GPO will not stick - trying to change AD password policy.

  • GPO will not stick - trying to change AD password policy.

    We have decided to change the password policy for the group, but first we need to setup a test.

    Our Default Domain Policy has the Password Policy settings set to:
    New Enhanced Password
    The new enhanced password will require the following components to meet the new format.

    Passwords will remain at minimum 8 character length
    Passwords must not contain all or part of user’s account name
    Contain characters from three of the following four categories
    English uppercase characters (A through Z)
    English lower-case characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphanumeric characters (e.g. !, $, %, #)
    I created a new GPO ("[ALL] Enforce Complex Passwords") whose scope was OU-specific ("Hobart") and Security Filtering set to an AD group called "gGpl_Complex_Password_Test_Users" with the new Complex password settings:
    Computer Configuration (Enabled)
    Windows Settings
    Security Settings
    Account Policies/Password Policy
    Policy Setting
    Enforce password history 6 passwords remembered
    Maximum password age 45 days
    Minimum password age 30 days
    Minimum password length 8 characters
    Password must meet complexity requirements Enabled

    Account Policies/Account Lockout Policy
    For some reason, the new GPO would not take effect. I thought that maybe the DDP was overwriting the new GPO since it was higher in the Domain tree, so I cut out the settings from the DDP and created a new GPO ("[ALL] Password Policy (To be phased out)") with the same settings, applying it to all OUs, thus imitating the settings as they were in the DDP.

    The "Hobart" OU contains many computers and users, but I only want the users in this OU and in this group "gGpl_Complex_Password_Test_Users" to experience the new GPO.

    On my test PC, here's the result of GPResult:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\juliantest>gpresult

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 22/10/2007 at 4:02:31 PM


    RSOP results for SCL\juliantest on JULIANTEST : Logging Mode
    -------------------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: SCL
    Domain Type: Windows 2000
    Site Name: Clayton
    Roaming Profile:
    Local Profile: C:\Documents and Settings\juliantest
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=JULIANTEST,OU=Computers,OU=Lightly Managed,OU=TestSiteOU,DC=scl,DC=signet,DC=com,DC=au
    Last time Group Policy was applied: 22/10/2007 at 3:44:21 PM
    Group Policy was applied from: cla-dc1.scl.signet.com.au
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    [ALL] Password Policy (To be phased out)
    Default Domain Policy
    Applications - WA Time Zone Fix (Computer)

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Redirected Folders (User)
    Filtering: Disabled (GPO)

    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    JULIANTEST$
    Domain Computers


    USER SETTINGS
    --------------
    CN=JulianTest,OU=Users,OU=Lightly Managed,OU=TestSiteOU,DC=scl,DC=signet,DC=com,DC=au
    Last time Group Policy was applied: 22/10/2007 at 4:01:42 PM
    Group Policy was applied from: cla-dc1.scl.signet.com.au
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy
    Redirected Folders (User)

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    [ALL] Enforce Complex Passwords
    Filtering: Not Applied (Empty)

    Allow Access to MMC Author Mode (User)
    Filtering: Denied (Security)

    Applications - WA Time Zone Fix (Computer)
    Filtering: Disabled (GPO)

    [ALL] Password Policy (To be phased out)
    Filtering: Disabled (GPO)

    Enable Access to USB Storage Devices (Computer)
    Filtering: Disabled (GPO)

    Local Group Policy
    Filtering: Not Applied (Empty)

    Allow File and Printer Sharing for Windows XP Firewall Policy (Computer)
    Filtering: Disabled (GPO)

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    REMOTE INTERACTIVE LOGON
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    LOCAL
    gSec_ISA_Proxy_Clayton_Allow
    gShr_DAN-SRVLN_D$
    gShr_CLA-SRV_Scanning_Finance_Read
    gSec_ISA_Proxy_All_Sites_Allow_Media
    gApp_Altiris_Altiris Guest
    Domain Admins
    gSec_ISA_Proxy_All_Sites_Allow
    gShr_DAN-SRVLN_Scanning_Change
    gGpl_Complex_Password_Test_Users
    gSec_ISA_Proxy_Croydon_Allow
    gSec_ISA_Proxy_Special_Access_Websites_Allow
    gShr_CLA-SRV_IT_Change
    lShr_DAN-SRVLN_D$
    lSec_ISA_Proxy_Clayton_Allow
    lSec_ISA_Proxy_Croydon_Allow
    lSec_ISA_Proxy_All_Sites_Allow

    C:\Documents and Settings\juliantest>
    Can someone please tell me why the Computer settings are not applying? I even tried to Enforce the "[ALL] Enforce Complex Passwords" GPO without success.
    Last edited by JDMils; 22nd October 2007, 07:09.
    -- JDMils
    Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: GPO will not stick - trying to change AD password policy.

    I ran GP Modelling and got this (cut short):
    Group Policy Modeling
    scl.signet.com.au/TestSiteOU/Lightly Managed/Users on scl.signet.com.au/TestSiteOU/Lightly Managed/Computers
    Data collected on: 22/10/2007 4:12:05 PM

    Summary
    Computer Configuration Summary
    General
    Computer container scl.signet.com.au/TestSiteOU/Lightly Managed/Computers
    Domain scl.signet.com.au
    Site Hobart
    Slowlink processing No

    Group Policy Objects
    Applied GPOs
    Name | Link Location | Revision
    Applications - WA Time Zone Fix (Computer) | scl.signet.com.au | AD (3), Sysvol (3)
    Default Domain Policy | scl.signet.com.au | AD (332), Sysvol (332)
    [ALL] Password Policy (To be phased out) | scl.signet.com.au/TestSiteOU | AD (14), Sysvol (14)

    Denied GPOs
    Name | Link Location | Reason Denied
    Allow Access to MMC Author Mode (User) | scl.signet.com.au | Disabled GPO
    Enable Access to USB Storage Devices (Computer) | scl.signet.com.au | Access Denied (Security Filtering)
    Allow File and Printer Sharing for Windows XP Firewall Policy (Computer) | scl.signet.com.au | Access Denied (Security Filtering)
    Redirected Folders (User) | scl.signet.com.au | Disabled GPO
    [Clayton] Install ISA Client | scl.signet.com.au/TestSiteOU | Disabled Link
    [Clayton] Setup IE proxy settings | scl.signet.com.au/TestSiteOU | Disabled Link
    Trusted websites for Customer Service | scl.signet.com.au/TestSiteOU | Disabled Link
    Copy of Logon Script v0.2 (User) | scl.signet.com.au/TestSiteOU | Disabled Link
    Copy of DFS Pilot Group (User) | scl.signet.com.au/TestSiteOU | Disabled Link
    Enable GoOffline on Slow Link for Offline Files (Machine) For Test OU Only | scl.signet.com.au/TestSiteOU | Disabled Link
    Domain Firewall Policy v0.1 (Computer) | scl.signet.com.au/TestSiteOU | Disabled Link
    Open up Security on Local Prog Dirs for Domain Users (Machine) | scl.signet.com.au/TestSiteOU | Disabled Link
    MS Office 2003 Settings (User) | scl.signet.com.au/TestSiteOU | Disabled Link
    Logon Script v0.3 (User) | scl.signet.com.au/TestSiteOU | Disabled Link
    Add gGpl_AddGrouptoLocalAdminsGroup to Local Admins Group (Machine) | scl.signet.com.au/TestSiteOU | Disabled Link
    [ALL] Enforce Complex Passwords | scl.signet.com.au/TestSiteOU | Access Denied (Security Filtering)
    Lightly Managed v0.2 (Computer) | scl.signet.com.au/TestSiteOU/Lightly Managed/Computers | Disabled Link
    Give Power Users full access to C Drive for LM Computers (Machine) | scl.signet.com.au/TestSiteOU/Lightly Managed/Computers | Disabled Link
    Add Lightly Managed Users to local Power Users Group (Machine) | scl.signet.com.au/TestSiteOU/Lightly Managed/Computers | Disabled Link

    Simulated security group membership
    Everyone
    NT AUTHORITY\Authenticated Users
    WMI Filters
    Name Value Reference GPO(s)
    None

    Component Status


    • #3
      Re: GPO will not stick - trying to change AD password policy.

      Correct me if I'm wrong, but does this seem like a logical explanation:
      1. If the Security Filtering is on an AD user group, only User Configuration settings are applied
      2. If the Security Filtering is on an AD computer group, only Computer Configuration settings are applied
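      As an added example (not from the thread), this PowerShell checks the explanation in the post above directly: security filtering is only the ACL on the GPO, and the computer account has to hold Apply Group Policy for the Computer Configuration half to be processed. It needs the GroupPolicy and ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later), so it would not have run on the Windows XP / Windows 2000-mode domain in the thread. The GPO and computer names are the ones from the thread; the computer group name is an assumption. Trustee names are compared by plain account name, which is a simplification.

```powershell
# Added example, not part of the original thread. Shows which principals can
# apply a GPO and whether the test workstation is one of them.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName      = '[ALL] Enforce Complex Passwords'        # from the thread
$computerName = 'JULIANTEST'                             # workstation in the gpresult output
$compGroup    = 'gGpl_Complex_Password_Test_Computers'   # assumed name for the fix

# A principal applies a GPO only if it (or a group it belongs to) holds both
# Read and Apply Group Policy on the GPO. -All lists every ACE on the GPO.
$perms = Get-GPPermission -Name $gpoName -All
$perms |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Inherited |
    Format-Table -AutoSize

# Computer Configuration is evaluated in the computer account's security
# context, so membership of a *user* group is irrelevant to it. Compare the
# trustees that hold GpoApply with the computer account and its groups.
$applyTrustees = $perms |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

$computer       = Get-ADComputer $computerName
$compPrincipals = @($computer.SamAccountName, $computer.Name) +
                  @(Get-ADPrincipalGroupMembership $computer | ForEach-Object { $_.Name }) +
                  @('Authenticated Users')   # every domain computer is an authenticated user

$canApply = $applyTrustees | Where-Object { $compPrincipals -contains $_ }

if ($canApply) {
    "$computerName can apply '$gpoName' via: $($canApply -join ', ')"
}
else {
    "$computerName holds no Apply Group Policy right on '$gpoName'; its Computer Configuration is skipped."

    # Fix: filter the GPO on a group that contains the computer accounts,
    # not only the users. Group membership changes need a reboot (or a new
    # computer logon) before the token carries the new group.
    if (-not (Get-ADGroup -Filter "Name -eq '$compGroup'")) {
        New-ADGroup -Name $compGroup -GroupScope Global -GroupCategory Security
    }
    Add-ADGroupMember -Identity $compGroup -Members $computer
    Set-GPPermission -Name $gpoName -TargetName $compGroup -TargetType Group -PermissionLevel GpoApply

    # Then on the workstation:  gpupdate /target:computer /force ; gpresult /scope computer /r
}
```

      Getting the GPO to apply on the workstation only fixes the symptom in the gpresult output. As the later replies in the thread explain, Account Policies in a GPO linked to a workstation OU govern the local SAM accounts on those machines, not the domain accounts.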


      • #4
        Re: GPO will not stick - trying to change AD password policy.

        OK, I found out the hard way- you can only have ONE password policy per domain.


        • #5
          Re: GPO will not stick - trying to change AD password policy.

          Originally posted by JDMils:
          OK, I found out the hard way- you can only have ONE password policy per domain.
          That is right!

          Simple explanation:
          You must set the password policy for the computer(s) that keep the user accounts you want this policy to have effect on.
          You want this policy for domain users, so this policy must take effect on the Domain Controllers.

          If you set the policy by a GPO linked to client computers, the policy will just be for the user accounts stored on these computers, the local accounts, while domain accounts are kept by Domain Controllers. All domain controllers in the same domain hold the same object database.
          That is why you have to set the password policy in the 'Default Domain Policy'.
          Then it will affect all: the domain accounts and also all the local accounts on every computer. This is because the policy is inherited by all containers and OUs.
          (If you don't want this policy to have effect on workstations' local accounts, then create a 'Default Domain Controller Policy' and set the Password Policy there, or block inheritance on the workstation OUs.)

          \Rems

          This posting is provided "AS IS" with no warranties, and confers no rights.

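          As an added example (not from the thread), the following PowerShell shows how to read the policy that actually governs domain accounts, and, for readers whose domain runs at Windows Server 2008 functional level or higher, how the per-group test policy the original poster wanted can be done with a fine-grained password policy (PSO) instead of an OU-linked GPO, leaving the Default Domain Policy untouched. The thread's domain reports Windows 2000 mode, so the PSO part does not apply to it. The group name and the settings are the ones from the first post; the PSO name is an assumption.

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory
# module (RSAT) and rights to read, and for the PSO part to write, the domain.
Import-Module ActiveDirectory

# 1. Domain accounts are governed by whichever GPO wins the Account Policies
#    settings on the domain controllers; by default that is the Default Domain
#    Policy linked at the domain root. This shows the resulting values.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold |
    Format-List

# 2. A GPO linked to a workstation OU never changes those values; it only alters
#    the local SAM policy on the workstations. To see which GPO set the domain
#    values, run  gpresult /scope computer /v  on a domain controller.

# 3. Fine-grained password policies give one group its own policy. They need
#    Windows Server 2008 domain functional level or higher.
$groupName = 'gGpl_Complex_Password_Test_Users'   # from the thread
$psoName   = 'PSO-Complex-Password-Test'          # assumed name

$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ((Get-ADDomain).DomainMode -lt $minMode) {
    throw "Fine-grained password policies need Windows Server 2008 domain functional level or higher."
}

# Settings below mirror post #1. Lower Precedence wins when a user is covered
# by more than one PSO; a PSO always beats the domain-wide policy.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 8 `
        -PasswordHistoryCount 6 `
        -MinPasswordAge '30.00:00:00' `
        -MaxPasswordAge '45.00:00:00' `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 0
}

# Apply the PSO to the test group (users or global security groups only).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 4. Verify what a member actually gets: the resultant PSO, not the domain policy.
Get-ADUserResultantPasswordPolicy -Identity 'juliantest'
```

          Verifying with Get-ADUserResultantPasswordPolicy matters because PSOs apply only to users and global security groups, not to computers or OUs, and a user in several groups gets the PSO with the lowest precedence number, which may not be the one just created.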