GPO security settings not applied

H

Henri Visser

Hi,

I have the following OU & GPO structure:

Domain - Default Domain GPO
|_ Company - Company GPO
|_ Head Office
|_ IT - IT GPO - Enforced - Block Inheritance
|_ Finance
|_ Marketing
|_ etc...
|_ Branch 1
|_ Branch 2
|_ etc...

Default domain GPO has been left as installed.

I have set some security options in the Company GPO. (Password length,
expiry, time before change allowed, etc.)

I have blocked inheritance on the IT OU and created a GPO for the IT OU that
has some security options (password never expires, no minimum time on
password, etc)

My user and computer are both in the IT OU, however when I try to change my
password it appears as if I have the password related settings from the
Company GPO. User settings in the IT GPO (ex. IE settings) etc are applied
correctly.

Any ideas?

Thank you very much

Henri Visser, MCSE 2000
 
L

lforbes

Henri Visser said:
Hi,

I have the following OU & GPO structure:

Domain - Default Domain GPO
|_ Company - Company GPO
|_ Head Office
|_ IT - IT GPO - Enforced - Block Inheritance
|_ Finance
|_ Marketing
|_ etc...
|_ Branch 1
|_ Branch 2
|_ etc...

Default domain GPO has been left as installed.

I have set some security options in the Company GPO. (Password
length,
expiry, time before change allowed, etc.)

I have blocked inheritance on the IT OU and created a GPO for
the IT OU that
has some security options (password never expires, no minimum
time on
password, etc)

My user and computer are both in the IT OU, however when I try
to change my
password it appears as if I have the password related settings
from the
Company GPO. User settings in the IT GPO (ex. IE settings) etc
are applied
correctly.

Any ideas?

Thank you very much

Henri Visser, MCSE 2000
Click to expand...

Hi,

Security Settings like Password length etc need to be set at the
Domain Level to be applied. That is what the MS documentation says. It
is not something you can set at the lower OU’s.

That is by design. I haven’t found a way around it yet.

Cheers,

Lara
 
C

Cary Shultz [A.D. MVP]

Lara,

I promise that I am not following you!

The Password Policy is indeed set at the Domain - level. I like to use the
Domain Security Policy to set this. You can do this in the Default Domain
Policy if you like.....

However, you can indeed set a password policy at the OU - level! Please
note that this would be set on an OU in which computer account objects
directly reside and would affect only local user accounts ( note: not domain
user account objects! ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
H

Henri Visser

So, what can I do to stop certain users (for example: IT, Directors) from
having the more restrictive security settings that the general domain users
have. Would I have to create an OU above the GPO with the general password
policy?

Thanks

Henri Visser
 
C

Cary Shultz [A.D. MVP]

No!

Apparently I was not clear. The Password Policy set at the OU-level applies
only to the local user accounts on the computers that reside directly in the
OU to which the GPO is linked. It has no bearing what-so-ever on the domain
user account objects!!!!!!!

I am going to stop adding this bit of information to questions of this
nature as it just seems to add confusion! I am not sure how or why, but....

If you are going to have a Password Policy in your environment -BUT- there
are going to be certain individuals ( especially higher ups and members of
the IT team ) who will not be subjected to this policy then you might as
well not implement a Password Policy. This is just my opinion. It might do
some good, but you are only as strong as your weakest link. I am not sure
that I can understand why member of the IT Team would have any problem with
having a complex and secure password. I mean, these are the people who
*should* understand the need for this. I can - to a small degree -
understand why the higher ups might balk at this. But they really need to
have complex and secure passwords as well!

I guess that you could always check the 'Password never expires' check box
in the user account objects for those who do not need to be subject to the
Password Policy ( maximum, minimum, etc. ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Some parts of Windows 2008 GPO not applied for some users 1
GPO Password Policy is applied but not working 4
GPO won't apply "Password Policy" to DC 2
GPO settings are not applied 2
Loopback Processing with Security Groups (No separate OU) 1
GPO not applying to child OU's 0
Block Policy Inheritance not working as anticipated 4
Help needed with W2K3 Group Policy not being applied at user logon 11

Top