1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Active Directory - Policy being applied even though not linked to OU

Discussion in 'Software' started by GSteer, Feb 8, 2011.

  1. GSteer

    GSteer Megabyte Poster

    627
    31
    109
    Afternoon All,

    Got an odd bug here, wondered if anyone had had anything similar in the past - it's more of an ongoing annoyance as it doesn't really stop them working.

    Server/Domain:

    Windows Server 2008 R2 DC x2, Domain @ Windows Server 2003 Functional Level

    The Situation:

    We have a client with multiple physical locations, these are mapped to OU's at the top level, ie

    Domain.local

    -> Location 1

    -> Location 2

    -> Location 3

    • A Users OU under Location 3 has a GP linked that sets it's password policy, this has a Minimum Age value set at 1 day amongst other settings.
    • Location 1 / 2 do not have this policy linked in any OU's, and it is not linked at the domain level.
    • The Default Domain Policy only includes settings for: Minimum Password Length ( 8 ), Complexity Requirements (Enabled) and Reversible Encryption (Disabled)

    The Problem:

    Users anywhere in the domain, irrespective if their OU, are being limited by the minimum 1 day password age and cannot reset until this time has elapsed.

    Tests:

    I have done a GP model based on a user affected last Friday - output is that he should not have been limited by the 1 day, it does not show in the output, yet he could not change his password until he retried on Monday.
    I have confirmed on the Location 1 -> Users OU that the GP Inheritance only shows the Default Domain Policy and an old SBS policy, non of which set the Minimum Password Age value.

    Question:

    Any ideas why this may be happening or a solution to rectify?
     
    Last edited: Feb 8, 2011
    Certifications: BSc. (Comp. Sci.), MBCS, MCP [70-290], Specialist [74-324], Security+, Network+, A+, Tea Lord: Beverage Brewmaster | Courses: LFS101x Introduction to Linux (edX)
    WIP: CCNA Routing & Switching
  2. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Odd. Since you're running at 2K3 functional level, you can only have one password policy in a domain - set at the domain level. Anything you set anywhere else in the domain (with the exception, of course, of child domains) is worthless - so straightaway the extraneous GPOs in OU 3 should NOT be taking effect. Are you sure that the minimum age isn't set in the default domain policy? Don't forget that password policies are computer-based, not user-based.

    Maybe you should dial up userenv logging for some better testing (gpresult is a useful tool for quick and easy fixes, but a PITA when looking for more detail). Google 'usernev logging' and you'll find a Technet article on how to set the level a bit higher (though be prepared for some yawns whilst you trawl through the subsequent logs looking for the relevant information :biggrin)
     
    Certifications: A few
    WIP: None - f*** 'em
  3. GSteer

    GSteer Megabyte Poster

    627
    31
    109
    Didn't know that about the password policy limit, cheers.

    Yes can confirm that the default policy has only the three items stated, linked at the top domain level. It's quite a basic setup to be truthful so there isn't much in that default policy.

    I'll take a look in to that.
     
    Certifications: BSc. (Comp. Sci.), MBCS, MCP [70-290], Specialist [74-324], Security+, Network+, A+, Tea Lord: Beverage Brewmaster | Courses: LFS101x Introduction to Linux (edX)
    WIP: CCNA Routing & Switching

Share This Page

Loading...