Question : Password Policy on SBS 2003 R2: Advanced Management

I'm running a small business server 2003.

From the Server Management, I go to Advanced Management -> Group Policy Management -> Domains -> domain.local -> Small Business Server Domain Password Policy.

The current policy sets the Maximum Password Age to 14 days, and the minimum length is 8 characters.

I want 45 days and 15 characters as the minimum. So I right click on the policy, and go to edit. It brings up the Group Policy Object Editor.

I go to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -. Password Policy.

I edit Maximum password age to 45 days, and put 14 characters as minimum length (It will not let me select 15).

Now, here is the thing: Above the "Small Business Server Domain Password Policy" I have a "Default Domain Policy" that is set to 42 days for max age and 7 characters for minimum length.

There is a conflict here... why is it that when I open these to edit, GPO Editor is opened?

How do I trace these conflicting policies down and get the result that I want?!

Answer : Password Policy on SBS 2003 R2: Advanced Management

First, the easy question: the GPO Editor gets opened when you edit a GPO because...that's the tool that is used to edit GPOs.  :)

Now the rest.  You can see which policy takes precedence in the Group Policy Management Console.  In this case, both policies should be applied at the domain level (since that's the only place you can specify a password policy in 2003), so click on the domain name in the left pane of the console.  Then click on the Group Policy Inheritance tab in the right pane.  Policies higher in the list take precedence over those lower in the list.  (There are exceptions to this rule, such as when a policy is given the Enforced/No Override setting, but that's not likely true in your case.)