Question : Domain Password policy did not apply on workstation

Hi All,

I have made some changes to the Default Domain Policy. I have change the password policy for the min password from 5 to 24 and password complexity from disable to enable. When I try to change the password at the workstation, it promt me the old min password length of 5 and I can change the password without the complexity. When i check the local policy, it shows that the effective settings was the min password 24 and password complexity enable. I also did the gpresult and it shows me that the Default Domain Policay was applied.

Pri DC - Win2k Server
Sec Dc - Win2k Server
Workstations - Win2k Pro
You expert comments is greatly needed.

Answer : Domain Password policy did not apply on workstation

Sorry, but I see the need to summarize the facts that I already stated, and some more for clarity:
1. There can only be one password policy per domain.
2. The (domain) password policy has to be linked to the domain root.
3. The password policy has to be applied to the domain controllers.
4. The password policy does not require a reboot of the domain controllers.
5. The default interval between re-applying the GPOs to a DC is five minutes, so even without gpupdate, a changed password policy will be in effect at the latest after this time.
6. The client on which the password is changed is of absolutely no importance. Reboot, gpresult or gpupdate of a client has no effect whatsoever on whether the domain password is accepted or not.
7. Password policies applied to domain members (that you see when running gpresult on a client) only apply to local accounts on those domain members, not to domain accounts.

So make sure that the points 1-3 are covered.
If you've changed the Default Domain Policy, and the password policy is still not applied, it can only be that
* the default domain policy has been deactivated or is not linked to the domain root
* inheritance of the default domain policy is blocked for the domain controllers OU, or the application of the default domain policy is prevented by security settings in the GPO
* another GPO with a higher priority is linked to the domain root and has password policies defined
* the application of GPOs to the domain controllers is prevented by general problems

So to troubleshoot, again my suggestion from above: create a new GPO named Password Policy or whatever, linked directly to the domain root (NOT the DC OU!), make sure it has the highest priority of the GPOs linked to the domain root, and configure the password policy there.
If you're impatient, run gpupdate on the domain controllers (again: don't bother with the client), then try the password change again.

Random Solutions

URGENT: Need help parsing string for several numeric values SQL database columns

New DC Server 2008 Lots of Traffic

displaying fields total amount in textbox on form

need to convert the following from asp to asp.net

grabbing text from a string after a logic

Problem with "shutdown" DOS command

Data Loss & Recovery - FAT 16 - NTFS 160GB USB drive. Possible bad MBR or Partition Table

Using COMAdmin to create a COM+ application running under an identity of "Network Service"

Using IF in SQL SELECT

How to deal with binary data types in access