gpo


concern

I have several issues. I am trying to use, via group policy,
the password complexity policy for my users. Rather than
just implementing the policy, I tried to create a
container and place my desktop in the container to try
and test the policy. It did not work. Is there a way I
can tell why this policy is not working? Since this is a
computer setting and not a user, I can only assume it does
not matter if I am logging on with a user account or not.
 
The password complexity settings are part of the account security policies.
The account security policies are special in the way they are interpreted by
client computers and domain controllers.

If you want to apply account security policy to domain accounts (as opposed
to local machine user accounts), then you have to make the modification in the
Default Domain Policy.

If you want to apply account security policy to local machine user accounts,
then you need to create a new GPO and link it to the OU with the computers that you
want to be affected by this policy.

So what you did is you changed local users. It doesn't affect domain users
logging on the same machines.
 
Vsevolod brought up some great points here, the only thing I wanted to
stress (that he had already mentioned) is that Password policies only apply
at the Default Domain Policy level, this is why your policy is not applying.

More info:

Domain logons account policy is applied at the domain level to
machines and not to users. OU policies are only applied if the user logs on
to the local machine, and not on to the domain.

By way of explanation, policies are enforced as follows:

1. Domain policy / user logging on to domain. Domain security policy is set
for expiration - "Maximum Password Age"
There is only one policy that can be applied in this scenario - the default
domain policy.

2. OU policy / user logging on to local machine. OU Policy is set for
expiration - "Maximum Password Age"
This bypasses the default domain policy, but is only for local logon. You
could have separate OUs but, again, this is only for local logon. Users logging
on to the domain will receive the default domain policy.

3. Local account logon / No OU or domain policy, or machine is in a
workgroup rather than a domain.
This is the default local machine password policy only.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Password policies only apply to domain user accounts if the policy is linked
to the domain container.
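
One way to see the split the replies describe, as an added example that is not part of the original thread: the script below compares the password policy a workstation enforces on its local accounts (the part an OU-linked GPO changes) with the policy the domain enforces on domain accounts. It assumes an elevated PowerShell prompt on a domain-joined machine with the RSAT ActiveDirectory and GroupPolicy modules installed; the function name `Get-LocalAccountPolicy` and the temp file name are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on a domain-joined machine.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

function Get-LocalAccountPolicy {
    # secedit exports the machine's effective security settings as an INI file.
    # The [System Access] section holds the policy applied to LOCAL accounts.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # hypothetical file name
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

$local  = Get-LocalAccountPolicy
$domain = Get-ADDefaultDomainPasswordPolicy   # what domain accounts actually get

# Side-by-side view: a mismatch means the OU-linked GPO only reached local accounts.
@(
    [pscustomobject]@{ Setting = 'Complexity enabled'
                       LocalAccounts  = ($local['PasswordComplexity'] -eq '1')
                       DomainAccounts = $domain.ComplexityEnabled }
    [pscustomobject]@{ Setting = 'Minimum length'
                       LocalAccounts  = [int]$local['MinimumPasswordLength']
                       DomainAccounts = $domain.MinPasswordLength }
    [pscustomobject]@{ Setting = 'Maximum age (days)'
                       LocalAccounts  = [int]$local['MaximumPasswordAge']
                       DomainAccounts = $domain.MaxPasswordAge.Days }
) | Format-Table -AutoSize

# GPOs linked at the domain root: only these can set policy for domain accounts.
$root = (Get-ADDomain).DistinguishedName
(Get-GPInheritance -Target $root).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# GPOs this computer actually applied, including any linked to its OU.
gpresult /scope computer /r
```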
 