which is applied to a subset of users?
0
Shreedhar EtteCommented:
There should be only one password policy for the entire domain.
0
Krzysztof PytkoSenior Active Directory EngineerCommented:
In Windows 2003 you cannot have more that 1 password policy. It is set in "Default Domain Policy" in Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy node and affects each user in a domain (even if it's computer node policy!). If you want to have more than 1 password policy you need to create sub-domains with their own password policies (but it's difficult to manage) or use SBS2008 there are granular password policies available.

So, domain password policy is unique in a domain and it doesn't matter if you created additional (more restrict) password policies and linked them to OU. The will not take effect at all.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

FlippAuthor Commented:
I would like to test only pushing out Password Policy to a group of users - how would I do this?
0
Krzysztof PytkoSenior Active Directory EngineerCommented:
in 2003 it is not possible at all, sorry. To be able manage this way, you need 2008 (SBS or normal edition)
0
FlippAuthor Commented:
Then why does SBS 2003 add a GPO called 'Small Business Server Domain Password Policy' if you can not use it at all?

I am hearing that the only way to set a PP in SBS 2003 is using the Default Domain Policy.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.