Domain security policy and GPO

[Gil]

hi,
I still do not know what definitions are stornger the domain security policy
or GPO ???
I need to see that the GPO will be stronger from the GPO, becuase I can NOT
change the password policy to all my domain in the same time.
Here what I have:
Under the domain security policy I have a defnition that the password
minimum length will be 3 letters.
Under the GPO I just created now there is a minimum password length of 5
letters.
NOW I applyed the GPO to a few users, and try to change the password to 3
letters .
I hoped that it will NOT work, and I will get an error saying that I need a
password of 5 letters. BUT, unfortantly the password of 3 letters was good.
So how can I make the GPO becam,e stronger then the domain security policy
????

thanks.

 

[Guest]

Please see reply to your other earlier post "Password Policy - URGENT" in
this same newsgroup ("Windows 2000 Active Directory").

 

[Gil]

Thanks Desmond.
Still I put question over ther as continue to your answer from their.
thanks.

 

[Chriss3 [MVP]]

Hello Gil,
The Password Policy is a domain wide policy, and have to effect all user
accounts within the particular domain. The Password Policy can only be set
at Domain level, and should be set in the Default Domain Policy, or another
Policy at the with the highest priority.

(Please don't post multiple times in the newsgroups)

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup

 

[Richard G. Harper]

First, just because you create a GPO and apply it to one or more users does
not mean that it's enforced yet. This does not happen instantly. See here:

http://support.microsoft.com/default.aspx/kb/227302

For XP/2003 systems, see here:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Second, I think you have a very basic misunderstanding going on in regard to
GPO and security policies. You keep referring to "making a GPO stronger
than a domain policy" ... well, the "Default Domain Policy" is a GPO object,
the same as any GPO you create. Making one "stronger" than the other is
very simply done though the Active Directory tools available on Windows 2000
Server.

I would strongly suggest that you spend some time at either the MSDN
(http://msdn.microsoft.com/) or TechNet (http://www.microsoft.com/technet)
Web sites studying Active Directory and Group Policy Objects so you can
determine where your problem (if any) lies.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Cary Shultz [A.D. MVP]]

Gil,

Have you resolved your issue yet?

Like everyone has stated - the Password Policy *M*U*S*T* be set at the
Domain level. I would suggest doing it in the Domain Security Policy (
IIRC, a subset of the DDP ).

HTH,

Cary


--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com