# Solved: Client gets policy from Local Server Policy NOT Domain policy



## attman (Aug 15, 2008)

Hi guys

I have Server 2003 and have created a staff password policy by going into AD, right clicking an OU and Group Policy etc.

However, my client (which is a member of the OU) is picking up its policy from the Local Computer Policy on the server NOT the policy on the OU.

So I can change the required length requirement under AD and nothing, go into gpedit.msc and change it and it affects the client.

Can someone please tell me what I've done wrong?

Thanks........


----------



## Rockn (Jul 29, 2001)

Have you set the group policy based on the user or computer settings? Are the user and computer accounts inside of the OU you have applied this policy to?


----------



## attman (Aug 15, 2008)

To set the password length I go into:

Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy

And set length and complexity.

I can't see where else I could do that...

I'm not sure what you mean by asking are the computer accounts inside the OU.

Thanks


----------



## Rockn (Jul 29, 2001)

You have to have the computer account in the OU it is to be applied to. Go to AD users & computers and move the computer account in question into the appropriate OU. You may need to restart the computer for the policy to apply.


----------



## attman (Aug 15, 2008)

You've worked out that I'm no expert at this so thanks.

If I move the computer that the user uses into the OU, what happens if the user logs on from a different machine?

Thanks again


----------



## Rockn (Jul 29, 2001)

If the user switches computers the policy will not be applied since you applied it to that OU level. If you want this to apply to everyone you need to set it at a higher level OU. If you want it to apply to a select group then you need all of the computers for that group inside of that OU. Password policy only applies to the computer account.


----------



## attman (Aug 15, 2008)

I've moved the Computer into the OU and I have the same result.

On the server I have the Local policy, set with gpedit.msc, to require 10 chars.
The Policy on the OU requires 8 chars with complexity.

Both the User and the client computer being used are in the OU.

The PC was restarted and when I press Ctrl-Alt-Del and request a password change to (example) 1 char it tells me I have to enter 10 chars (the policy from the local machine not the OU).

So at the moment this still doesn't work. I guess I could cope with this if you could put complexity on the password for local machine but this is grayed out. (and I guess why should I just accept it)

Thanks again.

During the course of trying to work this out I added a test user. After entering a password it required me to enter 10 chars NOT 8 so this doesn't seem to be an OU issue at all, all my new users seem to be picking up the server local policy not the domain policy.


----------



## Rockn (Jul 29, 2001)

I would run the group policy results wizard against one of the computer and user accounts that are not getting the domain policy and see what is actually being applied. There may be a default domain policy being applied higher up that is set to mandatory.


----------



## attman (Aug 15, 2008)

OK - understand a lot more and I know what the answer is.

Ultimately with Server 2003 you can only apply a password policy to the domain, not to OUs. This is a feature of 2008 apparently so maybe I will need to upgrade to that.

Thanks again guys.


----------
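One way to check which password policy a domain user actually receives, following the conclusion in the post above (an added example, not part of the original thread): it reads the domain-wide policy and any fine-grained password policy (PSO) that resolves for the user, then reports the one in effect. It assumes the ActiveDirectory PowerShell module (RSAT) and a Server 2008 or later domain functional level; the script and parameter names are hypothetical, and on a Server 2003 domain `net accounts /domain` shows the domain policy instead.

```powershell
# Show-EffectivePasswordPolicy.ps1 (hypothetical file name; added example)
param(
    [Parameter(Mandatory=$true)]
    [string] $SamAccountName        # account to check, supplied by the caller
)

Import-Module ActiveDirectory

# Settings compared between the domain policy and a PSO.
$fields = 'MinPasswordLength', 'ComplexityEnabled', 'PasswordHistoryCount',
          'MaxPasswordAge', 'LockoutThreshold'

# Domain-wide password policy, read from the domain object.
$domain = Get-ADDefaultDomainPasswordPolicy

# Fine-grained policy that wins for this user; returns nothing if no PSO applies.
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

if ($pso) {
    $effective = $pso
    $source    = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
} else {
    $effective = $domain
    $source    = 'domain password policy'
}

Write-Output "Effective password policy for ${SamAccountName}: $source"
$effective | Select-Object $fields | Format-List

# When a PSO applies, list every setting where it overrides the domain value.
if ($pso) {
    foreach ($f in $fields) {
        if ($domain.$f -ne $pso.$f) {
            Write-Output ("{0}: domain={1}  pso={2}" -f $f, $domain.$f, $pso.$f)
        }
    }
}
```
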



## Rockn (Jul 29, 2001)

You can set your OUs to not inherit from the higher level OUs.


----------

