GPOs for Local Password Policies

Archived from groups: microsoft.public.win2000.group_policy (More info?)

A GPO query for Windows 2000 AD, XP & 2000 workstations.

I have a default domain GPO defining "Passwords must meet complexity
requirements", and several other settings with No Overrride set. This
is to update local policy settings on domain workstations. I have a
small collection of PCs that should not have password complexity set -
I thought that the way to acheive this would be to apply a Deny to the
Default Domain GPO with a group I added the computers to, and create a
second copy GPO which contained all settings except password
complexity requirements and only permission this to the computer group
..... so far so good ...

The problem I have in the lab is that the updates dont appear to be
working. If I reset the policy on the DC, and then run gpupdate /force
and then gpresult /z I dont see the updates on the workstations.
I have disabled slow link detection and tried removing and adding a
workstation back to the domain - even renaming / adding new GPOs but
the machine seems to stick with the policy its domwnloaded even an
hour ago - if I rename the GPO, gpresult still shows the old name an
hour later. I've enven rebooted the DC & the workstation, but I seem
to get unpredicable results.

Does anyone have any suggestions or a link to a good doc on GPOs.

Thanks in Advance
2 answers Last reply
More about gpos local password policies
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Account policies are one to a domain. The reason being if there are
    resources on a domain that are sensitive enough to require complex
    passwords, setting anything short of all accounts to meet this requirement
    amounts to creating a security hole.Why waste time trying to brute force a
    complex password when you can brute force a simple password on the same
    domain?

    Differing account policies is a major reason for creating another domain.

    hth
    DDS W 2k MVP MCSE

    "Stephen Chapman" <sbchapman@yahoo.com> wrote in message
    news:8c0a862a.0411031020.162f67f3@posting.google.com...
    > A GPO query for Windows 2000 AD, XP & 2000 workstations.
    >
    > I have a default domain GPO defining "Passwords must meet complexity
    > requirements", and several other settings with No Overrride set. This
    > is to update local policy settings on domain workstations. I have a
    > small collection of PCs that should not have password complexity set -
    > I thought that the way to acheive this would be to apply a Deny to the
    > Default Domain GPO with a group I added the computers to, and create a
    > second copy GPO which contained all settings except password
    > complexity requirements and only permission this to the computer group
    > .... so far so good ...
    >
    > The problem I have in the lab is that the updates dont appear to be
    > working. If I reset the policy on the DC, and then run gpupdate /force
    > and then gpresult /z I dont see the updates on the workstations.
    > I have disabled slow link detection and tried removing and adding a
    > workstation back to the domain - even renaming / adding new GPOs but
    > the machine seems to stick with the policy its domwnloaded even an
    > hour ago - if I rename the GPO, gpresult still shows the old name an
    > hour later. I've enven rebooted the DC & the workstation, but I seem
    > to get unpredicable results.
    >
    > Does anyone have any suggestions or a link to a good doc on GPOs.
    >
    > Thanks in Advance
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks, I'd forgotten (long time ago since the account policy was set)
    that account polices can only be applied to the domain, and not at GPO
    & Sites.

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebg_dsp_hlsf.asp

    Look like another domain is the only solution
Ask a new question

Read More

Policy Domain Workstations Windows