Ok. I have implemented a Password Policy. I know from previous posts that it cannot be applied from within an OU so I have configured it from the Default Domain Policy. I run RSOP.msc from a client machine and the policy settings are displayed with the Source GPO "Default Domain Policy." So it appears that it is working, but it's not. For example, I have a complexity requirement, but it accepts the password "a." It also allows me to change my password within Windows Security while the setting is "Minimum password age" of 89 days. Clearly the policy is not actually being applied!
What to do?
RSOP results for XXXX\XXXX on XXXXX-XXXXX: Logging Mode
----------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: XXXXXX
Domain Type: Windows 2000
Site Name: XXXXXX
Roaming Profile:
Local Profile: C:\Documents and Settings\XXXXX
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=XXXXXXXXX,OU=UserComputers,DC=corp,DC=XXXXX,DC=com
Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
Group Policy was applied from: tfs.corp.emergingmed.com
Group Policy slow link threshold: 0 kbps
Applied Group Policy Objects
-----------------------------
Published Software
Copy of Base
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
SQLServerMSSQLServerADHelperUser$XXXXX
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
XXXXXXX$
Domain Computers
People
USER SETTINGS
--------------
CN=XXXXXX,OU=Employees,DC=corp,DC=XXXX,DC=com
Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
Group Policy was applied from: tfs.corp.XXXXX.com
Group Policy slow link threshold: 0 kbps
Applied Group Policy Objects
-----------------------------
Published Software
Startup Scripts
Copy of Base
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
Remote Desktop Users
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Best Answer
The password policy should be applied to the OU of the servers where the account database is. If you are trying to control the password on the active directory this means your policy should be applied to Domain Controllers OU. If you have inheritance blocked on your Domain Controllers OU, then modifying the Default Domain policy which is linked at the root by default will not do what you want.
By setting the policy at the default domain level you are probably controlling the password policy of your workstation. By this I mean the local accounts on your workstations would have now have the password requirements. Try creating a local account and setting a password.
This is partly relates to the same reason why you cannot have more then one password policy in a pre Windows 2008 domain. The policy must be applied to all the Domain Controllers, so there is no way to distinguish between different users/computers.
Even with the fine-grained policies in 2008 you cannot simply use a group policy, you have to setup special attributes in LDAP to have different objects target different password policies.