Figuring Out Which GPO’s Policy Is Taking Precedence

Q: I recently noticed that I can specify short or even blank passwords for local accounts—even the administrator account—on member servers despite the fact that the Default Domain Policy for our domain requires passwords to be at least eight characters and the Require passwords to meet complexity requirements feature to be enabled. I thought that domain-level settings overrode a computer’s local policy. Why isn’t that happening in this case?

A: The value defined for any policy (e.g., the minimum password length defined as eight) in Group Policy Objects (GPOs) overrides any value defined for the same policy in the computer’s local policy object. A computer’s local policy takes effect only if no applicable GPO in Active Directory (AD) has a defined value for a given policy. However, more than one GPO in AD might define a value for the same policy. For example, one GPO might define eight as the minimum password length while another GPO might define 0.

When a computer applies multiple GPOs, it does so starting at the root of the domain and working down through the branch of organizational units (OUs) leading to the computer’s account. Policies defined higher in the OU structure are overridden by conflicting policies in lower OUs. The logic is that lower GPOs are closer to the computer, so their policies should carry more weight.

Most likely, your member servers are allowing simple or blank passwords because a GPO linked to a lower OU on the path to the servers is overriding the Default Domain Policy, which is linked to the root of the domain and therefore has lower precedence than any OU-linked GPO.

The following are some other possible explanations:

  • The permissions on the Default Domain Policy GPO might have been modified so that the member servers lack either Apply Group Policy or Read permissions.
  • An OU on the path to the member servers’ computer objects has the Block policy inheritance feature enabled, which blocks higher GPOs from being applied.
  • A Windows Management Instrumentation (WMI) filter on the Default Domain Policy GPO is excluding the GPO from the member servers.

An excellent free tool to help you diagnose the problem is the Microsoft Management Console (MMC) Group Policy Management Console (GPMC) snap-in, which you can download from
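
The checks described in this answer can also be scripted with the GroupPolicy PowerShell module that is installed alongside GPMC. This is an added example, not part of the original column; the server DN, computer name and report path are constructed placeholders to replace with your own.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC).
# Constructed placeholders: change these to match an affected member server.
$ComputerDN   = 'CN=SRV01,OU=Servers,DC=example,DC=com'
$ComputerName = 'SRV01'
$BaselineGpo  = 'Default Domain Policy'
$ReportPath   = Join-Path $env:TEMP "$ComputerName-rsop.html"

Import-Module GroupPolicy -ErrorAction Stop

# Containers that can carry GPO links: each OU above the computer, then the domain root.
$parts   = @($ComputerDN -split '(?<!\\),' | Select-Object -Skip 1)
$targets = @()
for ($i = 0; $i -lt $parts.Count; $i++) {
    if ($parts[$i] -like 'OU=*') { $targets += ($parts[$i..($parts.Count - 1)] -join ',') }
}
$targets += (($parts | Where-Object { $_ -like 'DC=*' }) -join ',')

# 1. GPO links and Block Inheritance at every level, nearest OU first.
foreach ($t in $targets) {
    $som = Get-GPInheritance -Target $t
    "{0}  (Block inheritance: {1})" -f $som.Path, $som.GpoInheritanceBlocked
    $som.GpoLinks | Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
}

# 2. Resulting precedence at the computer's own container (Order 1 wins conflicts).
#    This list is computed before security and WMI filtering are evaluated.
(Get-GPInheritance -Target $targets[0]).InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced -AutoSize

# 3. Security filtering: the servers need Read and Apply Group Policy on the GPO,
#    directly or through a group. GpoApply means both are granted.
Get-GPPermission -Name $BaselineGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# 4. WMI filter linked to the GPO (no output means none is linked).
(Get-GPO -Name $BaselineGpo).WmiFilter | Format-List Name, Description

# 5. Resultant Set of Policy report for the server itself: which GPOs it applied
#    and which GPO supplied each setting, such as the minimum password length.
Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Html -Path $ReportPath
```

Any GPO listed above the Default Domain Policy in step 2 that defines password settings is the first place to look.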
