Group Security Policy not being applied

Scot Welker

Running SP4 with AD and after much research finally found out the
security and password policies should be made at the domain level
rather than the OU level. I've set these under the Default Domain
Policy/Computer Configuration/Windows Settings/Security
Settings/Password Policy. I run secedit to force them to kick in. I
then go into the gpedit on the workstation side, and I can see those same
policies are the effective policy now. I then require a test user to
change their password, which, to follow the new policy, SHOULD force them to
use the complexity requirements. Again, I check to make sure the
local gpedit effective policy matches what the AD policy dictates. The
user reboots, gets the message to change their password. I have them
just change it to 'dog' to see if the complexity and password length
requirements kick in. Unfortunately sometimes it will bring up a
message the first time that it doesn't meet those requirements. He
presses ok and tries that same simplistic password again and THEN it
allows him to use that password. Sometimes he's able to use the
password without ever getting the complexity requirement message.

Can anyone tell me why this is and where else I can look to resolve
this? Should I reboot servers after making changes like this? That's
the only thing I haven't tried as yet.

Thank you in advance
 
Herb Martin

Scot Welker said:
Running SP4 with AD and after much research finally found out the
security and password policies should be made at the domain level
rather than the OU level. I've set these under the Default Domain
Policy/Computer Configuration/Windows Settings/Security
Settings/Password Policy. I run secedit to force them to kick in.

Secedit only updates the LOCAL machine -- you must run
it on each client (and use GPUpdate on XP now) or wait
for the update period to kick in.

I then go into the gpedit on the workstation side, and I can see those same
policies are the effective policy now. I then require a test user to
change their password, which, to follow the new policy, SHOULD force them to
use the complexity requirements. Again, I check to make sure the
local gpedit effective policy matches what the AD policy dictates. The
user reboots, gets the message to change their password. I have them
just change it to 'dog' to see if the complexity and password length
requirements kick in. Unfortunately sometimes it will bring up a
message the first time that it doesn't meet those requirements. He
presses ok and tries that same simplistic password again and THEN it
allows him to use that password. Sometimes he's able to use the
password without ever getting the complexity requirement message.

Can anyone tell me why this is and where else I can look to resolve
this? Should I reboot servers after making changes like this? That's
the only thing I haven't tried as yet.

Weird -- mine is (irritatingly) consistent.
 
