GPO won't apply "Password Policy" to DC

Kevin P. Fleming

I have a simple network, a W2K3 DC running ADS in Native mode, some WXP
Pro and some W2K Pro workstations.

I want to disable password aging, and password memory. I know that the
Domain Controllers OU has "Block Policy Inheritance" enabled, so rather
than try to make these changes in the Default Domain Policy, I added a
new GPO to the Domain Controllers OU.

In this new GPO I set my Password Policy settings, as well as
eliminating the need for Ctrl-Alt-Del. However, only the CAD setting
takes effect on the DC, the Password Policy settings do not. There are
no other GPOs assigned to this OU, and Block Policy Inheritance is still
enabled for the OU.

Using RSoP in Planning mode, I can see that my Password Policy settings
are applied, with the correct "Source GPO". However, using RSoP in
Logging mode, the Password Policy settings are _not_ applied. I cannot
figure out what is stopping them from being applied, when other settings
from the same GPO _are_ being applied.
 
Don Ferguson (Microsoft)

Hi Kevin,
The account policies for a domain must be set in a policy linked to the
domain container (usually the default domain policy).

http://support.microsoft.com/default.aspx?kbid=259576

If you have the account policy settings enabled at the domain level and you
have "Block Policy Inheritance" on the default domain controller OU, I would
not expect those settings to be applied from the domain. However anything
set at the domain controller level would be ignored as well.

http://support.microsoft.com/default.aspx?scid=kb;en-us;269236&Product=win2000

Thanks

Don Ferguson
Microsoft Directory Services Team
 
Kevin P. Fleming

Don said:
If you have the account policy settings enabled at the domain level and you
have "Block Policy Inheritance" on the default domain controller OU, I would
not expect those settings to be applied from the domain. However anything
set at the domain controller level would be ignored as well.

http://support.microsoft.com/default.aspx?scid=kb;en-us;269236&Product=win2000

I didn't realize the "special" nature of the Default Domain Policy
GPO... I really wish Microsoft wouldn't do stuff like that :)

However, since I have other GPOs at the domain level that I do not want
to flow down into the Domain Controllers OU, I think I will instead set
No Override on the Default Domain Policy GPO, which should accomplish
the same thing (as long as I put _only_ password policies into the
Default Domain Policy GPO) and I can leave Block Policy Inheritance set
on the Domain Controllers OU.

Thanks for the pointer to that article, somehow that one didn't come up
in my KB searches today <G>
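
Added example, not part of the original thread: a read-only PowerShell check of the configuration discussed above, listing which GPOs are linked at the domain container, whether the Domain Controllers OU blocks inheritance, which domain-level links still reach that OU, and the password policy the domain is actually using. It assumes the ActiveDirectory and GroupPolicy RSAT modules, which are newer than the Windows Server 2003 tooling used in the thread; "Enforced" is the GPMC name for the "No Override" link option.

```powershell
# Requires the ActiveDirectory and GroupPolicy modules (RSAT). Read-only.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # normally "OU=Domain Controllers,<domain DN>"

# 1. GPOs linked at the domain container, the level where account
#    (password) policy has to be defined, and whether each link is Enforced.
$rootInh = Get-GPInheritance -Target $domain.DistinguishedName
"GPO links on $($domain.DistinguishedName):"
$rootInh.GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 2. Inheritance state of the Domain Controllers OU and the GPOs that
#    actually apply there after Block Inheritance / Enforced are resolved.
$dcInh = Get-GPInheritance -Target $dcOu
"Block Inheritance on ${dcOu}: $($dcInh.GpoInheritanceBlocked)"
"GPOs that reach the Domain Controllers OU (in precedence order):"
$dcInh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target |
    Format-Table -AutoSize

# 3. Enabled domain-level links that do NOT reach the DC OU. With Block
#    Inheritance set, every non-Enforced domain link should appear here.
$reaching = @($dcInh.InheritedGpoLinks | ForEach-Object { $_.GpoId })
$blocked  = @($rootInh.GpoLinks |
    Where-Object { $_.Enabled -and ($reaching -notcontains $_.GpoId) })
"Domain-level GPOs blocked from the Domain Controllers OU:"
if ($blocked.Count -eq 0) { "  (none)" }
else { $blocked | ForEach-Object { "  $($_.DisplayName)" } }

# 4. The password policy currently in force for domain accounts, read from
#    the domain object itself rather than from any GPO.
"Effective domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled |
    Format-List
```

If the values in step 4 do not match what the domain-linked GPO defines, compare the link list in step 2 against step 1 to see whether that GPO is among those reaching the Domain Controllers OU.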
 
