Policies not being applied

  • Thread starter Thread starter Scott Sprigel
  • Start date Start date
S

Scott Sprigel

I have a Windows 2000 AD server, and about 35 XP Pro
workstations in the domain. I set a group policy on an
organizational unit in AD, and put all the users in that
OU. The user portion of the policy is working fine, but
the computer portion doesn't work at all. Specifically,
I've tried to change password expiration, account lockout,
and offline folder settings, none of which work at all.
Please give me some ideas as to why this is happening and
how I can resolve it. I read some articles, I've used the
gpupdate program on the xp side, and I've used the
scedit /refreshpolicy on the dc side, but nothing is
helping.

Thanks,

Scott
 
Scott,

Did you also move the computer accounts to that OU? In order for the
computer configuration portion to be applied, the computers need to be under
that OU. Also the password policies need to be set in the default domain
security policy. When you set them in a GPO at the OU level they are mostly
ignored (except for locally created accounts).

Kevin Mattson, MCSE
www.deploy-tech.net
 
Scott,

Kevin is correct. The machines have to be in the OU as well, but some of the
policies you mention are indeed only policies that can be set at the domain
level. Setting them at an OU level has no effect.

Password policies are Domain settings only (or Local policy if a stand alone
machine).


Scott,

Did you also move the computer accounts to that OU? In order for the
computer configuration portion to be applied, the computers need to be under
that OU. Also the password policies need to be set in the default domain
security policy. When you set them in a GPO at the OU level they are mostly
ignored (except for locally created accounts).

Kevin Mattson, MCSE
www.deploy-tech.net
 
I considered that the computer needed to be in the ou, so
I moved one there for testing purposes, but it made no
difference. I also played with the no override setting as
well as the block inheritance. None of those settings made
a difference, though it sounds like they should solve your
second point. What do you mean by locally created accounts
(are these accounts on the server when logged on
directly)? I have one domain, one dc, and this ou in on
that dc. If I understand you correctly, I can't really set
different global policies by ou, only by domain?

Thanks so much for your prompt response.

Scott
 
So, if I can create a policy in an ou and it offers me a
setting that has no effect, how am I supposed to know that
it is useless, and I shouldn't spend so many hours trying
to figure out why it doesn't work? Sorry, here's a nicer
way of saying the same thing. Where can I find some
reference material that will tell me what settings are not
effective at certain levels (ou, domain, local etc.)

Thanks,

Scott
 
Hi Scott,

Here is some info on the password policy:

269236 Changes Are Not Applied When You Change the Password Policy
http://support.microsoft.com/?id=269236

Thank you,

Bruce Hethcote
Microsoft Platforms Support
Directory Services Team

Please do not send e-mail directly to this address. This address is for
newsgroup purposes only. Please reply to the group instead.
 
Back
Top