
GPO password policy issue

Hey all, we are running Server 2003 and are having a password issue for our users.

My current GPO settings are in the attached screenshot in a separate GPO policy, we removed the password policy settings from the default domain policy, so it has its own GPO for the users

Issue is that instead of every 120 days, users are forced to reset passwords every 20-40 days, and it generally only gives a one day notice

Any ideas?

Thanks
You really should leave the default policies alone. What is your rsop?
Can you run gpresult /v and check what policy users are getting?
s ait

Author

Commented:
In default domain policy, the password policy complex requirements is disabled, if that helps

Unfortunately, I only have access to the remote DC to check the GPO server settings, no desktop PC so I can't check that
You can use Group Policy Results from your DC.

gpmc.msc -> Group Policy Results -> <target computer> -> Select a specific user

This should give an idea of what's going on with policies.
s ait

Author

Commented:
Thanks, I tried that but our domain1\administrator account doesn't have permission to the other domain to do this function, and I don't have an account that I can log in to do this with

I can basically check/modify AD and GPO settings for the other domain
s ait

Author

Commented:
Ok, I got access to that domain, RSOP on a user's PC shows that the password policy isn't defined on their PC
s ait

Author

Commented:
In the GPO, under security filtering, it says the GPO can only be applied to the following groups, users, computers

Authenticated Users

I think this is correct?


The OU it is applied to only has the users in it, but not the PCs...since this is a computer config policy, do the PCs need to be in the OU as well?
Authenticated Users is fine. Why not apply this at the domain level since you modified the existing domain password policy?
s ait

Author

Commented:
A gpresult shows this regarding the password policy..it shows this under user settings, not computer settings though?

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Password Policy
            Filtering:  Not Applied (Empty)
That's fine. The settings you applied were only computer policy related hence the Empty comment.
Have you tried moving the policy to the domain level?
s ait

Author

Commented:
No, I would rather not do that...I would like to figure out why it's not applying the way it is now

Also, I don't think you can do a password policy under user configuration? It has to be under computer configuration?

Thanks
Link the policy to the computers OU.
s ait

Author

Commented:
And under computer settings in the gpresult, it doesn't show the Password Policy being applied or not being applied
s ait

Author

Commented:
So, you are saying password policies have to be applied to an OU with the computers in it and not the users?
You really should have your password policy at a higher level just as the default policy was originally.

Another workaround would be configuring fine-grained password policies, which will allow you to have multiple password policies in your environment. You can revert your default policies back and apply the custom policy to a specific user or security group.

Would you like to try this?
s ait

Author

Commented:
Thanks, I would rather not do that...I was wondering if password policies need to be applied to OUs with computers in it, and not users?
ThinkPaper, IT Consultant

Commented:
motnahpoo is correct - you should be defining the password policy at the ROOT domain level. It looks like the problem is your password policies are not being applied to all the necessary OUs. It should be applied to the OUs with the computers in it (not users).

What does your OU structure look like? Do you have multiple OUs for computers and is there a "root" computer OU?

And you really shouldn't be messing around with the Default Domain Policy.
s ait

Author

Commented:
I need something clarified...the password policy (regardless of location of the policy) needs to be applied to OUs with computers and NOT users?
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Is the primary DC SBS 2003?

Philip
Network Engineer
Commented:
Password policies don't apply to users, they apply to computers. The password policy is a function of COMPUTER security. That's why the settings are under the computer section of the GPO. Furthermore, applying a GPO to set password policy on a computer only affects accounts LOCAL to that computer - local password policies don't affect DOMAIN user accounts, only local user accounts. Assuming that you are using DOMAIN user accounts, applying a password policy to domain members doesn't do anything useful. The only place that applying a password policy affects domain accounts is to apply the policy to the Domain Controllers OU. You can create a separate GPO and apply to the Domain Controllers OU, or you can modify the default domain policy. If you create a new GPO, make sure that it has higher priority than the default domain policy, or the default domain policy will win.
Top Expert 2005

Commented:
The post above this one is correct.  Follow his advice and all will be as it should be.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Is the primary DC SBS 2003 as mentioned in the tags?

Philip
s ait

Author

Commented:
No
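
The following is an added example, not part of the original thread: a PowerShell/ADSI check of the password policy values the domain itself is enforcing, and the expiry date that policy implies for individual accounts, so the configured 120 days can be compared against what users actually experience. The account names in `$SampleUsers` are hypothetical placeholders, and the script assumes it is run from a domain-joined machine with PowerShell available.

```powershell
# Added example. $SampleUsers holds hypothetical account names; replace them.
$SampleUsers = @('jdoe', 'asmith')

# Convert an AD interval (negative 100-ns ticks) to days; $null means no limit.
function Convert-AdIntervalToDays([Int64]$Ticks) {
    if ($Ticks -eq 0 -or $Ticks -eq [Int64]::MinValue) { return $null }
    return [TimeSpan]::FromTicks(-$Ticks).TotalDays
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = "$($rootDse.defaultNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")

# 1. Policy values stored on the domain head object (what domain accounts get).
$searcher.SearchScope = 'Base'
$searcher.Filter = '(objectClass=*)'
$dom = $searcher.FindOne().Properties
$maxAgeDays = Convert-AdIntervalToDays ($dom['maxpwdage'][0])
New-Object PSObject -Property @{
    Domain        = $domainDn
    MaxPwdAgeDays = $maxAgeDays
    MinPwdAgeDays = Convert-AdIntervalToDays ($dom['minpwdage'][0])
    MinPwdLength  = $dom['minpwdlength'][0]
    PwdHistory    = $dom['pwdhistorylength'][0]
}

# 2. Per user: when the password was last set and when it falls due.
$searcher.SearchScope = 'Subtree'
foreach ($name in $SampleUsers) {
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$name))"
    $hit = $searcher.FindOne()
    if (-not $hit) { Write-Warning "$name not found"; continue }
    $p = $hit.Properties
    # userAccountControl bit 0x10000 = DONT_EXPIRE_PASSWORD
    $neverExpires = [bool]($p['useraccountcontrol'][0] -band 0x10000)
    # pwdLastSet of 0 means "must change at next logon"
    $rawLastSet = [Int64]$p['pwdlastset'][0]
    $lastSet = if ($rawLastSet -gt 0) { [DateTime]::FromFileTime($rawLastSet) } else { $null }
    $expires = if ($lastSet -and $maxAgeDays -and -not $neverExpires) {
        $lastSet.AddDays($maxAgeDays)
    } else { $null }
    New-Object PSObject -Property @{
        User = $name; PasswordLastSet = $lastSet
        NeverExpires = $neverExpires; ExpiresOn = $expires
    }
}
```

If `MaxPwdAgeDays` does not match the value configured in the custom GPO, that GPO is not the one setting the domain's password policy.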