Password Policy GPO being denied because it's "blank"

mightyquinn889
mightyquinn889 used Ask the Experts™
on
Hello Expert,

I have a WIndows Server 2003 DC,  I created a new GPO to enforce our Password Policy.

I applied it to a test OU and it doesn't work. When I run the RSOP it say's the User Configuraion is denied because it's blank.

Now I understand a User Config needs to be applied to users, and computer config needs to be applied to computers.

Problem is the Password Policy settings are in the Computer Config, so how do you apply them to users in OU's?  Or can you only create a Password Policy in the Default Domain Policy?

Thanks in advance
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013
Commented:
Password polices in 2003 for domain user accounts can only be applied at the domain level.  It can be the default domain policy or some people create a separate GPO just for the PW policy.

Thanks

Mike
Sandesh DubeyTechnical Lead
Top Expert 2011
Commented:
If you are cerating new password policy and appling to test OU make sure that the Computer and User for which you are testing is placed in test OU.

Normally the password policy for windows 2003 is appiled in Default domain policy so that the setting will be applied across the domain.

There could be only one passord policy in windows 2003 domain it is the limitation .

In windows 2008 the Fine grained password policy could be applied that is you can have multiple password policy.

Author

Commented:
Thanks Mike,

So I don't want to apply the password policy to the entire domain at one time, so I guess I can create a new domain policy for passwords and block inherentance on the OU's I don't want it to apply to?

Does that sound like a good strategy?
Adam BrownSenior Systems Admin
Top Expert 2010
Commented:
That won't do what you won't. Once a Password Policy is applied to the Domain, it applies to all users in the domain. No way to stop it from applying to certain users in Windows 2003 (You can in 2008, though). In order to have different password policies for different users in 2003, you have to have a separate domain for the users that need a different policy.
Top Expert 2013

Commented:
unfortunately no in 2003 that password policy will apply to all (can't block it).   In 2008 and above there is fine grained passwords that can help (Microsoft introduced that feature based on all this exact demand/request)

There are third party tools like specops that can also help in a 2003 environment.

Thanks

Mike

Author

Commented:
yes I've used the 3rd party Password Policy Enforcer software  http://anixis.com/products/ppe/

and it works great but here we don't have any money budgeted for this...so I guess I'll just have to deploy to the entire domain..

Author

Commented:
Just wanted to update this..there is a workaround..

if you check "Password never expires" on there user account it will override the Domain Password Policy until you uncheck it..

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial