GPO will not stick- tryng to change AD password policy.

Home Forums Microsoft Networking and Management Services GPO GPO will not stick- tryng to change AD password policy.

Viewing 1 post (of 1 total)
  • Author
    Posts
  • Avatar
    JDMils
    Member
    #128385

    We have decided to change the password policy for the group, but first we need to setup a test.

    Our Default Domain Policy has the Password Policy settings set to:

    Quote:
    New Enhanced Password
    The new enhanced password will require the following components to meet the new format.

    Passwords will remain at minimum 8 character length
    Passwords must not contain all or part of user’s account name
    Contain characters from three of the following four categories
    English uppercase characters (A through Z)
    English lower-case characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphanumeric (special !,$,%,#) character

    I created a new GPO (“[ALL] Enforce Complex Passwords”) who’s scope was OU-specific (“Hobart”) and Security Filtering set to an AD group called “gGpl_Complex_Password_Test_Users” with the new Complex password settings:

    Quote:
    Computer Configuration (Enabled)hide
    Windows Settingshide
    Security Settingshide
    Account Policies/Password Policyhide
    Policy Setting
    Enforce password history 6 passwords remembered
    Maximum password age 45 days
    Minimum password age 30 days
    Minimum password length 8 characters
    Password must meet complexity requirements Enabled

    Account Policies/Account Lockout Policy

    For some reason, the new GPO would not take effect. I thought that maybe the DDP was overwriting the new GPO since it was higher in the Domain tree, so I cut out the settings from the DDP and created a new GPO (“[ALL] Password Policy (To be phased out)”) with the same settings, applying it to all OUs, thus imitating the settings as they were in the DDP.

    The “Hobart” OU contains many computers and users, but I only want the users in this OU andin this group “gGpl_Complex_Password_Test_Users” to experience the new GPO.

    On my test PC, here’s the result of GPResult:

    Quote:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:Documents and Settingsjuliantest>gpresult

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 22/10/2007 at 4:02:31 PM

    RSOP results for SCLjuliantest on JULIANTEST : Logging Mode



    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: SCL
    Domain Type: Windows 2000
    Site Name: Clayton
    Roaming Profile:
    Local Profile: C:Documents and Settingsjuliantest
    Connected over a slow link?: No

    COMPUTER SETTINGS


    CN=JULIANTEST,OU=Computers,OU=Lightly Managed,OU=TestSiteOU,DC=scl,DC=signet,DC=com,DC=au
    Last time Group Policy was applied: 22/10/2007 at 3:44:21 PM
    Group Policy was applied from: cla-dc1.scl.signet.com.au
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects


    [ALL] Password Policy (To be phased out)
    Default Domain Policy
    Applications – WA Time Zone Fix (Computer)

    The following GPOs were not applied because they were filtered out


    Redirected Folders (User)
    Filtering: Disabled (GPO)

    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:


    BUILTINAdministrators
    Everyone
    BUILTINUsers
    NT AUTHORITYNETWORK
    NT AUTHORITYAuthenticated Users
    JULIANTEST$
    Domain Computers

    USER SETTINGS


    CN=JulianTest,OU=Users,OU=Lightly Managed,OU=TestSiteOU,DC=scl,DC=signet,DC=com,DC=au
    Last time Group Policy was applied: 22/10/2007 at 4:01:42 PM
    Group Policy was applied from: cla-dc1.scl.signet.com.au
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects


    Default Domain Policy
    Redirected Folders (User)

    The following GPOs were not applied because they were filtered out


    [ALL] Enforce Complex Passwords
    Filtering: Not Applied (Empty)

    Allow Access to MMC Author Mode (User)
    Filtering: Denied (Security)

    Applications – WA Time Zone Fix (Computer)
    Filtering: Disabled (GPO)

    [ALL] Password Policy (To be phased out)
    Filtering: Disabled (GPO)

    Enable Access to USB Storage Devices (Computer)
    Filtering: Disabled (GPO)

    Local Group Policy
    Filtering: Not Applied (Empty)

    Allow File and Printer Sharing for Windows XP Firewall Policy (Computer)
    Filtering: Disabled (GPO)

    The user is a part of the following security groups:


    Domain Users
    Everyone
    BUILTINUsers
    BUILTINAdministrators
    REMOTE INTERACTIVE LOGON
    NT AUTHORITYINTERACTIVE
    NT AUTHORITYAuthenticated Users
    LOCAL
    gSec_ISA_Proxy_Clayton_Allow
    gShr_DAN-SRVLN_D$
    gShr_CLA-SRV_Scanning_Finance_Read
    gSec_ISA_Proxy_All_Sites_Allow_Media
    gApp_Altiris_Altiris Guest
    Domain Admins
    gSec_ISA_Proxy_All_Sites_Allow
    gShr_DAN-SRVLN_Scanning_Change
    gGpl_Complex_Password_Test_Users
    gSec_ISA_Proxy_Croydon_Allow
    gSec_ISA_Proxy_Special_Access_Websites_Allow
    gShr_CLA-SRV_IT_Change
    lShr_DAN-SRVLN_D$
    lSec_ISA_Proxy_Clayton_Allow
    lSec_ISA_Proxy_Croydon_Allow
    lSec_ISA_Proxy_All_Sites_Allow

    C:Documents and Settingsjuliantest>

    Can someone pls tell me why the Computer settings are not applying? I even tried to Enforce the “[ALL] Enforce Complex Passwords” GPO without success….. :cry:

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.