Group Policy Object

Status
Not open for further replies.

B1naryPro

I have a Windows 2000 Server and a 2000 workstation. I am trying to set up a password policy GPO. Ex. Password expires in 6 days. I applied the GPO to the particular OU in AD and I chose No override. I have the User ID and computer in the particular OU. I have User Configurations working such as disabling Change Password. I have DNS all correct. I just can't get it to accept the password policy in the computer configuration of the policy. I used gpresult and it is receiving the right GPO from the Domain. Am I missing anything? Appreciate any help. Thanks, Jimmy
Sys Admin
 
Member servers should accept policy same as a workstation. You need to find out where that 1 is coming from. Are there any other machines in this OU that you can check? I must be missing something...
 
That is the only PC in that OU. Here is another thought. On that member server, in the local security policy it is taking the local setting over the effective setting. Why is that? Domain should have precedence over local. Correct?? Jimmy
Sys Admin
 
That's correct. I'm realizing now that I wasn't as concise as I should have been when talking about account policies. If I wasn't clear, the account policy for domain members must be set at a GPO linked at the domain level only. It cannot be set on a GPO linked at an OU, although you can set account policy for LOCAL workstation accounts at the OU or site level. I don't know if that helps at all, I just needed to clarify. So, when you set your account policy on that OU, it should have had an effect on LOCAL accounts, but not domain accounts.
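The scoping rule described in the reply above, written out as a small model (an added example, not part of any poster's message and not Microsoft code). The GPO names, domain name, OU name and the 42-day domain value are constructed; only the 6-day value comes from the thread. Sites, local policy and Block Inheritance are left out.

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    name: str
    scope: str            # "domain" or "ou": where the GPO is linked
    target: str           # name of the domain or OU it is linked to
    account_policy: dict  # e.g. {"MaximumPasswordAge": 6}
    no_override: bool = False

def effective_account_policy(account_kind, computer_ou, links):
    """Return (settings, names of the GPO links that contributed).

    account_kind: "domain" for accounts stored in Active Directory,
                  "local" for accounts in the SAM of a member computer.
    """
    if account_kind == "domain":
        # Domain accounts: only domain-linked GPOs count. OU links are
        # ignored even when they are marked No Override.
        candidates = [l for l in links if l.scope == "domain"]
    else:
        # Local accounts: domain links plus links on the computer's own OU.
        candidates = [l for l in links if l.scope == "domain"
                      or (l.scope == "ou" and l.target == computer_ou)]
    # Domain is processed before OU, so the OU wins a conflict...
    ordered = sorted(candidates, key=lambda l: l.scope != "domain")
    # ...unless a link is No Override: those go last, domain last of all.
    normal = [l for l in ordered if not l.no_override]
    forced = [l for l in reversed(ordered) if l.no_override]
    settings, sources = {}, []
    for link in normal + forced:
        settings.update(link.account_policy)
        sources.append(link.name)
    return settings, sources

# Constructed sample mirroring the thread: the OU GPO asks for 6 days.
LINKS = [
    GpoLink("Default Domain Policy", "domain", "example.local",
            {"MaximumPasswordAge": 42}),
    GpoLink("OU Password Policy", "ou", "TestOU",
            {"MaximumPasswordAge": 6}, no_override=True),
]

if __name__ == "__main__":
    for kind in ("domain", "local"):
        print(kind, effective_account_policy(kind, "TestOU", LINKS))
```

The domain-account result keeps the domain value while the local-account result picks up the OU value, which matches gpresult reporting the OU GPO as applied without the domain user's password expiry changing.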
 
OK, it clarifies it better. What would you recommend in getting this password policy propagated to just the OU levels rather than the domain level?? I guess I'm going to need to learn how to link the OU GPO to the domain GPO. Thanks again, Jimmy
Sys Admin
 
I don't think that you can just propagate to specific OUs, it's the whole domain or bust when it comes to account policies. And OUs are already "linked" to domain GPOs simply by being a member of the domain. The difference being that with all other aspects of the domain GPO you can Block Inheritance at the OU level, just not the account stuff. I don't know if this would work (probably not), but maybe if you leave the domain account policies undefined, you could create an "un-linked" GPO, edit it how you like, and link an OU to it? I'm just babbling, that shouldn't work either...
 
What a nightmare with this GPO stuff. What I should do is add the password policy to the existing default domain policy and then block inheritance on all the OUs that I don't want to have that password policy, but then it's blocking all the other stuff that I have in the default domain policy, like log on locally etc... UGGGhh. So brontosaurus, what is your background as far as tech goes?? Jimmy
Sys Admin
 
I have broken many things for many years and learned how to fix them...:-)
Unfortunately, it's mostly been for large financial firms!
 