GPO not applying

  • GPO not applying

    I want to set up a Test Accounts AD group to allow a shorter password than the default domain policy but I cannot get it to work.

    Any ideas? Here is what I have done....

    I created a "XYZco_Users_Test" OU, created a "Test Users" AD global group in the new OU, added a handful of test users to the new group. Then I created a "Test Accounts Password Policy" GPO for the new OU and set the password length shorter than the corp standard, scope Security Filtering lists only the Test Users group. Default Domain Policy is not enforced. I also ran gpupdate on a DC.

    When I try to set a test user's account, AD User mgr complains it's too short for the policy.

    When I run Group Policy Modeling in GPMC, under the User Config section it shows the Default Domain Policy and Test Accounts policy under Denied GPOs, the reason shown is "empty". I assume this is because the password policy settings are Computer Settings, not User.

  • #2
    Re: GPO not applying

    I think you needn't deploy a GPO. You can deploy it in the Domain Security Policy; all users in your domain will accept your policy!
    Domain controller security policy can't fix password!
    Last edited by rendom; 12th January 2008, 07:06.



    • #3
      Re: GPO not applying

      Passwords (and some other security policies) are only applied at Domain and Local level, not at site or OU level.

      Your OU password policy will be ignored, only the domain level password policy will be applied.

      Your solutions are:
      2 domains, one per password policy
      or
      Something complex with multiple domain level password policies and GPO filtering based on group membership

      Why do you need multiple password policies?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: GPO not applying

        Now in Windows 2008 you can apply password policies at OU level also.

        Regards,
        Kapil Sharma
        ~~~~~~~~~~~~~
        Life is too short, Enjoy It.
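
Added example (not part of the original thread or any poster's code): a read-only PowerShell check of which password policy actually governs each member of the thread's "Test Users" group. It assumes PowerShell 3.0 or later with the ActiveDirectory RSAT module and a Windows Server 2008 or later domain functional level, where the per-group mechanism is a fine-grained password policy (PSO) applied to users or global security groups rather than a GPO linked to an OU.

```powershell
# Added example: report the effective password policy for each member of a group.
# Assumptions: ActiveDirectory module (RSAT) is installed and the caller can read
# the Password Settings Container. Read-only: nothing in the directory is changed.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $GroupName   # e.g. the thread's "Test Users" group
    )

    # Domain-level policy: the fallback for every account that has no PSO.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # Returns nothing when no fine-grained policy (PSO) applies to the user.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName

            if ($pso) {
                $source = "PSO: $($pso.Name) (precedence $($pso.Precedence))"
                $policy = $pso
            } else {
                $source = 'Default domain policy'
                $policy = $domainPolicy
            }

            [pscustomobject]@{
                User              = $_.SamAccountName
                PolicySource      = $source
                MinPasswordLength = $policy.MinPasswordLength
                ComplexityEnabled = $policy.ComplexityEnabled
                LockoutThreshold  = $policy.LockoutThreshold
            }
        }
}

Get-EffectivePasswordPolicy -GroupName 'Test Users' | Format-Table -AutoSize
```

Accounts reported as "Default domain policy" are held to the domain's minimum password length regardless of any GPO linked to their OU.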



        • #5
          Re: GPO not applying

          Thanks for the heads up everybody. Now it makes sense.

          The reason I wanted shorter passwords is we are revising security policies in our ERP app for SOX compliance, need to have 20 or so temporary test accounts so we aren't messing with production accounts. The names were to be short and easy, e.g. test5, we wanted the password to match the test account name for simplicity, but that's just not going to happen so we will have longer passwords.

          Thanks everyone that replied
          Mike S

          Originally posted by Ossian:
          Passwords (and some other security policies) are only applied at Domain and Local level, not at site or OU level.

          Your OU password policy will be ignored, only the domain level password policy will be applied.

          Your solutions are:
          2 domains, one per password policy
          or
          Something complex with multiple domain level password policies and GPO filtering based on group membership

          Why do you need multiple password policies?



          • #6
            Re: GPO not applying

            Originally posted by kapilsharma11:
            Now in Windows 2008 you can apply password policies at OU level also.

            Regards,
            Interesting.... One less reason to create multiple domains.

            Mike,
            I normally use something like "Pa55word" (or the MS favourite of "Pa$$w0rd") when I want an "easy" complex password for test purposes
            Tom Jones


            • #7
              Re: GPO not applying

              Specops Password Policy enables multiple passwords to be in a single domain environment, I suppose for testing purposes you could download the trial from http://www.specopssoft.com/products/...asswordpolicy/
              MCSA 2000/2003
