Group Policy Object

B1naryPro

I have a Windows 2000 Server and a 2000 workstation. I am trying to set up a password policy GPO. Ex. password expires in 6 days. I applied the GPO to the particular OU in AD and I chose No Override. I have the user ID and computer in the particular OU. I have User Configuration settings working, such as disabling Change Password. I have DNS all correct. I just can't get it to accept the password policy in the Computer Configuration of the policy. I used gpresult and it is receiving the right GPO from the domain. Am I missing anything? Appreciate any help. Thanks, Jimmy
Sys Admin
 
Check your Default Domain Policy. If you haven't touched it, it probably has values in it that you'll need to disable.
 
Yes, I do have a default domain policy, but I have the GPO with No Override at the OU level, meaning that the default domain policy isn't being applied to my OU. Is this correct? Thanks, Jimmy
Sys Admin
 
Unfortunately, that's not correct for Account Policies. Remember that a domain is a security zone, and thus is the master of all things account related. You cannot override domain level account policies, even by checking off Block Inheritance.
 
OK,
So then I want to set my password policy in that particular OU and I don't want to affect the rest of my domain. How would I go about doing this? Say, for example, the password age. I have that set in my GPO in my OU; what would I do with the Default Domain Policy in order for this to work? Jimmy
Sys Admin
 
Either set the Default Domain Policy to "not defined", or make the Default Domain Policy LESS restrictive than the OU.
 
At the default domain policy I do have the password age set to "not defined", so how would I make the default domain policy less restrictive than the OU? Appreciate the help. Jimmy
Sys Admin
 
So the default domain policy was not defined the whole time?
 
No, the default domain policy is not defined with the password because users on that domain aren't going to be ready for this password change. I wanted to do it by department OUs rather than putting this policy in effect for the whole domain. I basically want to define a password policy just for OUs at this point and not the domain.
Sorry for the miscommunication. Jimmy
Sys Admin
 
Hmmm...if the Default Domain Policy is not defined, then you shouldn't be having any issues. Can you get a hold of the tools GPRESULT and GPOTOOL? I believe they're resource kit items...
 
Yes, I have the gpresult.exe tool and the PC I am working on is telling me that it is receiving security settings from the GPO that I created. So it's not using the default domain policy. The weird thing is that I am able to apply settings to the user configuration, i.e. disable change password, and that works. But when I use a policy for the computer configuration, it doesn't work. I have the computer and the user in the OU that is getting my GPO. I just don't understand why it isn't working... hmmm. Jimmy
Sys Admin
 
So what does it say about the password policy? Can you see an effective setting? What about other "computer configuration" settings? Have you tried to apply any of those and been successful?
 
I have done a computer setting to install a service pack. That worked. It doesn't tell me about the security settings specifically. It just tells me the GPO it's using. Jimmy
Sys Admin
 
Go to one of the workstations and check the local security settings. It should tell you the local value and the effective value for the password policy. Are those the same, or do they match up with any of your policies?
 
OK, the local password policy doesn't sync up with the domain controller policy.
The maximum local setting password age is 42 days and the effective setting is 1 day. So now what? Jimmy
Sys Admin
 
OK. 42 days is the default for local settings. Now, the question is, where is that 1 coming from? What type of machine are you on when you checked this? Workstation, server, etc...
 
Oh, very good point, it was a server. Jimmy
Sys Admin
 
It's a member server. Jimmy
Sys Admin
 
I checked on a W2K Pro client and it also had the 42 day max password age. I put the max password age to 1 and in the local security policy of the client it says 1 day for maximum password age is the effective setting, but the password doesn't expire? Jimmy
Sys Admin
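
Added example, not part of the original thread: one way to check the point made in the replies that account policy for domain accounts is set at the domain level is to compare `net accounts` (the member machine's own policy, which applies to its local SAM accounts) with `net accounts /domain`. The two sample outputs below are constructed and trimmed, and the helper names are hypothetical.

```python
import re

# Constructed sample outputs (trimmed); the values are illustrative only.
# `net accounts` on a member workstation: policy for its local SAM accounts.
LOCAL_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          1
Minimum password length:                              0
Length of password history maintained:                None
The command completed successfully.
"""
# `net accounts /domain`: policy the domain applies to domain accounts.
DOMAIN_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
The command completed successfully.
"""

def parse_net_accounts(text):
    """Parse 'Setting name:   value' lines into a dict; skip status lines."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*?)\s*$", line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy

def policy_differences(local_text, domain_text):
    """Return {setting: (local value, domain value)} where the two disagree."""
    local = parse_net_accounts(local_text)
    domain = parse_net_accounts(domain_text)
    return {k: (local[k], domain[k])
            for k in local if k in domain and local[k] != domain[k]}

def governing_value(setting, account_is_domain, local_text, domain_text):
    """Value that applies to an account: domain accounts follow the domain
    policy, local SAM accounts follow the machine's own effective policy."""
    source = domain_text if account_is_domain else local_text
    return parse_net_accounts(source)[setting]

if __name__ == "__main__":
    diffs = policy_differences(LOCAL_OUTPUT, DOMAIN_OUTPUT)
    for name, (loc, dom) in diffs.items():
        print(f"{name}: local accounts={loc}, domain accounts={dom}")
```

A setting that appears in the difference list is one where a user logging on with a domain account sees the domain value, whatever the workstation's local security policy reports as effective.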
 