Windows-Server-2008

Active Directory GPO not applying password policy from the Default Domain Policy

  • October 14, 2011

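OK. I have implemented a password policy. I know from previous posts that it cannot be applied at an OU, so I configured it in the Default Domain Policy. I ran RSOP.msc from a client computer, and the policy settings show up with the source GPO "Default Domain Policy". So it looks like it is working, but it isn't. For example, I have a complexity requirement, yet it accepts the password "a". It also lets me change my password in Windows Security when "Minimum password age" is set to 89 days. Clearly the policy is not really being enforced!

What should I do?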

RSOP results for XXXX\XXXX on XXXXX-XXXXX: Logging Mode
----------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 XXXXXX
Domain Type:                 Windows 2000
Site Name:                   XXXXXX
Roaming Profile:
Local Profile:               C:\Documents and Settings\XXXXX
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

   CN=XXXXXXXXX,OU=UserComputers,DC=corp,DC=XXXXX,DC=com
   Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
   Group Policy was applied from:      tfs.corp.emergingmed.com
   Group Policy slow link threshold:   0 kbps

   Applied Group Policy Objects
   -----------------------------
       Published Software
       Copy of Base
       Default Domain Policy

   The following GPOs were not applied because they were filtered out
   -------------------------------------------------------------------
       Local Group Policy
           Filtering:  Not Applied (Empty)

   The computer is a part of the following security groups:
   --------------------------------------------------------
       BUILTIN\Administrators
       Everyone
       SQLServerMSSQLServerADHelperUser$XXXXX
       BUILTIN\Users
       NT AUTHORITY\NETWORK
       NT AUTHORITY\Authenticated Users
       XXXXXXX$
       Domain Computers
       People


USER SETTINGS
--------------
   CN=XXXXXX,OU=Employees,DC=corp,DC=XXXX,DC=com
   Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
   Group Policy was applied from:      tfs.corp.XXXXX.com
   Group Policy slow link threshold:   0 kbps

   Applied Group Policy Objects
   -----------------------------
       Published Software
       Startup Scripts
       Copy of Base
       Default Domain Policy

   The following GPOs were not applied because they were filtered out
   -------------------------------------------------------------------
       Local Group Policy
           Filtering:  Not Applied (Empty)

   The user is a part of the following security groups:
   ----------------------------------------------------
       Domain Users
       Everyone
       BUILTIN\Administrators
       Remote Desktop Users
       BUILTIN\Users
       NT AUTHORITY\INTERACTIVE
       NT AUTHORITY\Authenticated Users
       LOCAL

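Password policies should be applied to the OU of the servers where the account database resides. If you are trying to control passwords on Active Directory, this means your policy should be applied to the Domain Controllers OU. If you have blocked inheritance on the Domain Controllers OU, then modifying the Default Domain Policy, which is linked at the root by default, will not do what you want.

By setting the policy at the default domain level, you are probably controlling the password policy for the workstations. I mean that the local accounts on your workstations now have password requirements. Try creating a local account and setting a password.

This is partly the same reason why you could not have multiple password policies in a domain before Windows 2008. The policy has to apply to all domain controllers, so there is no way to distinguish between different users/computers.

Even with the fine-grained policies in 2008, you cannot simply use Group Policy; you have to set special attributes in LDAP to target different objects with different password policies.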

Quoted from: https://serverfault.com/questions/321603
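A read-only way to check the conditions the answer names (blocked inheritance on the Domain Controllers OU, the Default Domain Policy link at the root, and fine-grained policies attached to objects). This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules (2008 R2 or later tools) and checks the account running the script.

```powershell
# Added example: read-only checks, nothing here changes policy.
# Assumption: ActiveDirectory and GroupPolicy modules are installed (RSAT).
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$sam    = $env:USERNAME   # assumption: inspect the account running the script

# 1. Password policy the domain actually enforces for domain accounts.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Format-List ComplexityEnabled, MinPasswordLength, MinPasswordAge,
                MaxPasswordAge, PasswordHistoryCount

# 2. Is inheritance blocked on the Domain Controllers OU, and which GPOs
#    still reach it (look for "Default Domain Policy" in the list)?
$dcOu = Get-GPInheritance -Target $domain.DomainControllersContainer
$dcOu | Format-List Path, GpoInheritanceBlocked
$dcOu.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 3. GPOs linked directly at the domain root.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 4. Fine-grained password policies (PSOs) and the objects they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Format-List Name, Precedence, ComplexityEnabled, MinPasswordLength,
                MinPasswordAge, AppliesTo

# 5. PSO that takes effect for one user; no output means no PSO applies
#    and the domain default from step 1 is used.
Get-ADUserResultantPasswordPolicy -Identity $sam
```

If step 1 does not show the values that RSOP reports on the workstation, the GPO settings are reaching member computers but are not what the domain enforces for domain accounts.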