Windows 2003 GPO's in a domain not applied

[Mark]

Hello folks,
Apologies if this is off-topic for this group since it's not windows
2000, but I could not find a better matching group.

I'm running into the following problem, and I hope someone here can help me:

I'm working with a windows server 2003 with windows xp workstations.
I have 2003 being the PDC for the single domain that is defined, and
have set up GPO's for this domain:
- a default domain policy with all settings for everyone
- a general user password policy
- a network admin password policy (tighter restrictions)

Now, all the GPO's are defined and linked to the domain, but if I use
profile modeling to check the used GPO's for certain accounts the
problem I see is this:
- the default domain policy is applied to everyone
- the password policies that I created are denied. The reason is "Empty"

The policies aren't empty, they have settings in them, so maybe "Empty"
means something else but... I can't find any documentation anywhere
about this problem or reason, not even in MS technet. I have tried
enforcing, I have tried several ways of linking, and nothing works. I
keep getting the GPOs "denied" because of "Empty". The proverbial brick
wall I'm banging my head against. I must be overlooking something simple.

So.. anyone have any ideas? I really could use the help.

 

[Guest]

Hello Mark!

The password policies are unique for a domain, so if the default policy has
any configuration about passwords, it will be the only one applied!!
To configure different password policies you should have different domains

I hope it helps you!

Best Regards,
Xeen

"Mark" escribió:

 

[Mark Straver]

Hello Xeen,

It makes no difference if I have a password policy defined in the
default domain policy or not.

But if what you say is true, it means it would be impossible to have
several different groups of users with a more lenient or stricter
password policy? That's insane... It would also make the ability to
supply password policies in other GPO's pretty useless to have, but
still it's possible to define them...

Is there no workaround for this?

Mark.

 

[Guest]

Hello again Mark!

I'm sorry, but it's the only way to work with it. One of the reasons to
creat a child domain is the password policy, if you need a different password
policy you must create a new domain.
Have a look on your policies, if you've configured passwords settings, you
can have conflicts in the application of the policies.
Have in mind that if you want to configure other settings on the policy you
should set the security in any way that the specified users has the read and
apply rights

I hope it will help you

Best Regards
Xeen

"Mark Straver" escribió:

 

[Mark Straver]

Thank you for your help,

I'm not happy about this severe restriction but if it's a hard rule then
there's nothing to do about it. We'll just have to make sure the very
small group of network administrators enforce the stricter policy
themselves.

I don't want to poke at the hornet's nest of creating a child domain and
possibly compromising an otherwise perfectly working setup.

Cheers,

Mark.

 

[ANIXIS]

Mark, there are third-party products that allow you to enforce multiple
password policies. Our one is called Password Policy Enforcer, and it
allows you to assign policies to users, groups, and OUs. PPE also
allows you to enforce much stronger password policies than the Windows
rules.

http://www.anixis.com/products/ppe/features.htm

 

[Mark Straver]

Nice sales pitch Sorry, I'm not interested in spending a minimum of
$200 on a simple tool. Besides, the complexity standards of win 2k3 are
more than sufficient, you don't want to enforce people to use more than
three different character groups of the 5.

 

[ANIXIS]

Besides, the complexity standards of win 2k3 are more than sufficient,
you don't want to enforce people to use more than three different
character groups of the 5.

Password5$ meets the Windows 2003 complexity requirements, but LC5 with
default settings cracks it in under one second.