GPO security settings not applied

Henri Visser

Hi,

I have the following OU & GPO structure:

Domain - Default Domain GPO
|_ Company - Company GPO
   |_ Head Office
      |_ IT - IT GPO - Enforced - Block Inheritance
      |_ Finance
      |_ Marketing
      |_ etc...
   |_ Branch 1
   |_ Branch 2
   |_ etc...

Default domain GPO has been left as installed.

I have set some security options in the Company GPO. (Password length,
expiry, time before change allowed, etc.)

I have blocked inheritance on the IT OU and created a GPO for the IT OU that
has some security options (password never expires, no minimum time on
password, etc)

My user and computer are both in the IT OU, however when I try to change my
password it appears as if I have the password related settings from the
Company GPO. User settings in the IT GPO (e.g. IE settings) etc. are applied
correctly.

Any ideas?

Thank you very much

Henri Visser, MCSE 2000
 
Hi,

Security settings like password length etc. need to be set at the
domain level to be applied. That is what the MS documentation says. It
is not something you can set at the lower OUs.

That is by design. I haven’t found a way around it yet.

Cheers,

Lara
 
Lara,

I promise that I am not following you!

The Password Policy is indeed set at the domain level. I like to use the
Domain Security Policy to set this. You can do this in the Default Domain
Policy if you like.....

However, you can indeed set a password policy at the OU level! Please
note that this would be set on an OU in which computer account objects
directly reside and would affect only local user accounts (note: not domain
user account objects!).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
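The distinction Cary draws can be checked directly on a member computer. The following PowerShell is an added example, not code from the thread or from either poster: run on a domain-joined machine whose computer object sits in the IT OU (Henri's layout), it compares the local SAM account policy (what the OU-linked GPO changes) with the domain policy (what governs domain user accounts), so the two can be seen side by side. It assumes English `net accounts` output (the key names are parsed from that localized text) and, for the last two lines, the RSAT ActiveDirectory module and `gpresult`, neither of which existed on Windows 2000.

```powershell
# Added example, not part of the original thread. Assumes English "net accounts"
# output and a domain-joined member computer.

function Get-AccountPolicy {
    param([switch]$Domain)   # local SAM policy by default, PDC's domain policy with -Domain
    $lines  = if ($Domain) { net accounts /domain } else { net accounts }
    $policy = @{}
    foreach ($line in $lines) {
        # Lines look like "Minimum password length:                    7"
        if ($line -match '^(?<k>[^:]+?):\s+(?<v>\S.*)$') {
            $policy[$matches.k.Trim()] = $matches.v.Trim()
        }
    }
    return $policy
}

function Compare-PasswordPolicy {
    $local  = Get-AccountPolicy
    $domain = Get-AccountPolicy -Domain
    $keys = 'Minimum password age (days)',
            'Maximum password age (days)',
            'Minimum password length',
            'Length of password history maintained'
    foreach ($k in $keys) {
        [pscustomobject]@{ Setting = $k; LocalSAM = $local[$k]; Domain = $domain[$k] }
    }
}

# On a machine in the IT OU the LocalSAM column reflects the IT GPO; the Domain
# column stays at the Default Domain Policy values, which is what domain users get.
Compare-PasswordPolicy | Format-Table -AutoSize

# The same domain-side facts from AD itself (RSAT ActiveDirectory module, Server 2008 R2+):
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MinPasswordAge, MaxPasswordAge, ComplexityEnabled

# Confirm the IT GPO did reach the computer; it simply has no effect on domain accounts.
gpresult /r /scope:computer
```

If `net accounts /domain` shows the Company values while `net accounts` shows the IT values, the GPO is applying exactly as designed: to the local SAM of the computers in the IT OU, not to the domain account database.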
 
So, what can I do to stop certain users (for example: IT, Directors) from
having the more restrictive security settings that the general domain users
have. Would I have to create an OU above the GPO with the general password
policy?

Thanks

Henri Visser
 
No!

Apparently I was not clear. The Password Policy set at the OU level applies
only to the local user accounts on the computers that reside directly in the
OU to which the GPO is linked. It has no bearing whatsoever on the domain
user account objects!

I am going to stop adding this bit of information to questions of this
nature as it just seems to add confusion! I am not sure how or why, but....

If you are going to have a Password Policy in your environment -BUT- there
are going to be certain individuals (especially higher ups and members of
the IT team) who will not be subjected to this policy then you might as
well not implement a Password Policy. This is just my opinion. It might do
some good, but you are only as strong as your weakest link. I am not sure
that I can understand why members of the IT team would have any problem with
having a complex and secure password. I mean, these are the people who
*should* understand the need for this. I can - to a small degree -
understand why the higher ups might balk at this. But they really need to
have complex and secure passwords as well!

I guess that you could always check the 'Password never expires' check box
in the user account objects for those who do not need to be subject to the
Password Policy (maximum, minimum, etc.).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
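Cary's closing suggestion (the per-user 'Password never expires' flag) and Henri's underlying question (a different password policy for IT and directors) both have scriptable answers on later Active Directory versions. The block below is an added example, not code from the thread: it sets the flag as Cary describes, audits every enabled account that carries it (each one is the "weakest link" he warns about), and then shows the mechanism that now exists for Henri's actual goal, a fine-grained password policy (Password Settings Object) applied to a group, which overrides the Default Domain Policy for its members. It assumes the RSAT ActiveDirectory module and, for the PSO part, a domain functional level of Windows Server 2008 or higher; the account `hvisser`, the group `IT Staff` and the PSO name `IT-Staff-PSO` are placeholders chosen for the illustration.

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory
# module (RSAT) and, for steps 3-4, a Windows Server 2008+ domain functional level.
# "hvisser", "IT Staff" and "IT-Staff-PSO" are placeholder names.
Import-Module ActiveDirectory

# 1. Cary's per-user workaround: exempt one account from maximum password age.
Set-ADUser -Identity hvisser -PasswordNeverExpires $true

# 2. Audit the exemptions. Every enabled account listed here never rotates its
#    password, so this list is worth reviewing regularly.
function Get-NeverExpiringUsers {
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
               -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}
Get-NeverExpiringUsers | Format-Table -AutoSize

# 3. The supported alternative to an OU-linked GPO: a Password Settings Object.
#    Lower Precedence wins if a user falls under several PSOs. This one keeps
#    length and complexity high for IT while relaxing the age limits, rather
#    than removing the policy altogether.
New-ADFineGrainedPasswordPolicy -Name 'IT-Staff-PSO' -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -MinPasswordAge (New-TimeSpan -Days 0) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# PSOs apply to users and global security groups, never to OUs; put the IT
# accounts in the group and the PSO follows them wherever their objects live.
Add-ADFineGrainedPasswordPolicySubject -Identity 'IT-Staff-PSO' -Subjects 'IT Staff'

# 4. Verify which policy actually governs a given domain user. An empty result
#    means no PSO applies and the Default Domain Policy is in force.
Get-ADUserResultantPasswordPolicy -Identity hvisser
```

Unlike the flag in step 1, the PSO in step 3 leaves minimum length, complexity and history enforced for the exempted users, which addresses Cary's objection while still giving the IT team the relaxed expiry Henri was trying to configure through the IT OU.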
 