Link to home
Create AccountLog in
Avatar of Matt McGlone
Matt McGloneFlag for United States of America

asked on

Why is group policy not being applied?

A group policy is not being applied to users account. It is our Password policy. Our policy is set to change once per year in this domain. But the password expires randomly between 35-45 days. I have nothing in the event logs of the users computers. All other group policies are being applied.

- (2) DCs running Windows Server 2012R2

- Domain functional Level: Windows Server 2003


In ADUC - user accounts "Password never expires" is not greyed out.  It is still an available check box. 


Any ideas

Avatar of Matt McGlone
Matt McGlone
Flag of United States of America image

ASKER

The policy is Enabled. Security Filtering is set to Authenticated Users. The GPO is linked at the top domain level. Authenticated Users and Domain Users have permission to the GPO.
PasswordPolicy.JPG
Avatar of Amit
Use fine grained password policy.
I have an older proprietary app that requires I keep the domain functional level at Windows Server 2003. I can't upgrade that. Which means I cannot use fine grained. Thanks Amit.
ASKER CERTIFIED SOLUTION
Avatar of Amit
Amit
Flag of India image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Yes I am aware of that. Right now I would be happy just to get the one working.
Sorry to say, it will not work, as that is the limitation from Microsoft. You need to upgrade to supported AD version and use fine grained policies.
Are you saying you can't use a Password Policy in GPO with a functional level set at Windows Server 2003.  Yes you can. It had been working just fine. Thanks
I am afraid I haven't used server 2003 in a long time, but I seem to recall you could only set the password policy using the Default Domain Policy.  Others were ignored. Again, a long time ago, I may be wrong or thinking of server 2000.

You could also try running on a user's PC
gpresult  /H  C:\Temp\AFileName.html
Then open the file and see if it sheds any light on the problem.
@Matt,

To my knowledge, only one password policy will work. I advise you to call Microsoft for more help.
@Amit.  That is my understanding as well, but I think you must use the default domain policy, you cannot create another policy and set it there. In other words you cannot create a policy specific to a single OU.