
RSoP doesn't show correct Password settings

Dec 24, 2003
132
US
Greetings-

Three DCs; 500 XP Pro workstations. Started getting a password expiration notice. Discovered the setting is in the Local Security Policy. But when I do an RSoP on the workstation, it doesn't show this information. Why?

Additionally, the Maximum Password Age isn't being reported correctly either.

It was initially defined by GPO "A" in Active Directory. We decided to break it out to its own policy, GPO "B". Even though the settings from GPO "B" are the effective ones, an RSoP reports that the ones in place are from the old GPO "A". Can someone help me understand this a bit better?

Thanx
OregonSteve

"..You should never, never doubt what nobody is sure about." -Willy Wonka
 
Security GPOs are applied ONLY at the DOMAIN level.

If a GPO with those settings is linked to an OU it will apply only to the LOCAL policy, but is overruled by the domain policy.

Bear this in mind.
 
Greetings-

Thank you, but I don't believe this addresses my issue. The 14-day notice is set in the Local Security Policy on the workstations. But running an RSoP doesn't reflect this; on the contrary, RSoP doesn't report ANY GPO as governing the setting to notify users prior to password expiration. Is the Local Security Policy supposed to be excluded when running an RSoP?

Also, RSoP reports an old policy that governed password settings as being the currently effective Policy.

The policies are working, it's the RSoP that's not reporting correctly (in my estimation).

Thanx
OregonSteve

"..You should never, never doubt what nobody is sure about." -Willy Wonka
 
RSoP will only report changes to the default behaviour of the system.

14 days is a system default and is therefore never logged in RSoP. I'm unsure if it WOULD report it when you change the setting locally. I guess not.
 
I've always heard it to be best practice to keep password policies in the default domain policy; however, I have gone against this for testing purposes in the past.

Did you try enforcing the newly created password policy at the OU level? Or, disable the default domain policy (not recommended)? Also, make sure your password policy GPO is higher in the list at whatever OU you want it to apply.

Of course, we all know that Domain Policies always apply after local policies...so that shouldn't be an issue.

Hope this helps...
 
UPDATE!!! I've gotten the workstation to report the correct information by changing the settings in the old GPO to Undefined and then performing a GPUPDATE.

The password expiration notice is still set in the Local Security Policy, however, and I'm not sure how I'm going to "move" this setting to an AD GPO.

Thanx
OregonSteve

"..You should never, never doubt what nobody is sure about." -Willy Wonka
 
Whenever a policy setting is set to Not Defined, any other policy in the chain of application will take precedence if it is defined. In this case, the ONLY other place this is defined is apparently in the local security policy. You must define it elsewhere in AD policy. Create a GPO and call it password_policy. Define your password policies there, including your grace period (which is defined by the max age...there's a formula there which I can't recall off hand...easily searchable). Try linking this new password_policy GPO to the OU which contains the computers you want it to affect. Run GPUPDATE /FORCE (possibly requires a reboot). Run GPRESULT and reap the rewards. Remember to keep this GPO higher in the applied list in said OU than your Default Domain Policy. If the results are not as desired, enforce the link and be sure you're not blocking inheritance. I hope you're using GPMC, as it's MUCH easier to organize your policies than kickin' it old school.

Good Luck!
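The thread's underlying problem is that three different views of the password settings disagreed: what was actually in effect on the workstation, what the domain account policy says, and which GPO RSoP credits for each value (with RSoP silently omitting the OS-default 14-day expiry warning). The script below, an added example rather than anything posted in this thread, pulls all three views side by side so a mismatch like the one described above shows up in one table. It assumes an elevated PowerShell session on a domain-joined Windows host with the built-in secedit.exe and a gpresult.exe that supports XML output, and optionally the ActiveDirectory module for the domain column. The XML element names it reads (Account, Name, SettingNumber, GPO/Name) are an assumption about the gpresult report layout; the registry value PasswordExpiryWarning under Winlogon is the real location of the "prompt user to change password before expiration" setting.

```powershell
# Added example; not code from the thread. Assumes an elevated session on a
# domain-joined Windows host, secedit.exe and gpresult.exe (with /x support),
# and, optionally, the ActiveDirectory module. GPO names in the output are
# whatever the domain uses; nothing here refers to the poster's "GPO A"/"GPO B".

function Get-LocalEffectivePasswordPolicy {
    # secedit exports the security database actually in effect on this machine,
    # whatever mix of local policy and GPOs produced it.
    $inf = Join-Path $env:TEMP 'effective-secpol.inf'
    secedit /export /cfg $inf /quiet | Out-Null

    # Minimal INF parser: "[Section]" headers followed by "key = value" lines.
    $sections = @{}; $current = $null
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^\s*(.+?)\s*=\s*(.+?)\s*$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    $sa = $sections['System Access']
    $result = [ordered]@{}
    foreach ($k in 'MaximumPasswordAge','MinimumPasswordAge','MinimumPasswordLength','PasswordComplexity','PasswordHistorySize') {
        $result[$k] = if ($sa -and $sa.ContainsKey($k)) { [int]$sa[$k] } else { $null }
    }
    # "Prompt user to change password before expiration" is a Winlogon registry
    # value. 14 days is the OS default, which is why RSoP shows nothing for it.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
          -Name PasswordExpiryWarning -ErrorAction SilentlyContinue
    $result['PasswordExpiryWarning'] = if ($wl) { [int]$wl.PasswordExpiryWarning } else { $null }
    return $result
}

function Get-DomainPasswordPolicy {
    # Domain accounts take their password policy from the domain-linked GPO
    # (normally Default Domain Policy); an OU-linked GPO only reaches local accounts.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }
    $p = Get-ADDefaultDomainPasswordPolicy
    return [ordered]@{
        MaximumPasswordAge    = [int]$p.MaxPasswordAge.TotalDays
        MinimumPasswordAge    = [int]$p.MinPasswordAge.TotalDays
        MinimumPasswordLength = [int]$p.MinPasswordLength
        PasswordComplexity    = [int]$p.ComplexityEnabled
        PasswordHistorySize   = [int]$p.PasswordHistoryCount
        PasswordExpiryWarning = $null   # not part of the domain account policy
    }
}

function Get-RsopPasswordSettingSources {
    # gpresult /x writes the same RSoP data the GUI shows. Element names are an
    # assumption about the report layout; local-name() XPath ignores namespaces.
    $xmlPath = Join-Path $env:TEMP 'rsop-computer.xml'
    gpresult /scope computer /x $xmlPath /f | Out-Null
    [xml]$rsop = Get-Content $xmlPath
    $sources = @{}
    foreach ($node in $rsop.SelectNodes("//*[local-name()='Account']")) {
        $name  = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        $value = $node.SelectSingleNode("*[local-name()='SettingNumber']").InnerText
        $gpo   = $node.SelectSingleNode("*[local-name()='GPO']/*[local-name()='Name']").InnerText
        $sources[$name] = @{ Value = $value; GPO = $gpo }
    }
    return $sources
}

function Compare-PasswordPolicyViews {
    # One row per setting: effective value, domain value, and what RSoP claims.
    # Mismatch is true when RSoP reports a value that differs from what is in effect.
    $local  = Get-LocalEffectivePasswordPolicy
    $domain = Get-DomainPasswordPolicy
    $rsop   = Get-RsopPasswordSettingSources
    foreach ($k in $local.Keys) {
        [pscustomobject]@{
            Setting        = $k
            LocalEffective = $local[$k]
            Domain         = if ($domain) { $domain[$k] } else { 'n/a' }
            RsopValue      = if ($rsop.ContainsKey($k)) { $rsop[$k].Value } else { '(not reported)' }
            RsopSource     = if ($rsop.ContainsKey($k)) { $rsop[$k].GPO }   else { '(not reported)' }
            Mismatch       = ($rsop.ContainsKey($k) -and ([string]$rsop[$k].Value -ne [string]$local[$k]))
        }
    }
}

Compare-PasswordPolicyViews | Format-Table -AutoSize
```

Run it once before and once after a `gpupdate /force` (and a reboot, if the poster's experience applies) to see whether RSoP has caught up with the effective settings. A row whose RsopSource is "(not reported)" while LocalEffective has a value is exactly the situation described in the thread: the setting is in effect but comes from a default or from Local Security Policy, so RSoP has no GPO to attribute it to.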
 