When you change the password policy, the changes are not applied as expected.
This issue can occur in either of the following scenarios:
- The Block Policy Inheritance option is enabled on the Domain Controllers organizational unit.
- The password policy is not set in the Default Domain policy.
To resolve this issue, disable the Block Policy Inheritance option on the Domain Controllers organizational unit:
- Start the Active Directory Users and Computers snap-in.
- Right-click the Domain Controllers organizational unit, click Properties, and then click to clear the Block Policy Inheritance check box.
- On the domain controllers, run the following command:
    secedit /refreshpolicy machine_policy /enforce
This behavior is by design.
In Windows 2000, password policies are read only at the domain level. For the policy to take effect, it must be applied to the domain controllers, because a change to a domain password that is initiated from anywhere in the domain actually occurs on a domain controller.
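
To check for both causes listed above before changing anything, the following is an added example, not part of the original article. It assumes the ActiveDirectory and GroupPolicy PowerShell modules, which postdate Windows 2000, and the function name is hypothetical.

```powershell
# Added example: read-only audit of the two causes listed above. Changes nothing.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are available.
Import-Module ActiveDirectory, GroupPolicy

# Well-known GUID of the Default Domain Policy GPO.
$DefaultDomainPolicyId = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'

function Test-PasswordPolicyDelivery {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Domain)

    $adDomain = Get-ADDomain -Identity $Domain

    # Cause 1: Block Policy Inheritance on the Domain Controllers OU.
    $som = Get-GPInheritance -Target $adDomain.DomainControllersContainer -Domain $Domain

    # Does the Default Domain Policy still reach the DCs through inheritance?
    $ddpLinks = @($som.InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $DefaultDomainPolicyId -and $_.Enabled })

    # Cause 2: no password settings defined in the Default Domain Policy.
    # The XML report lists each one as an Account element with Type 'Password'.
    [xml]$report = Get-GPOReport -Guid $DefaultDomainPolicyId -Domain $Domain -ReportType Xml
    $defined = @($report.SelectNodes(
            "//*[local-name()='Account'][*[local-name()='Type']='Password']") |
        ForEach-Object { $_.SelectSingleNode("*[local-name()='Name']").InnerText })

    # What the domain is actually enforcing right now, for comparison.
    $effective = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    [pscustomobject]@{
        DomainControllersOU      = $som.Path
        InheritanceBlocked       = $som.GpoInheritanceBlocked
        DefaultPolicyReachesDCs  = ($ddpLinks.Count -gt 0)
        PasswordSettingsInPolicy = $defined
        EffectiveMinLength       = $effective.MinPasswordLength
        EffectiveMaxAge          = $effective.MaxPasswordAge
        LikelyCause              = if ($som.GpoInheritanceBlocked -and $ddpLinks.Count -eq 0) {
                                       'Block Policy Inheritance on Domain Controllers OU'
                                   } elseif ($defined.Count -eq 0) {
                                       'No password policy in Default Domain Policy'
                                   } else { 'Neither cause detected' }
    }
}

Test-PasswordPolicyDelivery -Domain (Get-ADDomain).DNSRoot   # current domain
```

On Windows versions after Windows 2000, gpupdate /force replaces the secedit /refreshpolicy command.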