default domain policy, password policy

[Guest]

I made some changes to our default domain policy, password age, min length,
password complexity, lockout duration, invalid attempts, reset acct, and from
the user portion setup a timeout to occur which will lock the desktop. The
user portion of the policy was persistant, but the computer settings kept
being set back to what they were previously. We have a root domain, which
has always had a different policy that the domain whose policy I changed
today, so I know it was being set from the root domain, and we have another
child domain whose password policy is different, and I never had this problem
there when I made changes recently. My understanding of password policies
was there can only be one per domain, so my question is how is this being
overwritten apparently through replication, by some other policy. It wasn't
until I checked the enforced setting that the policy persisted, but I thought
that only applied to downstream policies and that the default domain password
policies trumped any policies below them???

thank you
Bill

 

[Denis Wong @ Hong Kong]

Hi Bill,

Not quite sure about your query, but probably this KB and the associated KBs
may give you some light.

How to configure account policies in Active Directory
http://support.microsoft.com/default.aspx?scid=kb;en-us;255550&sd=tech

br,
Denis

 

[Guest]

i appreciate the article, but that's not exactly what I was looking for. My
default domain policy's computer settings, (min password length, lockout
duration, etc.) kept being set back to their old settings a few minutes
after modifying them. It wasn't until I checked the enforced checkbox on the
gpo that the default domain policy computer settings remained changed
permanently. I don't understand why checking the enforced box fixed the
problem, or why it was a problem to begin with.

thank you,
Bill