Group Policy Account Policies Settings not enforced

Posted on 2010-09-22
Last Modified: 2013-11-25
I have a Password Policy GPO I have been trying to apply to certain OUs in a domain that was upgraded from a Small Business Server domain a few years ago. I have created the policy, but none of the policies in the Computer\Windows Settings\Security Settings\Account Policies are showing as being set in the GPMC. I can edit the policy and see my requirements (8 char, 45 days max, enforce history, etc....) but after the editor is closed, if I view the policy, it simply says that nothing has been configured under the Computer Configuration.

If I alter the policy to include other settings, such as the group policy refresh rate or some user settings, these will show up in the Settings tab of the GPMC. I double checked to see that another policy would not override these settings, specifically the default domain policy (nothing defined for these settings there), and it looks good.

Any thoughts?
Question by:JasonInDenver
8 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 33737437
In 2003 you can only have one account/password policy per domain and that can only be linked at the domain level.  Policies applied at the OU level only apply to local accounts and not domain accounts.
There are 3rd party tools that can help: http://www.specopssoft.com/products/specops-password-policy
In a 2008 Domain you can use fine grained passwords to apply different policies to different groups or users.
Thanks
Mike
0
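The two situations Mike describes, read and acted on from PowerShell, as an added example that is not part of the thread and not the 3rd party product's code: it prints the single domain-wide policy that governs every domain account, and, only if the domain is at the Windows Server 2008 functional level or higher, creates a fine-grained password policy for one group and verifies which policy a given user ends up with. It assumes the ActiveDirectory module (RSAT) is installed and the caller is a domain admin; the names `PSO-Standard-Users`, `PWD-Standard-Users` and `jdoe` are placeholders.

```powershell
# Added example (not from the thread): inspect the domain-wide password policy
# and, on a 2008-level domain, create a fine-grained password policy (FGPP)
# for one group instead of building a new domain for those accounts.
# Assumptions: ActiveDirectory module installed, Domain Admins rights,
# and the group 'PWD-Standard-Users' and user 'jdoe' are placeholders.
Import-Module ActiveDirectory

# 1. What the whole domain gets: the single policy Mike describes, read from
#    the domain head rather than from any OU-linked GPO.
$domain = Get-ADDomain
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount,
                  ComplexityEnabled, LockoutThreshold

# 2. FGPP needs the Windows Server 2008 domain functional level; stop with a
#    clear message on a 2003 domain instead of failing later.
if ($domain.DomainMode -lt 'Windows2008Domain') {
    throw "Domain functional level is $($domain.DomainMode); fine-grained password policies need Windows2008Domain or higher."
}

# 3. Create the 8-character / 45-day policy from the question as an FGPP.
#    Lower Precedence wins when a user is covered by several policies.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Standard-Users' `
    -Precedence 10 `
    -MinPasswordLength 8 `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -PassThru

# 4. Apply it to a group rather than to individual users; group membership
#    then decides who is in scope.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'PWD-Standard-Users'

# 5. Verify what one user actually gets. The resultant-policy cmdlet returns
#    $null when no FGPP applies, meaning the domain default from step 1 wins.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -ne $fgpp) { return $fgpp }
    return Get-ADDefaultDomainPasswordPolicy
}
Get-EffectivePasswordPolicy -SamAccountName 'jdoe' |
    Select-Object DistinguishedName, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount
```

On a 2003 functional-level domain the script stops at step 2, which is exactly the situation in the question: the only adjustable password policy is the one linked at the domain head.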
 
LVL 31

Expert Comment

by:Justin Owens
ID: 33737526
With a user who would be affected by the GPO, log into a machine and run two queries.  From the command prompt, run a GPResult and see if the user is even getting the policy.  If it shows up, run the RSOP.MSC to see what the resultant set is for that user.  Remember, because it is a user policy, the computer OU location is irrelevant.  That policy is tied to the user.
0
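The two checks Justin describes, GPResult and the resultant set of policy, collected from PowerShell so the result can be attached to a ticket; this is an added example, not part of the thread. It assumes an elevated prompt on a domain-joined machine, uses `$env:TEMP\rsop.xml` as a scratch file, and assumes the element names of the `gpresult /x` report (`Rsop/ComputerResults/GPO`, the `Link/SOMPath` entries and the SecuritySettings extension's `Account` items) as observed in that schema. Account Policies are Computer Configuration settings, so the computer scope is read here.

```powershell
# Added example (not from the thread): export the RSoP report with gpresult /x
# and list which GPOs reached this machine and which account-policy values won.
# Assumptions: elevated prompt on a domain-joined machine; $env:TEMP\rsop.xml is
# a scratch path; the XML element names follow the gpresult /x schema as
# observed and are an assumption of this example.
$report = Join-Path $env:TEMP 'rsop.xml'

# Account Policies live under Computer Configuration, so read the computer scope.
# /f overwrites an existing report file.
gpresult /scope:computer /x $report /f | Out-Null
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)   # Load() honours the UTF-16 declaration gpresult writes

function Get-AppliedGpoSummary {
    param(
        [Parameter(Mandatory)][System.Xml.XmlDocument]$Rsop,
        [ValidateSet('Computer', 'User')][string]$Scope = 'Computer'
    )
    $results = if ($Scope -eq 'Computer') { $Rsop.Rsop.ComputerResults } else { $Rsop.Rsop.UserResults }
    foreach ($gpo in $results.GPO) {
        [pscustomobject]@{
            Name         = $gpo.Name
            LinkedTo     = ($gpo.Link | ForEach-Object { $_.SOMPath }) -join '; '
            Enabled      = $gpo.Enabled
            IsValid      = $gpo.IsValid
            AccessDenied = $gpo.AccessDenied
        }
    }
}

# Which GPOs reached the machine, where each is linked, and whether security
# filtering blocked it. An OU-linked "Password Policy" GPO can appear here and
# still not govern domain accounts, which is the point Mike makes above.
Get-AppliedGpoSummary -Rsop $rsop -Scope Computer | Format-Table -AutoSize

# The Security Settings extension records the winning account-policy values
# and the GPO each came from; this is what RSOP.MSC shows under Account Policies.
$security = $rsop.Rsop.ComputerResults.ExtensionData.Extension |
    Where-Object { $_.type -like '*SecuritySettings' }
$security.Account |
    Select-Object Name, SettingNumber, SettingBoolean,
                  @{ n = 'SourceGPO'; e = { $_.GPO.Name } }, Precedence |
    Format-Table -AutoSize
```

Run the same function with `-Scope User` after `gpresult /scope:user /x` to get the user-side list Justin asks for; both tables together show whether a GPO arrived at all and, separately, which settings inside it actually took effect.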
 
LVL 31

Expert Comment

by:Justin Owens
ID: 33737533
BTW, that was meant to compliment what Mike suggested, not replace it. :)

Justin
0
 

Author Comment

by:JasonInDenver
ID: 33738353
I am not sure that your comment about a single domain account policy is correct. In fact, I can see a single policy, applied at the default domain level, as being unworkable. Many AD accounts are used for specific services, such as a SQL service account. These account passwords may be changed one time a year (or never) but certainly would not be on a policy requiring a password change every 45 days.

My domain is a 2003 functional domain and I have policies set for Computer Configuration\Policies\Windows Settings\Account Policies set at the OU level. The only difference between my domain and our sister company's domain is that they were upgraded from SBS a few years back.

DrUltima, the users do not get the policy because according to the GPMC, there is no policy defined. Looking under the Group Policy Objects\Password Policy GPO (I created Password Policy), the Settings tab, which gives you an expandable overview of all the policies defined, literally says there are No Settings defined (see attached Capture.png image). If I expand that policy, you can see the settings defined (capture1.png). It is enforced, but even if it were not, I would not expect to see the No settings defined notice.

I do appreciate the help. Any other thoughts?
Capture.PNG
Capture1.PNG
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 33738702
Jason, Mike is correct:

Before you implement password policies in your organization, you need to understand a little about how password policy configuration information is stored in Windows 2000, Windows XP, and Windows Server 2003. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.

There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.
Source: http://technet.microsoft.com/en-us/library/cc875814.aspx

This article will also tell you how to set it up.

Mike, I completely forgot this was 2003 and even if I was thinking 2008, my initial answer was totally wrong.  Thanks for the reminder.

Justin
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33738828
No problem. One thing you can do is set the account for password never expires in individual accounts. So if you did that on that SQL service account, for example, then it would be exempt from the 45 day password age.
Thanks
Mike
 
0
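Mike's suggestion carried out, plus the follow-up a practitioner wants: once service accounts are exempted from the domain maximum password age, keep a list of every account holding that exemption so the passwords are rotated by hand on a schedule rather than forgotten. This is an added example, not part of the thread; it assumes the ActiveDirectory module is installed, and `svc_sql` and the CSV path are placeholders.

```powershell
# Added example (not from the thread): set "Password never expires" on one
# service account, then list every enabled account carrying that flag so the
# exemptions stay reviewed.
# Assumptions: ActiveDirectory module installed; 'svc_sql' and the output
# path are placeholders.
Import-Module ActiveDirectory

# Exempt one service account from the domain MaxPasswordAge, as Mike suggests.
Set-ADUser -Identity 'svc_sql' -PasswordNeverExpires $true

function Get-NonExpiringAccounts {
    # Every enabled user whose password is exempt from MaxPasswordAge, with the
    # age of the current password and whether it carries SPNs (a sign it is a
    # service account rather than a person).
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
               -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName, Description |
        ForEach-Object {
            $ageDays = if ($_.PasswordLastSet) {
                [int](New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays
            } else { $null }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordAgeDays = $ageDays
                HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
                Description     = $_.Description
            }
        }
}

# Review list: old passwords on accounts with SPNs are the ones to rotate by
# hand; interactive users carrying the flag are usually an oversight.
$review = Get-NonExpiringAccounts | Sort-Object PasswordAgeDays -Descending
$review | Format-Table -AutoSize
$review | Export-Csv -Path (Join-Path $env:TEMP 'password-never-expires.csv') -NoTypeInformation
```

Running `Get-NonExpiringAccounts` on a schedule and diffing the CSV against the previous run catches newly exempted accounts that nobody asked for.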
 

Author Comment

by:JasonInDenver
ID: 33738835
Thanks guys. I am still unclear as to why my domain appears to allow this when it is not allowed in 2003. Looking at the OU policies applied, even if they are not enforced, at least the policy is shown in GPMC. As for my service accounts, the ones that do not change unless we manually change them are all checked to never expire.

This is good information to know.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 33738862
You can physically make a policy change, as you have done, but it won't show up on any machines, which is why your RSOP doesn't show it as viable.
0
