Account Lockout

  • Thread starter: Mehdi Amini

Mehdi Amini

We have disabled our account lockout policy, but it becomes
enabled again automatically after a few hours. Has anyone seen
this problem?
 
Yes,

It has to do with protected groups. If a user account is a
member of a protected group, the user account is then also
a protected account. This is propagated through the PDC
FSMO role, which runs periodically.

Derick
 
Make sure you make the changes at the domain policy level, either at the default
domain policy or on the highest GPO in the list for the domain if you have more than
just the default domain GPO. In addition, make sure that "block inheritance" is not
configured on the domain controller container. Running the "net accounts" command on
the domain controllers should display what the actual policy is. If you cannot
resolve it, then you may have a replication problem within the domain, possibly
relating to DNS misconfiguration. Looking in Event Viewer on the domain controllers
will usually tell you that, in addition to running dcdiag on one or more domain
controllers, including the one you changed the policy on. Dcdiag and other extremely
helpful utilities are located on the install CD-ROM under the support/tools folder,
where you have to run the setup.

--- Steve
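
The per-domain-controller check suggested in the reply above, as an added example that is not part of the original thread: it reads the lockout settings held by each domain controller and flags any that disagree, which points to the replication problem the reply mentions. It assumes the ActiveDirectory PowerShell module (RSAT) and domain controllers that run Active Directory Web Services, neither of which appears in the thread.

```powershell
# Added example (not from the thread): compare the account lockout settings
# held by every domain controller. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController  = $dc.HostName
        IsPdcEmulator     = $dc.OperationMasterRoles -contains 'PDCEmulator'
        LockoutThreshold  = $null   # 0 means account lockout is disabled
        LockoutDuration   = $null
        ObservationWindow = $null
        Error             = $null
    }
    try {
        # Query this specific DC rather than whichever one the client locates.
        $policy = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName -ErrorAction Stop
        $row.LockoutThreshold  = $policy.LockoutThreshold
        $row.LockoutDuration   = $policy.LockoutDuration
        $row.ObservationWindow = $policy.LockoutObservationWindow
    } catch {
        # An unreachable DC is itself a finding: it cannot be receiving changes.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize

# Group the reachable DCs by their settings; more than one group means the
# policy has not converged across the domain.
$reachable = @($results | Where-Object { -not $_.Error })
$variants  = @($reachable | Group-Object LockoutThreshold, LockoutDuration, ObservationWindow)

if ($variants.Count -gt 1) {
    Write-Warning 'Domain controllers disagree on the lockout policy; check replication and DNS.'
    foreach ($variant in $variants) {
        '{0} -> {1}' -f $variant.Name, ($variant.Group.DomainController -join ', ')
    }
} elseif ($reachable.Count -gt 0) {
    'All reachable domain controllers report threshold {0}.' -f $reachable[0].LockoutThreshold
}

$results | Where-Object Error | ForEach-Object {
    Write-Warning ('{0} could not be queried: {1}' -f $_.DomainController, $_.Error)
}
```

Running it once right after changing the policy and again a few hours later shows whether the value reverts on every domain controller at once or only on some.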
 