Group Policy issue - password enforcement 1

[disturbedone]

I am attempting to apply a new GPO for a new password policy. This is part of a process of moving to W7. DCs are W2K8R2.

I have a new OU structure specifically for this. The (simplified) structure is:

domain.local
  EXIST
    USERS
    COMPUTERS
  NEW
    USERS
    COMPUTERS

There is a GPO at the domain.local level which looks like the default policy. This is not set to 'enforce' so it shouldn't affect the EXIST or NEW OUs. As it is, both the EXIST and NEW OUs have 'block inheritance' enabled. Another GPO is on the EXIST OU which is basically the same but has min length and min age slightly different and has no lockout setting - I believe this is the one in effect.

I've created a new GPO with much better settings and applied it to the domain.local/NEW/WORKSTATIONS OU as password policies are computer based not user. I have a test W7 computer in that OU but I can still change my password to things that don't meet the policy requirements. I have run gpupdate /force several times but it doesn't make a difference.

I've always had problems with the Group Policy Results Wizard on the existing XP clients. Mostly that was due to Windows Firewall on the client. But in this case the firewall is off but it still won't run and gives the error:

Failed to connect to DOMAIN\computer due to the error listed below. Ensure that the Windows Management Instrumentation (WMI) service is enabled on the target computer, and consult the event log of the target computer for further details. Details: The RPC server is unavailable.

The WMI service is started. So is the Remote Procedure Call (RPC) service. Nothing shows up at all in any event log on the client computer.

So there's a couple of issues - it appears the GPO is not applying (why not?) and the GPRW won't let me check what GPOs are being applied and any errors.

Any ideas?

 

[58sniper]

Unless you're attempting to define Fine Grained Password Policies, which takes quite a bit of work, your password policy needs to be defined in the Default Domain Policy.

Do you have your Tek-Tips.com Swag? I've got mine!

Stop by the new Tek-Tips group at LinkedIn.

 

[disturbedone]

Interesting. I didn't realise that (to quote Highlander) there can be only one.

The only reason I was going to do 2 was to have one for staff/senior students and one for junior students. Junior students are aged 5-10 and I was not going to enforce complex passwords and the requirements to change it frequently. But in thinking about it a complex password can actually be quite simple eg Password1 contains 3 (uppercase, lowercase, numerals) of the 5 required character types. and as long as it doesn't contact 3 of the user's username then it should be fine. For simple generic users (for the really young students) that have even simpler passwords eg cat54321 I could tick the 'password never expires' option.