Problems setting up password policies with Windows 2000 Professional
I have one Windows 2000 test server with one Windows 2000 Pro Workstation, all with current updates SP4 etc. The problem I'm having is setting password policies from the OU. I have one OU "IS" with one GPO, "ISGPO" and they won't run. I can only get the password polices to work from within the default domain GPO. My computer object and user objects are under my OU and I have no override checks on any GPO's. I only have one GPO -- "IS" -- so it's not like I am troubleshooting several GPO's. Also, all of the other policies from within my "ISGPO" work just fine.
Windows domain can only have one password policy. If you implement a password policy from an OU, it will only affect the local accounts on the computers in that OU, not the domain accounts. So, for example: Fred has a domain account FredP; he has a local account on his computer, FP. The domain password policy is a 12character password. The local computer password policy is a 20character password. When Fred logs onto the domain as FredP, he can use a 12 character password. But when he logs on to his computer as FP, he must use a 20 character password. This is just the way it is. The password policy for the domain is set in the default domain GPO, and only that one will work for the users using domain accounts.
This was first published in November 2003