To clarify: my question is why my password policy isn't being applied to people in the domain.
Hi everyone, we are having some issues with the password policy in Active Directory. Sometimes it just helps to type out what I'm seeing.
It doesn't seem to be getting applied across the board. I'm new to this environment and to AD, but I think I have a general idea of how it should work.
It's a very simple AD setup, without many group policies applied.
It looks like this:
DOMAIN
    Default Domain Policy (link enabled)
    Password Policy (link enabled and enforced)
    Personal OU
        Force Password Change (completely empty, nothing in this GPO)
        IT OU
            Lockout Policy (link enabled and enforced)
        CS OU
            Lockout Policy
        Accounting OU
            Lockout Policy
The Password Policy and Default Domain Policy both define the same things under Computer Configuration > Windows Settings > Security Settings:
Account Policies / Password Policy
    Enforce password history: 24 passwords remembered
    Maximum password age: 180 days
    Minimum password age: 14 days
    Minimum password length: 6 characters
    Password must meet complexity requirements: Enabled
    Store passwords using reversible encryption: Disabled
Account Policies / Account Lockout Policy
    Account lockout duration: 10080 minutes
    Account lockout threshold: 5 invalid logon attempts
    Reset account lockout counter after: 30 minutes
IT-Lockout
    This just sets the screen saver settings to lock computers when the user is idle.
After running Group Policy Modeling it seems like the Password Policy and Default Domain Policy are getting applied to everyone.
Here are the results of Group Policy Modeling on MO-BLANCKM using the mblanck account. As you can see, both policies are being applied, with nothing important being denied:
Group Policy Results
NCLGS\mblanck on NCLGS\MO-BLANCKM
Data collected on: 12/29/2010 11:29:44 AM

Summary

Computer Configuration Summary
  General
    Computer name: NCLGS\MO-BLANCKM
    Domain: NCLGS.local
    Site: Default-First-Site-Name
    Last time Group Policy was processed: 12/29/2010 10:17:58 AM
  Group Policy Objects
    Applied GPOs (Name | Link Location | Revision)
      Default Domain Policy | NCLGS.local | AD (15), Sysvol (15)
      WSUS-52010 | NCLGS.local/WSUS/Clients | AD (54), Sysvol (54)
      Password Policy | NCLGS.local | AD (58), Sysvol (58)
    Denied GPOs (Name | Link Location | Reason Denied)
      Local Group Policy | Local | Empty
  Security Group Membership when Group Policy was applied
    BUILTIN\Administrators
    Everyone
    S-1-5-21-507921405-1326574676-682003330-1003
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    NCLGS\MO-BLANCKM$
    NCLGS\Admin-ComputerAccounts-GP
    NCLGS\Domain Computers
  WMI Filters (Name | Value | Reference GPO(s))
    None
  Component Status (Component Name | Status | Last Process Time)
    Group Policy Infrastructure | Success | 12/29/2010 10:17:59 AM
    EFS recovery | Success (no data) | 10/28/2010 9:10:34 AM
    Registry | Success | 10/28/2010 9:10:32 AM
    Security | Success | 10/28/2010 9:10:34 AM
User Configuration Summary
  General
    User name: NCLGS\mblanck
    Domain: NCLGS.local
    Last time Group Policy was processed: 12/29/2010 11:28:56 AM
  Group Policy Objects
    Applied GPOs (Name | Link Location | Revision)
      Default Domain Policy | NCLGS.local | AD (7), Sysvol (7)
      IT-Lockout | NCLGS.local/Personal/CS | AD (11), Sysvol (11)
      Password Policy | NCLGS.local | AD (5), Sysvol (5)
    Denied GPOs (Name | Link Location | Reason Denied)
      Local Group Policy | Local | Empty
      Force Password Change | NCLGS.local/Personal | Empty
  Security Group Membership when Group Policy was applied
    NCLGS\Domain Users
    Everyone
    BUILTIN\Administrators
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    LOCAL
    NCLGS\MissingSkidEmail
    NCLGS\Customer_Service
    NCLGS\Email_Archive
    NCLGS\Job Ticket Users
    NCLGS\Office Staff
    NCLGS\CUSTOMER SERVI-1
    NCLGS\Prestige_Jobs_Email
    NCLGS\Telecommuters
    NCLGS\Everyone - NCL
  WMI Filters (Name | Value | Reference GPO(s))
    None
  Component Status (Component Name | Status | Last Process Time)
    Group Policy Infrastructure | Success | 12/29/2010 11:28:56 AM
    Registry | Success | 12/20/2010 12:05:51 PM
    Scripts | Success | 10/13/2010 10:38:40 AM
Computer Configuration
  Windows Settings
    Security Settings
      Account Policies/Password Policy (Policy | Setting | Winning GPO)
        Enforce password history | 24 passwords remembered | Password Policy
        Maximum password age | 180 days | Password Policy
        Minimum password age | 14 days | Password Policy
        Minimum password length | 6 characters | Password Policy
        Password must meet complexity requirements | Enabled | Password Policy
        Store passwords using reversible encryption | Disabled | Password Policy
      Account Policies/Account Lockout Policy (Policy | Setting | Winning GPO)
        Account lockout duration | 10080 minutes | Password Policy
        Account lockout threshold | 5 invalid logon attempts | Password Policy
        Reset account lockout counter after | 30 minutes | Password Policy
      Local Policies/Security Options
        Network Security (Policy | Setting | Winning GPO)
          Network security: Force logoff when logon hours expire | Enabled | Default Domain Policy
      Public Key Policies/Autoenrollment Settings (Policy | Setting | Winning GPO)
        Enroll certificates automatically | Enabled | [Default setting]
          Renew expired certificates, update pending certificates, and remove revoked certificates: Disabled
          Update certificates that use certificate templates: Disabled
      Public Key Policies/Encrypting File System
        Properties (Winning GPO: [Default setting])
          Allow users to encrypt files using Encrypting File System (EFS): Enabled
        Certificates (Issued To | Issued By | Expiration Date | Intended Purposes | Winning GPO)
          SBurns | SBurns | 12/13/2007 5:24:30 PM | File Recovery | Default Domain Policy
        For additional information about individual settings, launch Group Policy Object Editor.
      Public Key Policies/Trusted Root Certification Authorities
        Properties (Winning GPO: [Default setting])
          Allow users to select new root certification authorities (CAs) to trust: Enabled
          Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
          To perform certificate-based authentication of users and computers, CAs must meet the following criteria: Registered in Active Directory only
  Administrative Templates
    Windows Components/Windows Update (Policy | Setting | Winning GPO)
      Allow Automatic Updates immediate installation | Enabled | WSUS-52010
      Allow non-administrators to receive update notifications | Enabled | WSUS-52010
      Automatic Updates detection frequency | Enabled | WSUS-52010
        Check for updates at the following interval (hours): 1
      Configure Automatic Updates | Enabled | WSUS-52010
        Configure automatic updating: 4 - Auto download and schedule the install
        The following settings are only required and applicable if 4 is selected.
        Scheduled install day: 0 - Every day
        Scheduled install time: 03:00
      No auto-restart with logged on users for scheduled automatic updates installations | Disabled | WSUS-52010
      Re-prompt for restart with scheduled installations | Enabled | WSUS-52010
        Wait the following period before prompting again with a scheduled restart (minutes): 30
      Reschedule Automatic Updates scheduled installations | Enabled | WSUS-52010
        Wait after system startup (minutes): 1
      Specify intranet Microsoft update service location | Enabled | WSUS-52010
        Set the intranet update service for detecting updates: http://lavender
        Set the intranet statistics server: http://lavender
        (example: http://IntranetUpd01)
User Configuration
  Administrative Templates
    Control Panel/Display (Policy | Setting | Winning GPO)
      Hide Screen Saver tab | Enabled | IT-Lockout
      Password protect the screen saver | Enabled | IT-Lockout
      Screen Saver | Enabled | IT-Lockout
      Screen Saver executable name | Enabled | IT-Lockout
        Screen Saver executable name: sstext3d.scr
      Screen Saver timeout | Enabled | IT-Lockout
        Number of seconds to wait to enable the Screen Saver: 1800
    System/Power Management (Policy | Setting | Winning GPO)
      Prompt for password on resume from hibernate / suspend | Enabled | IT-Lockout
Answer 1
Wow. That's a lot of information. Forgive me if I skimmed. It looks like you're trying to apply a password policy to an OU. That isn't possible unless your domain is in 2008 R2 mode. So if you are running all 2008 R2 domain controllers, you can change the domain functional level and that will work.
Otherwise, you need to stick to one set of password policies for the whole domain. You could create child domains with their own domain controllers, each with its own password policy. Of course, that means more overhead.
To make sure the password policies are enforced by a pre-2008 R2 domain, make sure they are in the Default Domain Controllers Group Policy. You can also put them in the Default Domain Policy (or another policy at the same level), but make sure no lower-level policy overrides your custom policy.
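As an added example (not part of the question or the answer above), the PowerShell below checks where the effective domain password policy comes from and, where the domain functional level allows it, scopes a stricter policy to one set of users with a fine-grained password policy (PSO). It uses the NCLGS.local domain and the mblanck account from the question; the group name 'IT Staff', the PSO name 'IT-Staff-PSO' and the PSO values are hypothetical. Fine-grained password policies need the Windows Server 2008 domain functional level or higher, and they bind to users and global security groups rather than to OUs, so an OU layout like Personal/IT needs a group that mirrors the OU membership.

```powershell
# Added example, not code from the original post.
# Assumes the RSAT ActiveDirectory module and rights to read and create PSOs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Domain: $($domain.DNSRoot)  Functional level: $($domain.DomainMode)"

# 1. The policy every domain account gets unless a PSO applies to it. Domain
#    controllers read it from the GPOs linked at the domain root (here Default
#    Domain Policy and the enforced Password Policy GPO); a GPO with Account
#    Policies linked to an OU only changes the local SAM on member computers.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  MinPasswordAge, ComplexityEnabled, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow

# 2. The policy actually in force for one user: a PSO if one applies, otherwise
#    the domain default above. Before any PSO exists this shows the same values.
Get-ADUserResultantPasswordPolicy -Identity mblanck

# 3. Fine-grained password policies require Windows Server 2008 DFL or higher.
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    Write-Warning "Functional level $($domain.DomainMode) does not support PSOs; only the domain-level policy applies."
    return
}

# 4. Create a PSO for the hypothetical 'IT Staff' global security group.
#    Lower Precedence wins when more than one PSO applies to the same user.
#    LockoutDuration must be at least LockoutObservationWindow.
New-ADFineGrainedPasswordPolicy -Name 'IT-Staff-PSO' -Precedence 10 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

Add-ADFineGrainedPasswordPolicySubject -Identity 'IT-Staff-PSO' -Subjects 'IT Staff'

# 5. Confirm the PSO now wins for a member of that group (mblanck here, assumed
#    to be in 'IT Staff'); non-members still get the domain default from step 1.
Get-ADUserResultantPasswordPolicy -Identity mblanck |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

In the report above, 'Password Policy' is the winning GPO for every Account Policies row, which is what to expect from a GPO linked at the domain root with the link enforced; step 2 is the quickest way to confirm the same values are what the domain controllers actually enforce for a given account, independent of what the member computer reports.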