Re: Problems testiing GPO for password complexity on OU before changing default domain policy

From: Tim Hines [MSFT] (timhines_at_online.microsoft.com)
Date: 02/20/04 

Date: Fri, 20 Feb 2004 00:00:50 -0500

Account policies are only read at the domain level and you can only have one
password policy per domain. Any policies applied at the OU level will only
apply to the local machine account policy.

See the following for more info

255550 Configuring Account Policies in Active Directory
http://support.microsoft.com/?id=255550

221930 Domain Security Policy in Windows 2000
http://support.microsoft.com/?id=221930 

-- 
-- 
Tim Hines, MCSE, MCSA
 Windows 2000 Directory Services
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
"Kirk H." <anonymous@discussions.microsoft.com> wrote in message
news:B156325A-D970-4507-AB1C-0A6196DDA7A1@microsoft.com...
> I have a Win2k AD domain in native mode and want to test password
complexity on an OU before applying to the entire domain.  The complex
password policy is applied  when I logon to the local machine but not when I
logon with a domain user which is a member of the OU and security group
within that OU.  The machine account is also a member of the OU and the
security group I created.  How can I apply the policy to the domain account?
BTW machine is Win2k Pro.
>
> Thanks in advance,
>
> Kirk H.
>

Relevant Pages

  • Re: Password Policy for remote users
    ... There is only one password policy per domain or per machine. ... accounts, and this or the highest priority GPO setting account policies ... Change remote users passowrd to more complex. ...
    (microsoft.public.security)
  • Re: 2003 Domain Password Policy with NT 4.0 Workstations
    ... The only way to exclude users from adhering to the domain password policy is ... > running Windows NT 4.0, so would the following scenario work? ... Modify the Default Domain Policy and remove the Account ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain Admin account and lockout Policy
    ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
    (microsoft.public.windows.group_policy)
  • Re: Domain Admin account and lockout Policy
    ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
    (microsoft.public.windows.group_policy)
  • RE: Account Lockout Policy
    ... he didn't say that the policy would be *linked* at ... the Domain Controllers OU, just that the domain password policy would apply ... the Domain Controllers OU will still use the password policy that is defined ... they still utilize the domain-level account settings, because, again, the ...
    (Focus-Microsoft)