  1. #1
    Star Lounger, Columbus, OH

    Forcing Group Policy on AD Server

    We just recently upgraded our domain to the following:
    Add Exchange Server 2007 on a Windows Server 2008 system.
    Move mailboxes from old AD/Exchange Server 2003 on Windows Server 2003 to new Exchange server.
    Followed procedures to remove Exchange from old server.
    Added a new Windows Server 2008 AD DC. Made it primary, seized roles from old server and turned off old server.
    Everything is running well now.

    Here's our issue: The old AD/Exchange Server had some configuration corruptions that prevented it from running Group Policy, among other things. One of those policies requires domain users in a specific OU to reset their password every 90 days. That policy (along with others) is not working. My question is, when I run "gpupdate /force" will it immediately require reset of passwords older than 90 days or will it start fresh with a new 90 day countdown?

    Thank you in advance for your input.

    Rick.

  2. #2
    WS Lounge VIP, Earth
    gpupdate /force only works on clients, so you can test it on one or two and if all is well you can hit them all at once. If not you can stagger.

    Have you used GPRESULT or RSOP.MSC to check that the policy is applied to the clients?
    https://technet.microsoft.com/en-gb/.../bb456989.aspx
    http://www.howtogeek.com/116184/how-...-user-account/

    cheers, Paul

  3. #3
    Star Lounger, Columbus, OH
    Ok, I have completely removed the group policy for that OU and set it up again. I have run the RSOP on the server against my computer and the results say it all works. No errors. I have run gpupdate /force on my computer and rebooted it. I still don't get a prompt to change my password and it is more than the required 90 days old. What else could be the problem? I'm at a loss to understand why the Group Policy is not working for us. We have successfully set it up at several remote locations in those domains and all is working. Please help.

    Thanks
    Rick
    Last edited by rmallen07; 2015-06-30 at 14:38. Reason: Correct wording

  4. #4
    WS Lounge VIP, Earth
    Password change is a domain controller activity so the policy must be set on your DCs.

    cheers, Paul

  5. #5
    Star Lounger, Columbus, OH
    My apologies, our AD server IS our DC. The only one we're running. We have the default domain with users who have email addresses on our domain. I have created an OU for only the people and computers that are located at the Corporate Office. In that OU I have set up the policy in question. I have run gpupdate /force on the client computer we're testing with. The password policy says it needs to be reset every 90 days. The password on that client is more than 6 months old. My question is whether the new policy will start counting from the day it was created or will it recognize that the password is already past the reset time?

    Thank you for your help,
    Rick

  6. #6
    WS Lounge VIP, Earth
    The client computer has nothing to do with the password reset policy, it's the DC you must check.
    https://redmondmag.com/Articles/2011...-Policies.aspx

    I don't know if the change happens immediately, but I expect it would as password age > policy requirement.

    cheers, Paul

  7. #7
    Star Lounger, Columbus, OH
    Paul,
    Thanks for the link. What I discovered was that I couldn't set the policy on an OU subordinate to the default domain policy. Once I set it in the default domain policy (it is a computer policy, not a user policy so the users with emails that don't have computers on the domain are not affected) I was able to get it to work successfully.

    Thanks again,
    Rick
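
A way to confirm what the thread concludes, as an added example (not posted by anyone in the thread): the DCs read the password policy from the Default Domain Policy, and a password expires when its PasswordLastSet plus the domain MaxPasswordAge has passed, so accounts already older than 90 days are prompted at their next logon rather than getting a fresh countdown. This script, which assumes the RSAT ActiveDirectory module and a domain-joined admin session, prints the effective domain MaxPasswordAge and lists the enabled, expiring accounts that are already past it.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# The policy the DCs actually enforce comes from the Default Domain Policy,
# not from a GPO linked to an OU (which is why the OU-linked GPO did nothing).
$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge          # TimeSpan, e.g. 90.00:00:00
"Effective domain MaxPasswordAge: $maxAge"

# Only accounts that are actually subject to expiry matter: skip disabled
# accounts and accounts flagged "password never expires", which the GPO
# setting does not override.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordLastSet, 'msDS-ResultantPSO'

# Anyone whose password was last set before this cutoff is already expired
# under the domain policy and will be prompted at next logon.
$cutoff = (Get-Date) - $maxAge

$users |
    Where-Object { ($null -ne $_.PasswordLastSet) -and ($_.PasswordLastSet -lt $cutoff) } |
    Select-Object SamAccountName,
        PasswordLastSet,
        @{ n = 'AgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
        # Non-empty only if a fine-grained password policy (2008 domain
        # functional level) overrides the domain setting for this account.
        @{ n = 'FineGrainedPSO'; e = { $_.'msDS-ResultantPSO' } } |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

Run it on the DC (or any domain-joined machine with RSAT) before and after editing the Default Domain Policy to see the MaxPasswordAge value change and the list of already-expired accounts appear.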
