Somebody else just pointed that out to me, too.
[banging head against wall] Thanks to both of you. I remember this now - not specific to this case but there were a few things that can only be done on a domain level. duh - stupid me [/banging head against wall]
Thanks.
Christoph
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, May 25, 2004 11:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird AD GPO problem
That's not weird - that's by design.
Password related policies are domain specific. It's one of the few really good reasons to have a separate domain.
--------------------------------------------------------------
Roger D. Seielstad -
MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
From: Puetz, Christoph [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 25, 2004 1:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Weird AD GPO problem

Yes, that is correct. The Default domain policy still applies - even if I change the password length setting to non-defined.

Here is what I did now:

New OU - I blocked inheritance. Then applied a new GPO with password specific settings (Password length = 12, maximum age, minimum age, etc.). The default domain policy had 8 characters for the password length but now got changed to non-defined.

I moved a user and a machine into that new, clean OU and logged on. The user receives the 8 character password requirement from the default domain GPO but all the other settings from the new GPO.

A GPResult shows only the new GPO and the local GPO applied - not the default domain GPO though. The local GPO has never been modified and is clean.

Christoph
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, May 25, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird AD GPO problem

Christoph-

Are you saying that the password policy is still applying to domain users or to user accounts on the local SAMs of your workstations? If the latter, when you bring up gpedit.msc on a client, what does the local GPO show for its password policy and where is it getting its effective policy? You might also check the application event logs on your clients to see if you're getting any SCECLI errors, which would indicate a problem processing security policy. Also, use GPOTool.exe to make sure the Default Domain GPO is healthy.

Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Puetz, Christoph
Sent: Tuesday, May 25, 2004 7:39 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Weird AD GPO problem

We're dealing with a really weird GPO problem. The password policy got changed in the default domain GPO. This was not supposed to happen and the changes have been reversed due to problems with some clients and 3rd party software.

However - even with forcing replication and forcing gpupdate on the clients, numerous reboots - the settings still apply to the clients.

Any idea what is holding on to the wrong GPO settings and how that can be cleared out?

Windows 2000 AD Domain - mixed mode.

I also refreshed the policy on the DCs:

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

Christoph
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
