Skip navigation
Menu
Security

Figuring Out Which GPO’s Policy Is Taking Precedence

Q: I recently noticed that I can specify short or even blank passwords for local accounts—even the administrator account—on member servers despite the fact that the Default Domain Policy for our domain requires passwords to be at least eight characters and the Require passwords to meet complexity requirements feature to be enabled. I thought that domain-level settings overrode a computer’s local policy. Why isn’t that happening in this case?

A: The value defined for any policy (e.g., the minimum password length defined as eight) in Group Policy Objects (GPOs) overrides any value defined for the same policy in the computer’s local policy object. A computer’s local policy takes effect only if no applicable GPO in Active Directory (AD) has a defined value for a given policy. However, more than one GPO in AD might define a value for the same policy. For example, one GPO might define eight as the minimum password length while another GPO might define 0.

When a computer applies multiple GPOs, it does so starting at the root of the domain and working down through the branch of organizational units (OUs) leading to the computer’s account. Policies defined higher in the OU structure are overridden by conflicting policies in lower OUs. The logic is that lower GPOs are closer to the computer, so their policies should carry more weight.

Most likely, the reason your member servers are allowing simple or blank passwords is that a GPO linked to a lower OU on the path to the servers is overriding the Default Domain Policy, which is linked to the root of the domain and therefore takes less precedence compared to any OU-linked GPOs.

The following are a couple other possible explanations:

  • The permissions on the Default Domain Policy GPO might have been modified so that the member servers lack either Apply Group Policy or Read permissions.
  • An OU on the path to the member servers’ computer objects has the Block policy inheritance feature enabled, which blocks higher GPOs from being applied.
  • A Windows Management Instrumentation (WMI) filter on the Default Domain Policy GPO is excluding the GPO from the member servers.

An excellent free tool to help you diagnose the problem is the Microsoft Management Console (MMC) Group Policy Management Console (GPMC) snap-in, which you can download from http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en.

TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024