RE: Local Security Overriding GP?

From: Gautam_at_Directory Services (Gautam_at_Directory)
Date: 06/21/04

Next message: anonymous_at_discussions.microsoft.com: "kerberos login"
Previous message: Alberto Brivio: "1 logon per usename ?"
In reply to: Ben Blackmore: "Local Security Overriding GP?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 21 Jun 2004 04:54:02 -0700

Just a couple of quick questions here
1. You set your password policy on the Default Domain policy right? As AD is desinged the password policy should be set only at Default Domain Policy

2. Are the offending machines only the XP machines. On the XP box you could do a gpupdate /force from the command line and check for a 1704 event id in the applog.

3. If you were to slightly alter the Password Pol slightly to say require atleast 6 chars and then reboot the xp box , and on logon check the local policy on xp if the effective string has been infact modified.

-- 
Gautam Anand
MCSE
"Ben Blackmore" wrote:
> Hi,
> 
> I'm having a problem with security on some of our PCs. Most work ok, but a
> few seem to have their local default security settings overriding our group
> policy settings.
> In our GP under computer configuration we've set password history to 5,
> length to 6, and complexity to enable. However some users have been able to
> enter passwords of less than 6 charactors, some even blank.
> If you open the local security settings on the offending machines, there is
> 'local setting' and 'effective setting' effective settings are set to the GP
> settings, so it appears the policy is being enforced. But local settings are
> set to password history 0, password length 0 and complexity disabled (all
> the defaults). I thought effective setting was what is actually being
> enforced on the computer, why can users still have blank passwords, when
> effective settings say it has to be 6 or more?
> 
> We're using Win2k Pro clients, logging onto a Win2k server domain & AD, all
> with SP4
> 
> Ben
> 
> 
>

Next message: anonymous_at_discussions.microsoft.com: "kerberos login"
Previous message: Alberto Brivio: "1 logon per usename ?"
In reply to: Ben Blackmore: "Local Security Overriding GP?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: scripted logon
... Why can't you launch all the scripts from a Group Policy based Logon script. ... Here's the policy settings (I sure hope word wrap doesn't mess it up too ... Windows Components/Windows Installer ...
(microsoft.public.windows.terminal_services)
Re: GPO Update Problem (SYSVOL access via UNC)
... Server Security and Auditing Policy ... This list only includes links in the domain of the GPO. ... The settings in this GPO can only apply to the following groups, users, ...
(microsoft.public.win2000.group_policy)
Re: GPO Update Problem (SYSVOL access via UNC)
... > Server Security and Auditing Policy ... > This list only includes links in the domain of the GPO. ... > The settings in this GPO can only apply to the following groups, users, ...
(microsoft.public.win2000.group_policy)
Re: GPO Update Problem (SYSVOL access via UNC)
... >> Server Security and Auditing Policy ... >> The settings in this GPO can only apply to the following groups, users, ... >> Windows Firewall: Allow file and printer sharing exception Enabled ...
(microsoft.public.win2000.group_policy)
Re: GP settings questions?
... I made a domain policy and all settings took ... Administering Group Policy by Using the Group Policy ... This newsgroup only focuses on SBS technical issues. ... you may want to contact Microsoft CSS directly. ...
(microsoft.public.windows.server.sbs)