Group Policy Not Being Applied??


Matt

I'm experiencing several problems with certain group policy objects not being
applied, mainly on Windows XP Pro clients. The first issue is with the
password policy. The password policy has been amended.

Enforce Password History: 20 passwords remembered
Maximum Password Age: 90 days
Minimum Password Length: 7 characters
Password Must Meet Complexity Requirements: Enabled

After testing this on a test PC I have, I can change a domain user's account
password from within Windows to any password, provided that it has 7
characters (numeric characters or upper-case characters are not required).

The other issue is with Outlook 2003. Within the default domain policy I
have specified that the preview pane and auto preview panes are disabled.
This is working on some PCs and not others. (My test machine does not permit
this.)

I have noticed on several machines that certain policies are not updating;
this is after forcing an update using GPUPDATE /force and using GPRESULT to see
what is actually being applied. On my test machine I can't seem to find anything in
the event log that suggests that the policies are not being applied, and no
policy inheritance is blocked on the OUs.

I'm at a dead end and wondered if anyone could shed any light on the situation.
 

Meinolf Weber [MVP-DS]

Hello Matt,

Make sure that you have enabled the following policy for the XP machines:

Computer Configuration, Administrative Templates, System, Logon, in the right
pane "Always wait for the network at computer startup and logon"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 

Matt

Thanks for the prompt reply. I have enabled this and run a gpupdate /force on
my test machine. This has not made any difference. Please advise.
 

Florian Frommherz [MVP]

Matt,

Matt said:
I'm experiencing several problems with certain group policy objects not being
applied, mainly on Windows XP Pro clients. The first issue is with the
password policy. The password policy has been amended.

Enforce Password History: 20 passwords remembered
Maximum Password Age: 90 days
Minimum Password Length: 7 characters
Password Must Meet Complexity Requirements: Enabled

After testing this on a test PC I have, I can change a domain user's account
password from within Windows to any password, provided that it has 7
characters (numeric characters or upper-case characters are not required).

I have written up a few things you should look up:
http://www.frickelsoft.net/blog/?p=137

cheers,
Florian
 

Matt

I'm a little confused, we are trying to apply the policies on our
workstations and not on the domain controllers. There are loads of changes
which we have made to our group policy as well as outlook and the password
policy (services etc).

I don't want to allow these changes to be inherited by our domain
controllers as this will stop certain services from running and cause huge
problems.

 

Meinolf Weber [MVP-DS]

Hello Matt,

Password policy MUST be set at the domain level. On an OU it will not work
when the machines are in the domain.

The exception is if you have Server 2008 with the functional level set to 2008;
then you have the option of using fine-grained password policy to configure
different password settings.

Best regards

Meinolf Weber
 

Florian Frommherz [MVP]

Matt,

Matt said:
I'm a little confused, we are trying to apply the policies on our
workstations and not on the domain controllers. There are loads of changes
which we have made to our group policy as well as outlook and the password
policy (services etc).

The password policies need to be in a GP that is linked to the domain
level. Best practice is to create a new GPO at domain level, define the
password settings and then order all policies linked to the domain in an
order so that your custom password policy is shown in GPMC as the first
one (on top of the list).

Matt said:
I don't want to allow these changes to be inherited by our domain
controllers as this will stop certain services from running and cause huge
problems.

? I'm not sure if I can follow. I may interpret your posting in two ways:

(1) you have all settings (including pass policy) in one GP and you're
afraid to link it to the domain. That's okay: just create a new GP and
link it to the domain.

(2) you have all settings including the pass policy in one GP and that
policy is linked to the domain. You therefore have blocked inheritance
on the Domain Controllers-OU to have the settings not apply to those. --
that's - sorry to be honest - bad design. Create an OU structure that
allows you to link policies more freely. Create a top level OU like "my
corporate clients" and start building a subOU structure just like you
need it. Link the policies you have on domain level there. Put the
password policy to the domain level and stop blocking inheritance at the
DC-OU.

Cheers
Florian
 

Matt

Ok, we have re-organised Active Directory and applied a password policy on
the root.

All of our other OUs have been moved into a new OU called Corporate
Clients, this being the OU with a policy applied that restricts certain
services from starting etc. After running a GPUPDATE /force and rebooting the
machine there does not appear to be any change.

 

Florian Frommherz [MVP]

Howdie!

Matt said:
All of our other OUs have been moved into a new OU called Corporate
Clients, this being the OU with a policy applied that restricts certain
services from starting etc. After running a GPUPDATE /force and rebooting the
machine there does not appear to be any change.

What doesn't work? The settings with the service restrictions or the
password policy?

Florian
 

Matt

The password policy does not appear to be applied on the Windows XP
workstation that I'm using to test. The Outlook policies also do not seem to
have been applied.

 

Florian Frommherz [MVP]

Matt,

Matt said:
The password policy does not appear to be applied on the Windows XP
workstation that I'm using to test. The Outlook policies also do not seem to
have been applied.

For the password policy, check whether "Block Inheritance" on the Domain
Controllers OU isn't enabled.
For those outlook settings, log on to a client and check with "RSOP.msc"
whether the policy is applied or not.

Cheers,
Florian
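
The checks suggested in this thread (the effective domain password policy, Block Inheritance on the Domain Controllers OU, and GPO link order at the domain level) can be scripted. This is an added example, not code from any of the posters; it assumes an admin workstation with the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which ship with Windows Server 2008 R2 and later, and takes the expected values from the policy quoted in the first post.

```powershell
# Added example. Assumption: RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

# Intended settings, as listed in the first post of the thread.
$expected = @{
    PasswordHistoryCount = 20
    MaxPasswordAgeDays   = 90
    MinPasswordLength    = 7
    ComplexityEnabled    = $true
}

$domain = Get-ADDomain
$actual = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# 1. Compare what the domain really enforces with what was configured.
$observed = @{
    PasswordHistoryCount = $actual.PasswordHistoryCount
    MaxPasswordAgeDays   = [int]$actual.MaxPasswordAge.TotalDays
    MinPasswordLength    = $actual.MinPasswordLength
    ComplexityEnabled    = $actual.ComplexityEnabled
}
foreach ($name in $expected.Keys) {
    $state = if ($observed[$name] -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-22} expected={1,-6} effective={2,-6} {3}' -f `
        $name, $expected[$name], $observed[$name], $state
}

# 2. The check suggested above: is Block Inheritance set on the Domain Controllers OU?
$dcOu = Get-GPInheritance -Target $domain.DomainControllersContainer
if ($dcOu.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is enabled on $($dcOu.Path)"
} else {
    "Block Inheritance is not enabled on $($dcOu.Path)"
}

# 3. GPOs linked directly to the domain, in link order.
#    Order 1 is the entry shown at the top of the list in GPMC.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

A MISMATCH line in step 1 together with a warning in step 2 corresponds to the situation described in case (2) earlier in the thread.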
 

Matt

When a domain user is attempting to change their password, they are presented
with a message saying that the password cannot be changed at this time.

After running rsop.msc I'm presented with the Resultant Set of Policy, which
shows a "!" next to Administrator on the It-Test and under Computer
Configuration. This suggests there is an issue, although I'm not able to find
the issue.


 