Solved

Group Policy Account Policies Settings not enforced

Posted on 2010-09-22
Last Modified: 2013-11-25
I have a Password Policy GPO I have been trying to apply to certain OUs in a domain that was upgraded from a Small Business Server domain a few years ago. I have created the policy, but none of the policies in the Computer\Windows Settings\Security Settings\Account Policies are showing as being set in the GPMC. I can edit the policy and see my requirements (8 char, 45 days max, enforce history, etc....) but after the editor is closed, if I view the policy, it simply says that nothing has been configured under the Computer Configuration.

If I alter the policy to include other settings, such as the group policy refresh rate or some user settings, these will show up in the Settings tab of the GPMC. I double checked to see that another policy would not override these settings, specifically the default domain policy (nothing defined for these settings there), and it looks good.

Any thoughts?
Question by:JasonInDenver
8 Comments
 

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33737437
In 2003 you can only have one account/password policy per domain and that can only be linked at the domain level. Policies applied at the OU level only apply to local accounts and not domain accounts.
There are 3rd party tools that can help: http://www.specopssoft.com/products/specops-password-policy
In a 2008 Domain you can use fine grained passwords to apply different policies to different groups or users.
Thanks
Mike
 

Expert Comment

by:DrUltima
ID: 33737526
With a user who would be affected by the GPO, log into a machine and run two queries.  From the command prompt, run a GPResult and see if the user is even getting the policy.  If it shows up, run the RSOP.MSC to see what the resultant set is for that user.  Remember, because it is a user policy, the computer OU location is irrelevant.  That policy is tied to the user.
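Mike's point (one policy per domain for domain accounts, fine-grained policies only from 2008 on) and DrUltima's suggestion to check what a user actually receives can both be verified from PowerShell. The script below is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT or a 2008 R2 or later DC) and read access to the domain, and the account names `svc_sql` and `jdoe` are constructed.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory PowerShell
# module (RSAT / Windows Server 2008 R2 or later) and read access to the domain.
# Reports which password policy actually binds each domain account: the single
# domain-level Account Policy, or a fine-grained PSO where the domain supports them.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    # The one domain-wide policy; OU-linked Account Policies never reach domain accounts.
    $Domain = Get-ADDefaultDomainPasswordPolicy
    Write-Output "Domain policy: MinLength=$($Domain.MinPasswordLength) MaxAge=$($Domain.MaxPasswordAge.Days)d History=$($Domain.PasswordHistoryCount)"

    # Fine-grained policies exist only at 2008 domain functional level or later;
    # on a 2003-level domain this loop body never runs.
    foreach ($Pso in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
        Write-Output "PSO $($Pso.Name): precedence $($Pso.Precedence), MaxAge=$($Pso.MaxPasswordAge.Days)d, applies to $($Pso.AppliesTo -join '; ')"
    }

    foreach ($Name in $SamAccountName) {
        $User = Get-ADUser -Identity $Name -Properties PasswordNeverExpires, PasswordLastSet
        # Winning PSO for this user, or $null when the domain default governs.
        $Pso = Get-ADUserResultantPasswordPolicy -Identity $User
        if ($Pso) { $Source = "PSO '$($Pso.Name)'"; $MaxAge = $Pso.MaxPasswordAge }
        else      { $Source = 'domain default';       $MaxAge = $Domain.MaxPasswordAge }

        # The per-account flag Mike mentions: it exempts the account from
        # MaxPasswordAge regardless of which policy applies.
        if ($User.PasswordNeverExpires) {
            $Expiry = 'never (PasswordNeverExpires set)'
        } elseif ($MaxAge.TotalDays -le 0 -or $MaxAge.TotalDays -gt 36500 -or $null -eq $User.PasswordLastSet) {
            # A zero or "maximum" TimeSpan means no maximum age; a null PasswordLastSet
            # means the user must change the password at next logon.
            $Expiry = 'n/a (no max age, or must change at next logon)'
        } else {
            $Expiry = ($User.PasswordLastSet + $MaxAge).ToString('yyyy-MM-dd')
        }
        Write-Output "$Name -> $Source; password expires: $Expiry"
    }
}

# 'svc_sql' and 'jdoe' are constructed names for illustration.
Get-EffectivePasswordPolicy -SamAccountName 'svc_sql', 'jdoe'

# DrUltima's check that a GPO reached the user at all (run while logged on as that user):
#   gpresult /v   (XP / 2003)   or   gpresult /r   (Vista and later), then rsop.msc
```

If the output shows the domain default for every account and no PSOs, the OU-linked Account Policies GPO is, as the thread explains, not governing any domain account.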
 

Expert Comment

by:DrUltima
ID: 33737533
BTW, that was meant to complement what Mike suggested, not replace it. :)

Justin
 

Author Comment

by:JasonInDenver
ID: 33738353
I am not sure that your comment about a single domain account policy is correct. In fact, I can see a single policy, applied at the default domain level, as being unworkable. Many AD accounts are used for specific services, such as a SQL service account. These account passwords may be changed one time a year (or never) but certainly would not be on a policy requiring a password change every 45 days.

My domain is a 2003 functional domain and I have policies set for Computer Configuration\Policies\Windows Settings\Account Policies set at the OU level. The only difference between my domain and our sister company's domain is that they were upgraded from SBS a few years back.

DrUltima, the users do not get the policy because according to the GPMC, there is no policy defined. Looking under the Group Policy Objects\Password Policy GPO (I created Password Policy), the Settings tab, which gives you an expandable overview of all the policies defined, literally says there are No Settings defined (see attached Capture.png image.) If I expand that policy, you can see the settings defined (capture1.png). It is enforced, but even if it were not, I would not expect to see the No settings defined notice.

I do appreciate the help. Any other thoughts?
Capture.PNG
Capture1.PNG
 

Expert Comment

by:DrUltima
ID: 33738702
Jason, Mike is correct:

Before you implement password policies in your organization, you need to understand a little about how password policy configuration information is stored in Windows 2000, Windows XP, and Windows Server 2003. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.

There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand-alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently, if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.
Source: http://technet.microsoft.com/en-us/library/cc875814.aspx

This article will also tell you how to set it up.

Mike, I completely forgot this was 2003 and even if I was thinking 2008, my initial answer was totally wrong.  Thanks for the reminder.

Justin
 

Expert Comment

by:Mike Kline
ID: 33738828
No problem. One thing you can do is set the account for password never expires in individual accounts. So if you did that on that SQL service account, for example, then it would be exempt from the 45 day password age.
Thanks
Mike
 

Author Comment

by:JasonInDenver
ID: 33738835
Thanks guys. I am still unclear as to why my domain appears to allow this when it is not allowed in 2003. Looking at the OU policies applied, even if they are not enforced, at least the policy is shown in GPMC. As for my service accounts, the ones that do not change unless we manually change them are all checked to never expire.

This is good information to know.
 

Expert Comment

by:DrUltima
ID: 33738862
You can physically make a policy change, as you have done, but it won't show up on any machines, which is why your RSOP doesn't show it as viable.