microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
Posted by Kim on November 17, 2006, 2:43 pm
In the following situation which policy will win?
Enforce password history
  Default Domain Policy: Not defined
  Default Domain Controller Policy: Not defined
  Local Domain Controller Policy: 24 days
My problem is when a user's profile is set to change at next logon (because I
don't want to know their password) if they select a password that was used in
the last 24 days it won't accept it. I would have thought that the default
domain policy or default domain controller policy would have taken precedence.
Any answers would be greatly appreciated.
Kim
Posted by Roger Abell [MVP] on November 18, 2006, 12:32 am
Not defined does not mean no policy, it just means that
there is no definition of the specific policy in that GPO.
Notice that many policies are tri-state, such as not defined,
enabled, disabled. A setting of not defined is a no-op and
has no effect.
Now, usually Account policies only have effect on domain
accounts when these are set in a GPO linked to the domain.
I have at times noticed it seems some are effective for domain
accounts when set in a GPO linked to the DC OU. Given the
possible GPOs that you have listed, either this "odd" behavior
(that is not supposed to happen) is operative here, or, more
likely, the shipped default or last set value at the domain level
is being used (i.e. the 24 in the DC OU linked GPO only appears
to be winning, but in fact, no GPO linked to the domain sets the
policy so the last set value is being effective).
> In the following situation which policy will win?
> Enforce password history
>   Default Domain Policy: Not defined
>   Default Domain Controller Policy: Not defined
>   Local Domain Controller Policy: 24 days
> My problem is when a user's profile is set to change at next logon (because I
> don't want to know their password) if they select a password that was used in
> the last 24 days it won't accept it. I would have thought that the default
> domain policy or default domain controller policy would have taken precedence.
> Any answers would be greatly appreciated.
> Kim
>
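One way to check which of the two explanations in the reply above applies, as an added example that is not part of the original thread: it reads the password history value stored on the domain itself and lists, for every GPO linked to the domain and to the Domain Controllers OU, whether that GPO defines the setting. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are available; the variable names are illustrative.

```powershell
# Added example; assumes the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# 1. The value currently stored on the domain object, i.e. what domain
#    accounts are actually held to, regardless of which GPO last wrote it.
$effective = (Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot).PasswordHistoryCount

# 2. Every GPO linked at the domain root and at the Domain Controllers OU,
#    with its "Enforce password history" state (a number or "Not defined").
$targets = @(
    @{ Scope = 'Domain'; DN = $domain.DistinguishedName },
    @{ Scope = 'DC OU';  DN = $domain.DomainControllersContainer }
)

$findings = foreach ($t in $targets) {
    foreach ($link in (Get-GPInheritance -Target $t.DN).GpoLinks) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        # local-name() avoids depending on the namespace prefix in the report.
        $node = $report.SelectSingleNode(
            "//*[local-name()='Account'][*[local-name()='Name']='PasswordHistorySize']")
        [pscustomobject]@{
            LinkedTo        = $t.Scope
            GPO             = $link.DisplayName
            LinkEnabled     = $link.Enabled
            PasswordHistory = if ($node) {
                $node.SelectSingleNode("*[local-name()='SettingNumber']").InnerText
            } else {
                'Not defined'
            }
        }
    }
}

"PasswordHistoryCount stored on the domain: $effective"
$findings | Format-Table -AutoSize

# No domain-linked GPO defining the setting while the stored value is non-zero
# points to a previously written value still being in force.
if (-not ($findings | Where-Object { $_.LinkedTo -eq 'Domain' -and $_.PasswordHistory -ne 'Not defined' })) {
    "No GPO linked to the domain defines password history; the stored value is not being refreshed by policy."
}
```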