Password Policy Doesn't Take Effect

John LeMay

Now it's been a while since I did this, but I recently set up a GPO to
force strong passwords for a bunch of Windows XP machines. So I create the
policy and configure everything, use secedit /refreshpolicy machine_policy
/enforce to refresh, and bounced a test workstation. Nothing. I can still
set a simple password like "123". Makes no sense to me.

This is a very simple environment - two servers, both W2K, both DCs, and
the network is flat.

Any ideas on what I'm missing here?

thanks!

--
John LeMay
kc2kth
Senior Technical Manager
NJMC | http://www.njmc.com | Phone 732-557-4848
Specializing in Microsoft and Unix based solutions
 
There is no "secedit /refreshpolicy... whatever" command on WinXP, it has
been replaced with gpupdate, so you are wrong here.

Then, in which group policy object have you defined the account policy?
Remember that there can be only one account policy for ALL domain user
accounts. Policies affecting OUs other than Domain Controllers OU will only
apply to the local user accounts created on the computers located in these
OUs, not to domain user accounts located in these OUs.
 
> Then, in which group policy object have you defined the account policy?
> Remember that there can be only one account policy for ALL domain user
> accounts. Policies affecting OUs other than Domain Controllers OU will only
> apply to the local user accounts created on the computers located in these
> OUs, not to domain user accounts located in these OUs.

I'm betting this is the problem. I created a policy for the OU where the
user accounts are.

--
John LeMay
kc2kth
Senior Technical Manager
NJMC | http://www.njmc.com | Phone 732-557-4848
Specializing in Microsoft and Unix based solutions
 
> Then, in which group policy object have you defined the account policy?
> Remember that there can be only one account policy for ALL domain user
> accounts. Policies affecting OUs other than Domain Controllers OU will only
> apply to the local user accounts created on the computers located in these
> OUs, not to domain user accounts located in these OUs.

So now that I've thought about this a bit more, should this exist in the
Default Domain Controllers Policy on the DC OU, or in the Default Domain
Policy at the domain root container?

--
John LeMay
kc2kth
Senior Technical Manager
NJMC | http://www.njmc.com | Phone 732-557-4848
Specializing in Microsoft and Unix based solutions
 
Well, they both affect Domain Controllers OU, with Default Domain
Controllers Policy taking precedence. By default, account and password stuff
is specified in the Default Domain Policy.
 
John LeMay said:
> Now it's been a while since I did this, but I recently set up a GPO to
> force strong passwords for a bunch of Windows XP machines. So I create the
> policy and configure everything, use secedit /refreshpolicy machine_policy
> /enforce to refresh, and bounced a test workstation. Nothing. I can still
> set a simple password like "123". Makes no sense to me.
>
> This is a very simple environment - two servers, both W2K, both DCs, and
> the network is flat.
>
> Any ideas on what I'm missing here?
>
> thanks!

The password policy can only be set on the Default domain policy, it cannot
be overridden in GPOs on OUs.


Arild
 
> The password policy can only be set on the Default domain policy, it cannot
> be overridden in GPOs on OUs.

I would say this is where I was confused (well, one place anyhow!). Thanks
Dmitry and Arild for clarifying that.

--
John LeMay
kc2kth
Senior Technical Manager
NJMC | http://www.njmc.com | Phone 732-557-4848
Specializing in Microsoft and Unix based solutions
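
An added example, not part of the original thread: a small Python audit that reads the [System Access] section of each GPO's security template (GptTmpl.inf) and separates the settings that reach domain accounts (GPOs linked at the domain root) from those that only reach local accounts on computers in an OU. The GPO names, the OU path and the template values are constructed, and treating the list order as processing order for domain-level GPOs is a simplifying assumption.

```python
import configparser

# Account-policy keys from the [System Access] section of GptTmpl.inf.
ACCOUNT_KEYS = ("MinimumPasswordLength", "PasswordComplexity",
                "PasswordHistorySize", "MaximumPasswordAge",
                "MinimumPasswordAge", "LockoutBadCount")

def account_policy(inf_text):
    """Return the account-policy settings defined in one security template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the template's key casing
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in cp["System Access"].items()
            if k in ACCOUNT_KEYS}

def audit(gpos):
    """gpos: (name, link, inf_text) tuples in processing order (assumption).
    link is 'domain' for the domain root, otherwise the OU the GPO is linked to.
    Returns (settings effective for domain accounts, OU-level findings)."""
    effective, local_only = {}, []
    for name, link, inf_text in gpos:
        settings = account_policy(inf_text)
        if not settings:
            continue
        if link == "domain":
            effective.update(settings)  # a later domain-level GPO wins
        else:
            # Only local accounts on computers in this OU are affected.
            local_only.append((name, link, sorted(settings)))
    return effective, local_only

def template(min_length, complexity):
    """Build a constructed GptTmpl.inf body for the sample data below."""
    return ("[Unicode]\nUnicode=yes\n[System Access]\n"
            f"MinimumPasswordLength = {min_length}\n"
            f"PasswordComplexity = {complexity}\n"
            '[Version]\nsignature="$CHICAGO$"\nRevision=1\n')

# Constructed sample: the strong settings sit in an OU-linked GPO.
SAMPLE_GPOS = [
    ("Default Domain Policy", "domain", template(0, 0)),
    ("Strong Passwords", "OU=Staff", template(8, 1)),  # hypothetical GPO and OU
]

if __name__ == "__main__":
    effective, local_only = audit(SAMPLE_GPOS)
    print("Effective for domain accounts:", effective)
    for name, link, keys in local_only:
        print(f"{name} ({link}): {', '.join(keys)} apply to local accounts only")
```
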
 