GP Account Policies Not Enforced

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GP Account Policies Not Enforced

    I have 100+ computers running XP divided into multiple OUs on a Win2003 DC. My password policy is the same for everyone and is defined in the Default Domain Policy. I have not defined it in any other OUs. Gpresult shows that the policy for the OU and Default Domain are applying, but users can still have simple, short, and even blank passwords! Here is a sample of a typical gpresult query.

    COMPUTER SETTINGS
    ------------------
    CN=computer,OU=ouname,DC=domain,DC=com
    Last time Group Policy was applied: 12/18/2007 at 2:08:20 PM
    Group Policy was applied from: server.domain.com
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    wsusgpo
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    computer name
    Domain Computers


    USER SETTINGS
    --------------
    CN=user,OU=ouname,DC=domain,DC=com
    Last time Group Policy was applied: 12/18/2007 at 2:09:01 PM
    Group Policy was applied from: server.domain.com
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    wsusgpo
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    LOCAL


    I have been able to change user GP settings and they apply. GPMC shows all policies as NOT enforced, links enabled, all paths correct, all GPOs enabled and linked properly. Group policy results report shows that Default Domain Policy is the winning GPO for password policy, but passwords can still be changed to anything.

    Policy - Setting
    Enforce password history - 5 passwords remembered
    Maximum password age - 30 days
    Minimum password age - 1 days
    Minimum password length - 8 characters
    Password must meet complexity requirements - Enabled
    Store passwords using reversible encryption - Disabled

    Any help would be appreciated,
    Thanks!

  • #2
    Re: GP Account Policies Not Enforced

    Users can keep using their old password until they are asked to change it.

    Or, you can force users to change their password at next logon:
    Select all the users in the OU at once,
    Open the properties,
    Go to the tab Account,
    check 'User must change password at next logon'

    btw.
    For domain user accounts there can be only one password policy per domain. The policy must affect all domain controllers (domain user accounts are stored in AD, not on local computers); by setting this policy in the Default Domain Policy you are sure all the domain controllers have the same policy. This is the recommended practice. But by setting this policy in the Default Domain Policy, the local accounts on each computer are also affected by this password policy (not every notebook user is happy with that).

    \Rems


    EDIT
    but passwords can still be changed to anything.
    oops,

    - Have you tried GPUPDATE /FORCE on a client?
    - run Gpresult against a Domain Controller
    Last edited by Rems; 19th December 2007, 23:02.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: GP Account Policies Not Enforced

      Thanks for the reply Rems, but as I said before I have NOT defined any other password policies except for Default Domain Policy. My problem is enforcing the policy - not forcing users to change their password.

      For example, I can force a user to change his password and when it prompts him he can type in his old password and leave the new password field blank and it will be accepted.

      Thanks again!



      • #4
        Re: GP Account Policies Not Enforced

        Can you run Gpresult against a Domain Controller?

        \Rems



        • #5
          Re: GP Account Policies Not Enforced

          Here it is. A couple of strange things to take note of: Different domain types even though all DCs run Win2003. No applied group policy under users. I have replaced user and computer names with false data for security.


          RSOP data for WINNT\domainadmin on domain controller : Logging Mode
          ----------------------------------------------------------

          OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edition
          OS Configuration: Primary Domain Controller
          OS Version: 5.2.3790
          Terminal Server Mode: Remote Administration
          Site Name: Default-First-Site-Name
          Roaming Profile:
          Local Profile: C:\Documents and Settings\username
          Connected over a slow link?: No


          COMPUTER SETTINGS
          ------------------
          CN=computer,OU=Domain Controllers,DC=domain,DC=com
          Last time Group Policy was applied: 12/19/2007 at 4:02:36 PM
          Group Policy was applied from: *****.*****.com
          Group Policy slow link threshold: 500 kbps
          Domain Name: ****
          Domain Type: WindowsNT 4

          Applied Group Policy Objects
          -----------------------------
          Default Domain Controllers Policy

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Default Domain Policy
          Filtering: Denied (Security)

          Local Group Policy
          Filtering: Not Applied (Empty)

          The computer is a part of the following security groups
          -------------------------------------------------------
          BUILTIN\Administrators
          Everyone
          BUILTIN\Users
          BUILTIN\Pre-Windows 2000 Compatible Access
          Windows Authorization Access Group
          NT AUTHORITY\NETWORK
          NT AUTHORITY\Authenticated Users
          This Organization
          computername$
          Domain Controllers
          NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS


          USER SETTINGS
          --------------
          CN=UserName,OU=OU,DC=domain,DC=com
          Last time Group Policy was applied: 12/19/2007 at 3:30:29 PM
          Group Policy was applied from: *****.****.com
          Group Policy slow link threshold: 500 kbps
          Domain Name: ****
          Domain Type: Windows 2000

          Applied Group Policy Objects
          -----------------------------
          N/A

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Default Domain Policy
          Filtering: Denied (Security)

          admin_gpo
          Filtering: Not Applied (Empty)

          Local Group Policy
          Filtering: Not Applied (Empty)

          The user is a part of the following security groups
          ---------------------------------------------------
          Domain Admins
          Everyone
          BUILTIN\Administrators
          BUILTIN\Users
          BUILTIN\Pre-Windows 2000 Compatible Access
          REMOTE INTERACTIVE LOGON
          NT AUTHORITY\INTERACTIVE
          NT AUTHORITY\Authenticated Users
          This Organization
          LOCAL
          GEMS Admin
          Enterprise Admins
          WSUS Administrators

          Thanks!



          • #6
            Re: GP Account Policies Not Enforced

            COMPUTER SETTINGS
            ------------------
            <DN>
            <Last time>
            <from>
            <threshold>
            <Domain Name>

            Domain Type: WindowsNT 4

            Applied Group Policy Objects
            -----------------------------
            Default Domain Controllers Policy

            The following GPOs were not applied because they were filtered out
            -------------------------------------------------------------------
            Default Domain Policy
            Filtering: Denied (Security)
            Well, what do you think of that!



            Open the Group Policy Management Console
            - Go to the Domain and select the Default Domain Policy
            - On the right pane, go to the Scope tab
            - In the 'Security Filter' section, there must be 'Authenticated Users' (by default this is the only object in the list)

            The DC is part of 'NT AUTHORITY\Authenticated Users' security group as you can see in the gpresult log

            - Next go to the Delegation tab
            - Verify that the Authenticated Users Allowed permission is "Read (from security filter)", inherited: No
            - Other entries in this section on the Delegation tab:
            Domain Admins (domain\...) - Edit settings, Delete, Modify security, inherited: No
            Enterprise Admins (domain\...) - Edit settings, Delete, Modify security, inherited: No
            ENTERPRISE DOMAIN CONTROLLERS - Read, inherited: No
            SYSTEM - Edit settings, Delete, Modify security, inherited: No


            \Rems



            EDIT -

            I see that you also have the 'Default Domain Controllers Policy' GPO. For the time being you can configure Password policies in this GPO.
            (There are people who even recommend using the 'Default Domain Controllers Policy' to configure the domain password policy)

            About the security filter for the Default Domain Policy:
            Someone posted to a forum on another site that just deleting all groups and users from the security sections and re-entering the objects back again helped.
            Last edited by Rems; 20th December 2007, 13:33.



            • #7
              Re: GP Account Policies Not Enforced

              In the security filter section of the GPO for Default Domain Policy I only have Domain Computers and Domain Users. I did not have Domain Admins so I added it. To be honest I don't know what I should have here.

              -- Posted this before reading your edited post. I'll let you know how it turns out!
              Last edited by Jason; 20th December 2007, 17:23.



              • #8
                Re: GP Account Policies Not Enforced

                On the Scope tab there only has to be one entry in the security filter section, that is the "Authenticated Users" security group.
                Next... On the 'Delegation tab' you can see the permission details, and in this section there are more entries.
                After you made changes to the GPO, run GPUPDATE on the Domain controllers.

                What Windows Server edition do you have?


                \Rems

                Originally posted by Jason:
                "Posted this before reading your edited post. I'll let you know how it turns out!"
                OK
                Last edited by Rems; 20th December 2007, 17:34.

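The check Rems walks through in posts #6 and #8 (Scope tab must grant "Authenticated Users" Read and Apply, then GPUPDATE on the DCs) can be scripted. The following is an added example, not code from this thread; it assumes the GroupPolicy PowerShell module (RSAT / Server 2008 R2 or later), which the Server 2003 systems discussed here do not have, and the function name is hypothetical.

```powershell
# Added example: audit a GPO's ACL the way GPMC's Delegation tab shows it, so a
# "Filtering: Denied (Security)" on a domain controller is caught before users
# find out the password policy is not being enforced.
# Assumes the GroupPolicy module (RSAT / Server 2008 R2+); not available on 2003.
Import-Module GroupPolicy

function Test-GpoAppliesToDomainControllers {
    param(
        [string]$GpoName = 'Default Domain Policy',
        # With -Remediate, restore the default "Authenticated Users: Apply" entry.
        [switch]$Remediate
    )

    # Groups that contain every domain controller. 'Domain Computers' is NOT
    # one of them: DCs are members of 'Domain Controllers' (see the group list
    # in the DC gpresult above), which is why a filter of only Domain Computers
    # and Domain Users (post #7) leaves the DC denied.
    $dcCovering = @('Authenticated Users', 'Domain Controllers',
                    'Enterprise Domain Controllers', 'Everyone')

    # -All returns every ACE (the full Delegation tab), not just the Scope
    # tab's security-filtering summary.
    $apply = Get-GPPermission -Name $GpoName -All |
             Where-Object { $_.Permission -eq 'GpoApply' }

    $covered = @($apply | Where-Object { $dcCovering -contains $_.Trustee.Name })
    $fixed   = $false

    if ($covered.Count -eq 0 -and $Remediate) {
        # Default GPO ACL: Authenticated Users may Read and Apply the GPO.
        Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoApply | Out-Null
        $fixed = $true
    }

    [pscustomobject]@{
        Gpo           = $GpoName
        ApplyTrustees = @($apply | ForEach-Object { $_.Trustee.Name })
        DcsCanApply   = ($covered.Count -gt 0) -or $fixed
        Remediated    = $fixed
    }
}

# Report only; add -Remediate to restore the Authenticated Users entry.
Test-GpoAppliesToDomainControllers | Format-List
```

After a change, run GPUPDATE on the domain controllers and confirm with gpresult that the Default Domain Policy no longer shows "Filtering: Denied (Security)", as post #8 describes.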


                • #9
                  Re: GP Account Policies Not Enforced

                  Running Server 2003 R2

                  All the changes have been made. I'm fairly certain that was the problem but I can't restart the server until tonight. Thanks!



                  • #10
                    Re: GP Account Policies Not Enforced

                    It worked! Thanks for all your help!
