Re: Domain - enforce password policy

From: "Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 May 2008 07:36:19 +0200

Howdie!

ITSWFL schrieb:

In Group Policy Management
Windows Server 2003 SP2
If i create a new GPO to do the following under computer configuration;
Enforce password history 3
Maximum password age 45
Minimum password age 30
Minimum password length 6
Password must meet complexity Enable

I place 1 domain user in that OU, why would this not force this user to change their password?

A Password Policy concerning the domain accounts of users needs to be linked on domain level. Only on domain level with the highest precedence (at the top of the list of all policies that have Password settings set) all users will get the Password Policy.

The way you linked the policy with Password settings -- to an OU - the local machine accounts will get the password policy (if computer accounts are in the OU, since those are Computer Configuration settings).

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
.

References:
- Domain - enforce password policy
  - From: ITSWFL

Prev by Date: Re: RSOP question - what policies are applied to a given machine at the moment?
Next by Date: Re: register file extension
Previous by thread: Domain - enforce password policy
Index(es):
- Date
- Thread

Relevant Pages

Re: Setting up Password policy
... You set your password policy for password age to be 180 days. ... If their password has been in effect for 90 days, the current password wil continue to be valid until 180 days then they will be required to change their password, incorporating all the settings of your new password policy. ... I want to set all the current ones to expire in 14 ... >> A password policy has to be linked to the domain level in domains ...
(microsoft.public.windows.group_policy)
Re: Sub OU Computer Config Settings Not Working
... You can only configure a password policy at domain level, except you change to server 2008 in FFL 2008. ... Otherwise any password policy on OU level will only have effect if the machine is not connected to the domain. ... be sub-OU's that have unique Computer Configuration settings for the ... password policy computer policy GP at the sub OU is that the sub OU ...
(microsoft.public.windows.group_policy)
Re: Override Default Domain Policy - how??
... If you are talking about a PRE-2008 domain, then you have one password policy on DOMAIN level. ... If you just will remove the complexity part you have to set it under computer configuration, that's the place where the password policy has to be set, nowhere else. ...
(microsoft.public.windows.server.general)
Re: To those who designed Group Policy in Active Directory
... > policy(applied at domain level) and the strict password policy (applied to ... > the OU) were applying to that computer account. ...
(microsoft.public.windows.server.active_directory)
Re: Where to set the domain password policy up?
... Account Policies applied to Domain Controllers apply to all accounts stored on domain controllers - that is, to all domain accounts in that domain! ... I'd say apply at the domain level still - to have consistent policy for domain accounts in the domain as well as for local accounts on all computers in that domain. ... > Is it better to set a domain password policy up at the domain node level ...
(microsoft.public.windows.server.active_directory)