Active Directory Password Policy Problem
- by Will
To clarify: my question is, why isn't my password policy applying to people in the domain?
Hey guys, having trouble with our password policy in Active Directory. Sometimes it just helps me to type out what I'm seeing.
It appears to not be applying properly across the board. I am new to this environment and AD in general, but I think I have a general grasp of what should be going on.
It’s a pretty simple AD setup without too many Group Policies being applied.
It looks something like this:
DOMAIN
  Default Domain Policy (link enabled)
  Password Policy (link enabled and enforced)
  Personal OU
    Force Password Change (completely empty, nothing in this GPO)
    IT OU
      Lockout Policy (link enabled and enforced)
    CS OU
      Lockout Policy
    Accounting OU
      Lockout Policy
The Password Policy GPO and the Default Domain Policy both define the same things under Computer Configuration / Windows Settings / Security Settings / Account Policies / Password Policy:
  Enforce password history: 24 passwords remembered
  Maximum password age: 180 days
  Minimum password age: 14 days
  Minimum password length: 6 characters
  Password must meet complexity requirements: Enabled
  Store passwords using reversible encryption: Disabled
Account Policies / Account Lockout Policy:
  Account lockout duration: 10080 minutes
  Account lockout threshold: 5 invalid logon attempts
  Reset account lockout counter after: 30 minutes
IT Lockout:
  This just sets the screen saver settings to lock computers when the user is idle.
After running Group Policy Modeling, it seems like the Password Policy and the Default Domain Policy are getting applied to everyone.
Here are the results of Group Policy Modeling on MO-BLANCKM using the mblanck account; as you can see, both policies are being applied, with nothing important being denied.
Group Policy Results
NCLGS\mblanck on NCLGS\MO-BLANCKM
Data collected on: 12/29/2010 11:29:44 AM

Summary

Computer Configuration Summary

General
  Computer name: NCLGS\MO-BLANCKM
  Domain: NCLGS.local
  Site: Default-First-Site-Name
  Last time Group Policy was processed: 12/29/2010 10:17:58 AM

Group Policy Objects
  Applied GPOs
    Name                   | Link Location             | Revision
    Default Domain Policy  | NCLGS.local               | AD (15), Sysvol (15)
    WSUS-52010             | NCLGS.local/WSUS/Clients  | AD (54), Sysvol (54)
    Password Policy        | NCLGS.local               | AD (58), Sysvol (58)
  Denied GPOs
    Name                   | Link Location             | Reason Denied
    Local Group Policy     | Local                     | Empty

Security Group Membership when Group Policy was applied
  BUILTIN\Administrators
  Everyone
  S-1-5-21-507921405-1326574676-682003330-1003
  BUILTIN\Users
  NT AUTHORITY\NETWORK
  NT AUTHORITY\Authenticated Users
  NCLGS\MO-BLANCKM$
  NCLGS\Admin-ComputerAccounts-GP
  NCLGS\Domain Computers

WMI Filters
  Name | Value | Reference GPO(s)
  None

Component Status
  Component Name               | Status             | Last Process Time
  Group Policy Infrastructure  | Success            | 12/29/2010 10:17:59 AM
  EFS recovery                 | Success (no data)  | 10/28/2010 9:10:34 AM
  Registry                     | Success            | 10/28/2010 9:10:32 AM
  Security                     | Success            | 10/28/2010 9:10:34 AM
User Configuration Summary

General
  User name: NCLGS\mblanck
  Domain: NCLGS.local
  Last time Group Policy was processed: 12/29/2010 11:28:56 AM

Group Policy Objects
  Applied GPOs
    Name                   | Link Location             | Revision
    Default Domain Policy  | NCLGS.local               | AD (7), Sysvol (7)
    IT-Lockout             | NCLGS.local/Personal/CS   | AD (11), Sysvol (11)
    Password Policy        | NCLGS.local               | AD (5), Sysvol (5)
  Denied GPOs
    Name                   | Link Location             | Reason Denied
    Local Group Policy     | Local                     | Empty
    Force Password Change  | NCLGS.local/Personal      | Empty

Security Group Membership when Group Policy was applied
  NCLGS\Domain Users
  Everyone
  BUILTIN\Administrators
  BUILTIN\Users
  NT AUTHORITY\INTERACTIVE
  NT AUTHORITY\Authenticated Users
  LOCAL
  NCLGS\MissingSkidEmail
  NCLGS\Customer_Service
  NCLGS\Email_Archive
  NCLGS\Job Ticket Users
  NCLGS\Office Staff
  NCLGS\CUSTOMER SERVI-1
  NCLGS\Prestige_Jobs_Email
  NCLGS\Telecommuters
  NCLGS\Everyone - NCL

WMI Filters
  Name | Value | Reference GPO(s)
  None

Component Status
  Component Name               | Status   | Last Process Time
  Group Policy Infrastructure  | Success  | 12/29/2010 11:28:56 AM
  Registry                     | Success  | 12/20/2010 12:05:51 PM
  Scripts                      | Success  | 10/13/2010 10:38:40 AM
Computer Configuration

Windows Settings
Security Settings

Account Policies/Password Policy
  Policy                                       | Setting                 | Winning GPO
  Enforce password history                     | 24 passwords remembered | Password Policy
  Maximum password age                         | 180 days                | Password Policy
  Minimum password age                         | 14 days                 | Password Policy
  Minimum password length                      | 6 characters            | Password Policy
  Password must meet complexity requirements   | Enabled                 | Password Policy
  Store passwords using reversible encryption  | Disabled                | Password Policy

Account Policies/Account Lockout Policy
  Policy                               | Setting                  | Winning GPO
  Account lockout duration             | 10080 minutes            | Password Policy
  Account lockout threshold            | 5 invalid logon attempts | Password Policy
  Reset account lockout counter after  | 30 minutes               | Password Policy

Local Policies/Security Options
  Network Security
  Policy                                                  | Setting | Winning GPO
  Network security: Force logoff when logon hours expire  | Enabled | Default Domain Policy

Public Key Policies/Autoenrollment Settings
  Policy                             | Setting | Winning GPO
  Enroll certificates automatically  | Enabled | [Default setting]
    Renew expired certificates, update pending certificates, and remove revoked certificates: Disabled
    Update certificates that use certificate templates: Disabled

Public Key Policies/Encrypting File System
  Properties (Winning GPO: [Default setting])
  Policy                                                           | Setting
  Allow users to encrypt files using Encrypting File System (EFS)  | Enabled
  Certificates
  Issued To | Issued By | Expiration Date        | Intended Purposes | Winning GPO
  SBurns    | SBurns    | 12/13/2007 5:24:30 PM  | File Recovery     | Default Domain Policy
  For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities
  Properties (Winning GPO: [Default setting])
  Policy | Setting
  Allow users to select new root certification authorities (CAs) to trust | Enabled
  Client computers can trust the following certificate stores | Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
  To perform certificate-based authentication of users and computers, CAs must meet the following criteria | Registered in Active Directory only
Administrative Templates

Windows Components/Windows Update
  Policy                                                    | Setting  | Winning GPO
  Allow Automatic Updates immediate installation            | Enabled  | WSUS-52010
  Allow non-administrators to receive update notifications  | Enabled  | WSUS-52010
  Automatic Updates detection frequency                     | Enabled  | WSUS-52010
    Check for updates at the following interval (hours): 1
  Configure Automatic Updates                               | Enabled  | WSUS-52010
    Configure automatic updating: 4 - Auto download and schedule the install
    (The following settings are only required and applicable if 4 is selected.)
    Scheduled install day: 0 - Every day
    Scheduled install time: 03:00
  No auto-restart with logged on users for scheduled automatic updates installations | Disabled | WSUS-52010
  Re-prompt for restart with scheduled installations        | Enabled  | WSUS-52010
    Wait the following period before prompting again with a scheduled restart (minutes): 30
  Reschedule Automatic Updates scheduled installations      | Enabled  | WSUS-52010
    Wait after system startup (minutes): 1
  Specify intranet Microsoft update service location        | Enabled  | WSUS-52010
    Set the intranet update service for detecting updates: http://lavender
    Set the intranet statistics server: http://lavender
    (example: http://IntranetUpd01)
User Configuration

Administrative Templates

Control Panel/Display
  Policy                             | Setting | Winning GPO
  Hide Screen Saver tab              | Enabled | IT-Lockout
  Password protect the screen saver  | Enabled | IT-Lockout
  Screen Saver                       | Enabled | IT-Lockout
  Screen Saver executable name       | Enabled | IT-Lockout
    Screen Saver executable name: sstext3d.scr
  Screen Saver timeout               | Enabled | IT-Lockout
    Number of seconds to wait to enable the Screen Saver: 1800

System/Power Management
  Policy                                                  | Setting | Winning GPO
  Prompt for password on resume from hibernate / suspend  | Enabled | IT-Lockout