RE: [ActiveDir] GPO for entire domain

[Dave Kinnamon]

Just did this two weeks ago ...     Justin is right about the password expiration.  You have to force users to 'change at next logon' or let their password expire to have them use the new requirements.  This top policy in the GP window for the OU has the highest priority and is processed last.  GPs lower on the list can be overwritten unless 'No Override' or 'Block Policy' is used.  This paper will answer your general GP questions and questions on policy refresh intervals http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp   GP isn't really pushed to objects en mass, but is rather applied at startup or logon.  There are configurable refresh intervals, but you can also force policy refreshes at the command line - http://support.microsoft.com/default.aspx?scid=kb;en-us;Q227302   As for the password age, LDIFDE can export this but it will be messy unless you know the exact object you need.  I use a .dll I got from a MS support tech that adds an extra tab to a users profile.  The tab has a bunch of password, SID, GUID-specific stuff that is quite useful.   Be aware of the specifics regarding 'password complexity' if this is in your future  - I got caught on this  http://support.microsoft.com/default.aspx?scid=kb;en-us;279890     Dave       -----Original Message----- From: Barber, Thomas [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 7:36 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO for entire domain   First, a bit of background.   After much explanation and politics, we have finally decided to institute some password policies for the campus.  Our machines currently reside in a single, native mode Active Directory domain.   I have created a domain-level password policy with the following items set:   Enforce Password history: 3 passwords remembered Max Password age: 182 days Min Password age: 1 days Min password length: 4 characters   (I know these are poor security settings, but it's a start.)     The other two settings are undefined.   After setting this up, I now have four domain policies.   I am not seeing the "general chaos" I thought I would when the policy went into effect.    Questions:   In what order are the four domain policies applied?  The password policy is the second policy in my list, with no other policies defining those password settings.   Is there something else I need to do to "kick start" the policy?   There are plenty of users with passwords they have had for years.  Does a password policy start the clock "ticking" when the policy is first implemented?  Will these users be allowed to keep their current policy for another 182 days before requiring them to change it?     Is there any way to check to see if the policy is working?  Also, is there any way to the password age of an account?       -Tom Barber Systems Manager