Regardless of where you apply this policy, if a workstation is within scope
the local policy will be configured to that of the GPO.
Providing you've set this on the Default *Domain* Policy (not default domain
controllers policy), and there isn't a GPO above this GPO in the processing
order (but linked to the domain) then it sounds like the policy isn't being
applied to the DCs.
Have you configured no override on the Domain Controllers OU?
Have you filtered the policy so that the DCs don't apply it?
Have the permissions on the GPO and/ or SYSVOL being modified so that some
machines (the DCs) can't read the policy?
Are there any warnings or errors in the event logs on the DCs pointing to
policy not applying? Specifically userenv and scecli events?
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
Then you are not modifying Default domain policy. Try running gpupdate on
server and change a password...
I am editing the default domain policy and gpupdate is an xp command to
replace secedit.
Secedit being the command I ran on the server.
Also, the local policy of my servers is showing complex passwords being
enabled and if I change a LOCAL user, on a stand alone system, it will
enforce complex passwords.
BUT, if I change a password from the workstation wont care, it enforces
the other policies that have been there, length and history, but not
complex.
