Password policy

Archived from groups: microsoft.public.win2000.security (More info?)

That is because you have to configure password/account policy for ALL domain users in
the domain container which by default would be Domain Security Policy. It will be
ignored at any other level except for local accounts on computers that the policy is
in effect on. Block inheritance will not work either as a workaround to setting
account policy at the domain level and if you implement block inheritance on the
domain controller container you may not be able to change domain password/account
policy until you disable it. --- Steve


"dsluther@nptc.com" <dsluther@nptc.com@discussions.microsoft.com> wrote in message
news:85F16143-F683-4707-8A36-C4EB762DBB3D@microsoft.com...
> I setup a password policy in the default domain controller policy under the domain
controllers OU and then set each individual account password to expire. Also
configured is password min character lentgh is 5 characters and password history = 3.
I also am allowing users to change there password immediately. I also have set
password expires in 1 day for test purposes. Last, I have disable CTRL ALT DEL when
logging on. When users boot up there pc's they do not have to hit the CTRL ALT DEL
keys to logon and they get the message that their passwords expired. The users
however are able to change their passwords to less than 5 charaters and they can
reset their password after changing it back to the original password. Last, the next
time users boot their pc's after a day or so they are not prompted with the password
expired again. Security permissions for these users is set to Apply and Read Group
Policy. Why is the default domain controller policy ignoring minimum characters
length, etc... Any help would be appreciated.