Block Policy Inheritance not working as anticipated

G

Guest

I have a Domain Controller running Windows 2000 Server. The Domain container (root) has a GPO (Default Domian Policy) with password policies defined (complexity, history, length and age). Below the Domain container I have 3 OUs (Accounts, Domain Controllers and Groups). Only the Domain Controllers OU has it's own GPO (Default Domain Controllers Policy). This policy does not have any password policies defined.

Below the Accounts OU I have a child OU (EM Mailbox) that contains User accounts. I have one GPO set for this OU which does not have any password policies defined. I have selected the check box for "Block Policy Inheritance" under the Group Policy tab of the EM Mailbox properties.

I expected this to block the password policy settings from GPO on the Domain Container (root), but it has not worked. On the Domain Controller I have issued the following command after selecting the Block Policy Inheritance check box:

secedit /refreshpolicy machine_policy /enforce

I also restarted the Domain Controller after issueing the secedit command above.

I am still unable to create a new user account in the EM Mailbox OU without being subject to the password policies set in the GPO associated with the Domain Container (root). I need to be able to create the new user account using a password that does not meet all the password requirements set in the Domain Container's GPO.

Does anyone have any suggestions?

Thanks in advance!!
 
S

Steven L Umbach

Password/account policy for domain users can only be configured at the domain level,
and any attempts to bypass it will not work. Think of it as having a permanent no
override applied to it. You would have to create another domain to have different
password/account policy. You can configure AD accounts to "not expire" in account
properties to bypass the password age setting if that helps. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;255550

bottomfeeder said:
I have a Domain Controller running Windows 2000 Server. The Domain container
Click to expand...
(root) has a GPO (Default Domian Policy) with password policies defined (complexity,
history, length and age). Below the Domain container I have 3 OUs (Accounts, Domain
Controllers and Groups). Only the Domain Controllers OU has it's own GPO (Default
Domain Controllers Policy). This policy does not have any password policies defined.
Below the Accounts OU I have a child OU (EM Mailbox) that contains User accounts.
Click to expand...
I have one GPO set for this OU which does not have any password policies defined. I
have selected the check box for "Block Policy Inheritance" under the Group Policy tab
of the EM Mailbox properties.
I expected this to block the password policy settings from GPO on the Domain
Click to expand...
Container (root), but it has not worked. On the Domain Controller I have issued the
following command after selecting the Block Policy Inheritance check box:
secedit /refreshpolicy machine_policy /enforce

I also restarted the Domain Controller after issueing the secedit command above.

I am still unable to create a new user account in the EM Mailbox OU without being
Click to expand...
subject to the password policies set in the GPO associated with the Domain Container
(root). I need to be able to create the new user account using a password that does
not meet all the password requirements set in the Domain Container's GPO.
 
G

Guest

After posting this question I browsed other posts relevant to my own and found my answer:

Password policies are per domain only. This ensures that a domain will have a consistent policy across all users, thus not putting it at risk by allowing possibly weaker passwords in a portion of the domain.

It would appear that there is no way around this. If there happens to be a solution, I would appreciate hearing about it.

Thanks!!!
 
G

Guest

Thanks Steve.

Steven L Umbach said:
Password/account policy for domain users can only be configured at the domain level,
and any attempts to bypass it will not work. Think of it as having a permanent no
override applied to it. You would have to create another domain to have different
password/account policy. You can configure AD accounts to "not expire" in account
properties to bypass the password age setting if that helps. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;255550


(root) has a GPO (Default Domian Policy) with password policies defined (complexity,
history, length and age). Below the Domain container I have 3 OUs (Accounts, Domain
Controllers and Groups). Only the Domain Controllers OU has it's own GPO (Default
Domain Controllers Policy). This policy does not have any password policies defined.
I have one GPO set for this OU which does not have any password policies defined. I
have selected the check box for "Block Policy Inheritance" under the Group Policy tab
of the EM Mailbox properties.
Container (root), but it has not worked. On the Domain Controller I have issued the
following command after selecting the Block Policy Inheritance check box:
subject to the password policies set in the GPO associated with the Domain Container
(root). I need to be able to create the new user account using a password that does
not meet all the password requirements set in the Domain Container's GPO.
Click to expand...
 
G

Guest

have oyu got no override selected? if so uncheck it
-----Original Message-----
After posting this question I browsed other posts relevant to my own and found my answer:

Password policies are per domain only. This ensures that a
Click to expand...
domain will have a consistent policy across all users, thus
not putting it at risk by allowing possibly weaker
passwords in a portion of the domain.
It would appear that there is no way around this. If
Click to expand...
there happens to be a solution, I would appreciate hearing
about it.
Thanks!!!
Click to expand...
The Domain container (root) has a GPO (Default Domian
Policy) with password policies defined (complexity,
history, length and age). Below the Domain container I
have 3 OUs (Accounts, Domain Controllers and Groups). Only
the Domain Controllers OU has it's own GPO (Default Domain
Controllers Policy). This policy does not have any
password policies defined.that contains User accounts. I have one GPO set for this
OU which does not have any password policies defined. I
have selected the check box for "Block Policy Inheritance"
under the Group Policy tab of the EM Mailbox properties.from GPO on the Domain Container (root), but it has not
worked. On the Domain Controller I have issued the
following command after selecting the Block Policy
Inheritance check box:Mailbox OU without being subject to the password policies
set in the GPO associated with the Domain Container (root).
I need to be able to create the new user account using a
password that does not meet all the password requirements
set in the Domain Container's GPO.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Domain Password Policy & Blocking Policy Inheritance 10
GPO won't apply "Password Policy" to DC 2
GPO Password Policy is applied but not working 4
Assistance Please - Policy Order Doesn't Seem To Work Out Right. 1
Changes to Domain Policy not enforced 1
GP do not take effect 4
Default Domain Policy -- Password Changes 1
password local policy in domain 2

Top