Default Domain Policy changes not applied

[rwalker76]

I've made changes to the password policy in both our root domain and child domain which don't seem to have taken effect. Viewing the policy in both GPMC and from a DCs Domain Security Policy both list the new settings, however these are not being applied to users. Changes were made a few days ago, so I'm pretty sure replication shouldn't be the problem.
All our DCs are 2003 R2, however I have been making use of the 2008 GPPs by managing GPOs from a dedicated 2008 member server.
I've run both gpotool and GPBPA, both show no problems.
I use Jiji AD reporting tool for various reports. Interestingly the report from this still shows that both default domain policies still have their original settings, not the new ones.
Any ideas what I might want to look at next?

Richard.

[pago]

As password policy and GPP have no relationship I don't regard this as the cause.

What does the RSOP report show you for an end user client & user ID combination? Do you see the new defined settings in that report?

[pago]

In addition you can check this article "Things to check when your Password Policy doesn’t apply ":
http://www.frickelsoft.net/blog/?p=137

Patrick

[rwalker76]

Thanks for the replies. I found the problem later the same day, but only just thought to update the post - sorry. We had turned on Block Inheritence filters at the Domain Controllers OU, which was stopping the new policy applying. As soon as I switched them off the policies started applying (and the helpdesk phones started ringing...)
Just checked the link Patrick left and it has this as item 3) to check.
On a related note, I quite liked having Block Inheritence as a way to protect our DCs but obviously don't want to cause more problems like this in future. Does anybody else use Block Inheritence this way and is there a 'safe' way of doing so? Does Enforce override Block Inheritence? Could I turn back on Block Inheritence at my DC OU, and also Enforce my Default Domain Policy?

Cheers again,
Richard.