mightyquinn889
asked on
Password Policy GPO being denied because it's "blank"
Hello Expert,
I have a WIndows Server 2003 DC, I created a new GPO to enforce our Password Policy.
I applied it to a test OU and it doesn't work. When I run the RSOP it say's the User Configuraion is denied because it's blank.
Now I understand a User Config needs to be applied to users, and computer config needs to be applied to computers.
Problem is the Password Policy settings are in the Computer Config, so how do you apply them to users in OU's? Or can you only create a Password Policy in the Default Domain Policy?
Thanks in advance
I have a WIndows Server 2003 DC, I created a new GPO to enforce our Password Policy.
I applied it to a test OU and it doesn't work. When I run the RSOP it say's the User Configuraion is denied because it's blank.
Now I understand a User Config needs to be applied to users, and computer config needs to be applied to computers.
Problem is the Password Policy settings are in the Computer Config, so how do you apply them to users in OU's? Or can you only create a Password Policy in the Default Domain Policy?
Thanks in advance
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
unfortunately no in 2003 that password policy will apply to all (can't block it). In 2008 and above there is fine grained passwords that can help (Microsoft introduced that feature based on all this exact demand/request)
There are third party tools like specops that can also help in a 2003 environment.
Thanks
Mike
There are third party tools like specops that can also help in a 2003 environment.
Thanks
Mike
ASKER
yes I've used the 3rd party Password Policy Enforcer software http://anixis.com/products/ppe/
and it works great but here we don't have any money budgeted for this...so I guess I'll just have to deploy to the entire domain..
and it works great but here we don't have any money budgeted for this...so I guess I'll just have to deploy to the entire domain..
ASKER
Just wanted to update this..there is a workaround..
if you check "Password never expires" on there user account it will override the Domain Password Policy until you uncheck it..
if you check "Password never expires" on there user account it will override the Domain Password Policy until you uncheck it..
ASKER
So I don't want to apply the password policy to the entire domain at one time, so I guess I can create a new domain policy for passwords and block inherentance on the OU's I don't want it to apply to?
Does that sound like a good strategy?