GPO security settings not applied

Guest
Archived from groups: microsoft.public.win2000.group_policy

Hi,

I have the following OU & GPO structure:

Domain - Default Domain GPO
|_ Company - Company GPO
   |_ Head Office
   |  |_ IT - IT GPO - Enforced - Block Inheritance
   |  |_ Finance
   |  |_ Marketing
   |  |_ etc...
   |_ Branch 1
   |_ Branch 2
   |_ etc...

Default domain GPO has been left as installed.

I have set some security options in the Company GPO. (Password length,
expiry, time before change allowed, etc.)

I have blocked inheritance on the IT OU and created a GPO for the IT OU that
has some security options (password never expires, no minimum time on
password, etc)

My user and computer are both in the IT OU, however when I try to change my
password it appears as if I have the password related settings from the
Company GPO. User settings in the IT GPO (ex. IE settings) etc are applied
correctly.

Any ideas?

Thank you very much

Henri Visser, MCSE 2000
 
Guest

"Henri Visser" wrote:
> Hi,
>
> I have the following OU & GPO structure:
>
> Domain - Default Domain GPO
> |_ Company - Company GPO
>    |_ Head Office
>    |  |_ IT - IT GPO - Enforced - Block Inheritance
>    |  |_ Finance
>    |  |_ Marketing
>    |  |_ etc...
>    |_ Branch 1
>    |_ Branch 2
>    |_ etc...
>
> Default domain GPO has been left as installed.
>
> I have set some security options in the Company GPO. (Password
> length,
> expiry, time before change allowed, etc.)
>
> I have blocked inheritance on the IT OU and created a GPO for
> the IT OU that
> has some security options (password never expires, no minimum
> time on
> password, etc)
>
> My user and computer are both in the IT OU, however when I try
> to change my
> password it appears as if I have the password related settings
> from the
> Company GPO. User settings in the IT GPO (ex. IE settings) etc
> are applied
> correctly.
>
> Any ideas?
>
> Thank you very much
>
> Henri Visser, MCSE 2000

Hi,

Security Settings like Password length etc need to be set at the
Domain Level to be applied. That is what the MS documentation says. It
is not something you can set at the lower OU’s.

That is by design. I haven’t found a way around it yet.

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-GPO-security-settings-applied-ftopict265797.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=832195
 
Guest

Lara,

I promise that I am not following you!

The Password Policy is indeed set at the Domain - level. I like to use the
Domain Security Policy to set this. You can do this in the Default Domain
Policy if you like.....

However, you can indeed set a password policy at the OU - level! Please
note that this would be set on an OU in which computer account objects
directly reside and would affect only local user accounts ( note: not domain
user account objects! ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:42139e9f$1_5@alt.athenanews.com...
> "Henri Visser" wrote:
> > Hi,
> >
> > I have the following OU & GPO structure:
> >
> > Domain - Default Domain GPO
> > |_ Company - Company GPO
> >    |_ Head Office
> >    |  |_ IT - IT GPO - Enforced - Block Inheritance
> >    |  |_ Finance
> >    |  |_ Marketing
> >    |  |_ etc...
> >    |_ Branch 1
> >    |_ Branch 2
> >    |_ etc...
> >
> > Default domain GPO has been left as installed.
> >
> > I have set some security options in the Company GPO. (Password
> > length,
> > expiry, time before change allowed, etc.)
> >
> > I have blocked inheritance on the IT OU and created a GPO for
> > the IT OU that
> > has some security options (password never expires, no minimum
> > time on
> > password, etc)
> >
> > My user and computer are both in the IT OU, however when I try
> > to change my
> > password it appears as if I have the password related settings
> > from the
> > Company GPO. User settings in the IT GPO (ex. IE settings) etc
> > are applied
> > correctly.
> >
> > Any ideas?
> >
> > Thank you very much
> >
> > Henri Visser, MCSE 2000
>
> Hi,
>
> Security Settings like Password length etc need to be set at the
> Domain Level to be applied. That is what the MS documentation says. It
> is not something you can set at the lower OU's.
>
> That is by design. I haven't found a way around it yet.
>
> Cheers,
>
> Lara
 
Guest

So, what can I do to stop certain users (for example: IT, Directors) from
having the more restrictive security settings that the general domain users
have? Would I have to create an OU above the GPO with the general password
policy?

Thanks

Henri Visser



"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:uWUZamJFFHA.1836@tk2msftngp13.phx.gbl...
> Lara,
>
> I promise that I am not following you!
>
> The Password Policy is indeed set at the Domain - level. I like to use
> the Domain Security Policy to set this. You can do this in the Default
> Domain Policy if you like.....
>
> However, you can indeed set a password policy at the OU - level! Please
> note that this would be set on an OU in which computer account objects
> directly reside and would affect only local user accounts ( note: not
> domain user account objects! ).
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> news:42139e9f$1_5@alt.athenanews.com...
>> "Henri Visser" wrote:
>> > Hi,
>> >
>> > I have the following OU & GPO structure:
>> >
>> > Domain - Default Domain GPO
>> > |_ Company - Company GPO
>> >    |_ Head Office
>> >    |  |_ IT - IT GPO - Enforced - Block Inheritance
>> >    |  |_ Finance
>> >    |  |_ Marketing
>> >    |  |_ etc...
>> >    |_ Branch 1
>> >    |_ Branch 2
>> >    |_ etc...
>> >
>> > Default domain GPO has been left as installed.
>> >
>> > I have set some security options in the Company GPO. (Password
>> > length,
>> > expiry, time before change allowed, etc.)
>> >
>> > I have blocked inheritance on the IT OU and created a GPO for
>> > the IT OU that
>> > has some security options (password never expires, no minimum
>> > time on
>> > password, etc)
>> >
>> > My user and computer are both in the IT OU, however when I try
>> > to change my
>> > password it appears as if I have the password related settings
>> > from the
>> > Company GPO. User settings in the IT GPO (ex. IE settings) etc
>> > are applied
>> > correctly.
>> >
>> > Any ideas?
>> >
>> > Thank you very much
>> >
>> > Henri Visser, MCSE 2000
>>
>> Hi,
>>
>> Security Settings like Password length etc need to be set at the
>> Domain Level to be applied. That is what the MS documentation says. It
>> is not something you can set at the lower OU's.
>>
>> That is by design. I haven't found a way around it yet.
>>
>> Cheers,
>>
>> Lara
>
>
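Added example, not part of any post in this thread: a way to see the split Cary describes, by comparing the password policy that domain accounts are held to with the policy a member computer applies to its local accounts (the one an OU-linked GPO can change). It assumes an elevated PowerShell prompt on a domain-joined machine with the ActiveDirectory module (RSAT) installed; the temp file name is arbitrary.

```powershell
# Added example. Assumes: elevated prompt, domain-joined machine, RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LocalPasswordPolicy {
    # Export the computer's effective local security policy and read the
    # [System Access] section, which holds the account policy values.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # arbitrary temp file name
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

$local  = Get-LocalPasswordPolicy            # applies to local (SAM) accounts on this computer
$domain = Get-ADDefaultDomainPasswordPolicy  # applies to domain user accounts

# secedit reports ages in days and writes -1 for "never expires".
@(
    [pscustomobject]@{ Setting = 'Minimum length';  Domain = $domain.MinPasswordLength
                       Local   = $local['MinimumPasswordLength'] }
    [pscustomobject]@{ Setting = 'Max age (days)';  Domain = $domain.MaxPasswordAge.Days
                       Local   = $local['MaximumPasswordAge'] }
    [pscustomobject]@{ Setting = 'Min age (days)';  Domain = $domain.MinPasswordAge.Days
                       Local   = $local['MinimumPasswordAge'] }
    [pscustomobject]@{ Setting = 'History size';    Domain = $domain.PasswordHistoryCount
                       Local   = $local['PasswordHistorySize'] }
    [pscustomobject]@{ Setting = 'Complexity';      Domain = [int]$domain.ComplexityEnabled
                       Local   = $local['PasswordComplexity'] }
) | Format-Table -AutoSize
```

Run on a computer in an OU that has its own password settings, the Local column shows the OU GPO's values while the Domain column still shows the domain-level policy that governs domain accounts at password change.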