Yes, that is correct. The Default domain policy still
applies - even if I change the password length setting to
non-defined.
Here's what I did now:
New OU - I blocked inheritance. Then applied a new GPO with
password specific settings (Password length = 12, maximum age, minimum age,
etc.). The default domain policy had 8 characters for the password length but
now got changed to non-defined.
I moved a user and a machine into that new, clean OU and
logged on. The user receives the 8 character password requirement from the default
domain GPO but all the other settings from the new GPO.
A GPResult shows only the new GPO and the local GPO
applied - not the default domain GPO though. The local GPO has never been
modified and is clean.
Christoph
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, May 25, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird AD GPO problem
Christoph-
Are you saying that the password policy is still applying
to domain users or to user accounts on the local SAMs of your workstations? If
the latter, when you bring up gpedit.msc on a client, what does the local GPO
show for its password policy and where is it getting its effective policy? You
might also check the application event logs on your clients to see if you're
getting any SCECLI errors, which would indicate a problem processing security
policy. Also, use GPOTool.exe to make sure the Default Domain GPO is
healthy.
Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph
Sent: Tuesday, May 25, 2004 7:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Weird AD GPO problem
We're dealing with a really weird GPO problem. The password policy got changed
in the default domain GPO. This was not supposed to happen and the changes have
been reversed due to problems with some clients and 3rd party software.
However - even with forcing replication and forcing gpupdate on the clients,
numerous reboots - the settings still apply to the clients.
Any idea what is holding on to the wrong GPO settings and how that can be
cleared out?
Windows 2000 AD Domain - mixed mode.
I also refreshed the policy on the DCs:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce
Christoph
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
