RE: GPO replication problem




Hello Ilya,

1. From your description, you want to restrict users to use a password that
has strings from dictionaries. Unfortunately, you can only configure the
password length, history and complexity requirements in the default Group
Policy password policy. There is not a built-in feature included to prevent
users from using a password that has strings according to dictionaries.

If you want to use customized password policy, you need to write a Password
Filter DLL to implement your requirement. Then add the customized Password
Filter in the following key on all the domain controllers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

Note: Do not overwrite the existing values, and do not include the .dll
extension.

For your information, you may refer to the following documents:
A sample is available after you install the Platform SDK under
Samples\Security\PasswordFilters\Passfilt.
Sample Password Filter
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/sample_password_filter.asp

Password Filter Programming Considerations
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/password_filter_programming_considerations.asp

Installing and Registering a Password Filter DLL
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/installing_and_registering_a_password_filter_dll.asp

If you need further assistance, since it appears that this is a
development-related request, it would be best addressed in the
developer newsgroups. The developer newsgroups are located at:
http://msdn.microsoft.com/newsgroups/default.asp


2. Yes, when you enable policy settings in the GPO--->Computer
configuration, it should be applied no matter which user logs onto the computer
as long as the computer account is contained in that OU. Please verify
whether the computer configuration group policy settings are properly
applied onto the desktop workstations and laptops with the steps below:


a) On a desktop workstation (laptop), run "gpupdate /force" to reapply
the group policies. Then run "gpresult /v" to check whether shutdown by
regular users, disable standby/hibernation, allow only monitor sleep, and
disable all firewalls (for Laptops, enable public firewall) settings are
applied successfully in the computer configuration.

b) You also can use the GPMC to further troubleshoot the issue. On the
Windows Server 2003 server that has the GPMC console installed, login to
the domain with administrator account. You can use the GPMC (group policy
management console) to collect the group policy result data:
- On the server that has GPMC installed, login to the domain with
administrator account.
- In the GPMC, process the Group Policy Result wizard to collect the data
of RSOP.
i) Right click Group Policy Results---> Group Policy Results Wizard...
ii) Choose Another computer to point to a laptop that did not receive the
policy.

iii) Select a problematic user and click next.

In the Summary tab--->User Configuration Summary--->Group Policy
Objects--->Applied GPOs, verify the GPO that is linked to the proper OU is
properly applied.

In the Settings tab---> User Configuration, check whether the computer
policy settings (for desktop workstations shutdown by regular users,
disable standby/hibernation, allow only monitor sleep, and disable all
firewalls and for Laptops enable public firewall) are listed.

You also can export the Group Policy Result report and send to me
(tfwst@xxxxxxxxxxxxx) for our further investigations. Please generate a
GPMC result for a laptop and a desktop computer that have problems.

If you have any questions or concerns, please do not hesitate to let me
know.


Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
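
The dictionary check that a Password Filter DLL like the one described in point 1 could run on the candidate password, as an added example that is not part of the original post or the Platform SDK sample. The names ustr_t, DICTIONARY, password_allowed and check_sample are hypothetical, and ustr_t is a portable stand-in for UNICODE_STRING so that the logic compiles outside Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Windows UNICODE_STRING (assumption: portable mirror, not the SDK type).
   Length is in BYTES and Buffer is not guaranteed to be NUL-terminated. */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } ustr_t;

/* Constructed sample word list, lowercase ASCII. */
static const char *const DICTIONARY[] = { "password", "welcome", "qwerty", "letmein" };

/* Fold ASCII A-Z to lowercase; other UTF-16 code units pass through unchanged. */
static uint16_t fold(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* 1 if the lowercase ASCII word occurs anywhere in the counted UTF-16 string. */
static int contains_word(const ustr_t *pw, const char *word) {
    size_t n = pw->Length / sizeof(uint16_t), m = 0;
    while (word[m]) m++;
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && fold(pw->Buffer[i + j]) == (unsigned char)word[j]) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* 1 = accept, 0 = reject (the shape of the BOOLEAN a filter returns). */
int password_allowed(const ustr_t *pw) {
    if (pw == NULL || pw->Buffer == NULL) return 0;   /* fail closed */
    for (size_t k = 0; k < sizeof DICTIONARY / sizeof DICTIONARY[0]; k++)
        if (contains_word(pw, DICTIONARY[k])) return 0;
    return 1;
}

/* Hypothetical demo helper: widen a constructed ASCII sample, no terminator stored. */
int check_sample(const char *ascii) {
    uint16_t buf[64];
    size_t n = 0;
    while (n < 64 && ascii[n]) { buf[n] = (unsigned char)ascii[n]; n++; }
    ustr_t pw = { (uint16_t)(n * 2), (uint16_t)sizeof buf, buf };
    return password_allowed(&pw);
}

int main(void) {
    printf("%d %d\n", check_sample("SummerPassWord1"), check_sample("T7#vk2!mZq"));
    return 0;
}
```

The match is bounded by Length rather than by a terminator because the password buffer is a counted string.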
