Active Directory GPO for password policy not being applied from the Default Domain Policy

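OK. I have implemented a password policy. I know from previous posts that it cannot be applied within an OU, so I configured it in the Default Domain Policy. I ran RSOP.msc from a client computer, and the policy settings show up with the source GPO "Default Domain Policy". So it looks like it is working, but it actually isn't. For example, I have a complexity requirement, yet it accepts the password "a". It also lets me change my password in Windows Security, even though the "Minimum password age" is set to 89 days. Clearly, the policy is not actually being applied!

What should I do?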

RSOP results for XXXX\XXXX on XXXXX-XXXXX: Logging Mode
----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 XXXXXX
Domain Type:                 Windows 2000
Site Name:                   XXXXXX
Roaming Profile:
Local Profile:               C:\Documents and Settings\XXXXX
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    CN=XXXXXXXXX,OU=UserComputers,DC=corp,DC=XXXXX,DC=com
    Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
    Group Policy was applied from:      tfs.corp.emergingmed.com
    Group Policy slow link threshold:   0 kbps

    Applied Group Policy Objects
    -----------------------------
        Published Software
        Copy of Base
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        SQLServerMSSQLServerADHelperUser$XXXXX
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        XXXXXXX$
        Domain Computers
        People


USER SETTINGS
--------------
    CN=XXXXXX,OU=Employees,DC=corp,DC=XXXX,DC=com
    Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
    Group Policy was applied from:      tfs.corp.XXXXX.com
    Group Policy slow link threshold:   0 kbps

    Applied Group Policy Objects
    -----------------------------
        Published Software
        Startup Scripts
        Copy of Base
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        Remote Desktop Users
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

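Answer 1

Password policy should be applied to the OU of the server where the account database resides. If you are trying to control passwords in Active Directory, that means your policy should be applied to the Domain Controllers OU. If you have blocked inheritance on the Domain Controllers OU, then modifying the Default Domain Policy, which is linked at the root by default, will not have the effect you want.

By setting the policy at the default domain level, you are probably controlling the password policy for the workstations. What I mean is that local accounts on the workstations will now have the password requirements. Try creating a local account and setting a password.

This is, in part, the same reason you cannot have multiple password policies in a domain prior to Windows 2008. The policy must apply to all domain controllers, so there is no way to differentiate between different users/computers.

Even with fine-grained policies in 2008 you cannot simply use Group Policy; you must set special attributes in LDAP to make different objects target different password policies.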
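
One way to check the conditions this answer describes, as an added example that is not part of the original answer: it reads the password settings the domain currently enforces, reports whether inheritance is blocked on the Domain Controllers OU, and looks up any fine-grained policy bound to a user. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules and a domain that supports them; the function name `Get-PasswordPolicyState` and the account name `jdoe` are hypothetical.

```powershell
# Added example, not from the original answer. Assumes the RSAT ActiveDirectory
# and GroupPolicy modules; Get-PasswordPolicyState is a hypothetical name.
Import-Module ActiveDirectory, GroupPolicy

function Get-PasswordPolicyState {
    param(
        [string]$SamAccountName  # optional: user to check for a fine-grained policy (PSO)
    )

    $domain = Get-ADDomain
    $dcOu   = $domain.DomainControllersContainer

    # Password settings the domain currently enforces for domain accounts.
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

    # The condition named in the answer: is inheritance blocked on the DC OU?
    $dcSom   = Get-GPInheritance -Target $dcOu
    $rootSom = Get-GPInheritance -Target $domain.DistinguishedName

    # Fine-grained policy is bound through directory attributes, not GPO links.
    $pso = $null
    if ($SamAccountName) {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    }

    [pscustomobject]@{
        ComplexityEnabled      = $policy.ComplexityEnabled
        MinPasswordLength      = $policy.MinPasswordLength
        MinPasswordAgeDays     = $policy.MinPasswordAge.Days
        MaxPasswordAgeDays     = $policy.MaxPasswordAge.Days
        DcOuInheritanceBlocked = $dcSom.GpoInheritanceBlocked
        GposLinkedAtDomainRoot = @($rootSom.GpoLinks | Where-Object Enabled |
                                   ForEach-Object DisplayName)
        GposReachingDcOu       = @($dcSom.InheritedGpoLinks | ForEach-Object DisplayName)
        UserFineGrainedPolicy  = if ($pso) { $pso.Name } else { '(none)' }
    }
}

# Example call; 'jdoe' is a constructed account name.
Get-PasswordPolicyState -SamAccountName 'jdoe' | Format-List
```

`Get-ADDefaultDomainPasswordPolicy` reads the values stored on the domain object itself, so its output can be compared directly with the settings shown in the Default Domain Policy GPO and with what RSOP reports on a workstation.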
