Windows-Server-2008
Active Directory GPO not applying password policy from the Default Domain Policy
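OK. I have implemented a password policy. I know from previous posts that it cannot be applied at an OU, so I configured it in the Default Domain Policy. I ran RSOP.msc from a client computer, and the policy settings show up with the source GPO "Default Domain Policy". So it looks like it is working, but it is not. For example, I have a complexity requirement, but it accepts the password "a". It also lets me change my password in Windows Security when "Minimum password age" is set to 89 days. Clearly the policy is not really being enforced!
What should I do?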
    RSOP results for XXXX\XXXX on XXXXX-XXXXX: Logging Mode
    ----------------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: XXXXXX
    Domain Type: Windows 2000
    Site Name: XXXXXX
    Roaming Profile:
    Local Profile: C:\Documents and Settings\XXXXX
    Connected over a slow link?: No

    COMPUTER SETTINGS
    ------------------
        CN=XXXXXXXXX,OU=UserComputers,DC=corp,DC=XXXXX,DC=com
        Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
        Group Policy was applied from: tfs.corp.emergingmed.com
        Group Policy slow link threshold: 0 kbps

        Applied Group Policy Objects
        -----------------------------
            Published Software
            Copy of Base
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering: Not Applied (Empty)

        The computer is a part of the following security groups:
        --------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            SQLServerMSSQLServerADHelperUser$XXXXX
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            XXXXXXX$
            Domain Computers
            People

    USER SETTINGS
    --------------
        CN=XXXXXX,OU=Employees,DC=corp,DC=XXXX,DC=com
        Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
        Group Policy was applied from: tfs.corp.XXXXX.com
        Group Policy slow link threshold: 0 kbps

        Applied Group Policy Objects
        -----------------------------
            Published Software
            Startup Scripts
            Copy of Base
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering: Not Applied (Empty)

        The user is a part of the following security groups:
        ----------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            Remote Desktop Users
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            LOCAL
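The password policy should be applied to the OU of the server where the account database resides. If you are trying to control passwords in Active Directory, that means your policy should apply to the Domain Controllers OU. If you have blocked inheritance on the Domain Controllers OU, then modifying the Default Domain Policy, which is linked at the root by default, will not do what you want.
By setting the policy at the default domain level, you are probably controlling the password policy of the workstations. By that I mean the local accounts on your workstations now have password requirements. Try creating a local account and setting a password.
This is partly the same reason why you cannot have multiple password policies in a pre-Windows 2008 domain. The policy has to be applied to all domain controllers, so there is no way to differentiate between different users/computers.
Even with the fine-grained policies in 2008, you cannot simply use Group Policy; you have to set special attributes in LDAP to make different objects target different password policies.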
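
Added example, not part of the original question or answer: a PowerShell check of the points discussed above (the policy the domain actually enforces, the GPOs linked at the domain root, Block Inheritance on the Domain Controllers OU, and any fine-grained policy for one user). It assumes the ActiveDirectory module is available (RSAT or Windows Server 2008 R2 and later); the account name `jdoe` is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT, or a Windows Server 2008 R2+ domain controller).
# 'jdoe' is a placeholder for the account whose password policy you are checking.
param([string]$SamAccountName = 'jdoe')

Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. The password policy stored on the domain object, which is what the
#    domain controllers enforce for domain accounts.
"--- Effective domain password policy ($($domain.DNSRoot)) ---"
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Format-List ComplexityEnabled, MinPasswordLength, MinPasswordAge,
                MaxPasswordAge, PasswordHistoryCount

# 2. GPOs linked at the domain root, resolved from DN to display name.
"--- GPOs linked at the domain root ---"
foreach ($dn in $domain.LinkedGroupPolicyObjects) {
    (Get-ADObject -Identity $dn -Properties displayName).displayName
}

# 3. Block Inheritance on the Domain Controllers OU (bit 0 of gPOptions).
$dcOu = Get-ADOrganizationalUnit -Identity $domain.DomainControllersContainer `
            -Properties gPOptions
$blocked = [bool]($dcOu.gPOptions -band 1)
"--- Domain Controllers OU ---"
"Block Inheritance set: $blocked"
foreach ($dn in $dcOu.LinkedGroupPolicyObjects) {
    "Linked GPO: " + (Get-ADObject -Identity $dn -Properties displayName).displayName
}

# 4. Fine-grained password policy (PSO) that wins for this user, if any.
#    PSOs are AD objects linked to users/groups, not Group Policy settings.
"--- Resultant PSO for $SamAccountName ---"
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($pso) {
    $pso | Format-List Name, Precedence, ComplexityEnabled, MinPasswordLength, MinPasswordAge
} else {
    "No PSO applies; the domain policy from step 1 is in effect."
}
```

If step 1 does not show the values configured in the GPO, the setting never reached the domain object, whatever RSOP reports on a member workstation.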