Sign in with
Sign up | Sign in
Your question

GPOs for Local Password Policies

Last response: in Windows 2000/NT
Share
Anonymous
November 3, 2004 1:20:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

A GPO query for Windows 2000 AD, XP & 2000 workstations.

I have a default domain GPO defining "Passwords must meet complexity
requirements", and several other settings with No Overrride set. This
is to update local policy settings on domain workstations. I have a
small collection of PCs that should not have password complexity set -
I thought that the way to acheive this would be to apply a Deny to the
Default Domain GPO with a group I added the computers to, and create a
second copy GPO which contained all settings except password
complexity requirements and only permission this to the computer group
..... so far so good ...

The problem I have in the lab is that the updates dont appear to be
working. If I reset the policy on the DC, and then run gpupdate /force
and then gpresult /z I dont see the updates on the workstations.
I have disabled slow link detection and tried removing and adding a
workstation back to the domain - even renaming / adding new GPOs but
the machine seems to stick with the policy its domwnloaded even an
hour ago - if I rename the GPO, gpresult still shows the old name an
hour later. I've enven rebooted the DC & the workstation, but I seem
to get unpredicable results.

Does anyone have any suggestions or a link to a good doc on GPOs.

Thanks in Advance
Anonymous
November 3, 2004 3:09:27 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Account policies are one to a domain. The reason being if there are
resources on a domain that are sensitive enough to require complex
passwords, setting anything short of all accounts to meet this requirement
amounts to creating a security hole.Why waste time trying to brute force a
complex password when you can brute force a simple password on the same
domain?

Differing account policies is a major reason for creating another domain.

hth
DDS W 2k MVP MCSE

"Stephen Chapman" <sbchapman@yahoo.com> wrote in message
news:8c0a862a.0411031020.162f67f3@posting.google.com...
> A GPO query for Windows 2000 AD, XP & 2000 workstations.
>
> I have a default domain GPO defining "Passwords must meet complexity
> requirements", and several other settings with No Overrride set. This
> is to update local policy settings on domain workstations. I have a
> small collection of PCs that should not have password complexity set -
> I thought that the way to acheive this would be to apply a Deny to the
> Default Domain GPO with a group I added the computers to, and create a
> second copy GPO which contained all settings except password
> complexity requirements and only permission this to the computer group
> .... so far so good ...
>
> The problem I have in the lab is that the updates dont appear to be
> working. If I reset the policy on the DC, and then run gpupdate /force
> and then gpresult /z I dont see the updates on the workstations.
> I have disabled slow link detection and tried removing and adding a
> workstation back to the domain - even renaming / adding new GPOs but
> the machine seems to stick with the policy its domwnloaded even an
> hour ago - if I rename the GPO, gpresult still shows the old name an
> hour later. I've enven rebooted the DC & the workstation, but I seem
> to get unpredicable results.
>
> Does anyone have any suggestions or a link to a good doc on GPOs.
>
> Thanks in Advance
Anonymous
November 4, 2004 3:05:11 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks, I'd forgotten (long time ago since the account policy was set)
that account polices can only be applied to the domain, and not at GPO
& Sites.

http://www.microsoft.com/resources/documentation/Window...

Look like another domain is the only solution
!