I recently upgraded our domain from WinNT to Win2K Server SP2 in mixed mode without DNS services running on it (the domain SRV records are still not manually registered by the University-controlled DNS servers; this is pending); it was a domain I inherited when I started my job two months ago. Now that the domain is up, I find there are unique security settings hindering me from performing some basic operations: [1] No user has the right to change their password at logon so I can't check "user must change password at next logon." I tried the MS fix for this (giving rights to EVERYONE to change passwords); I even affixed this at the AD root with no success. Users can login and change their passwords after login, however, so there is a workaround. [2] Policies are having no effect. I can create policies and affix them to OU's with no success. It's as if they don't exist at all. I'm not sure if these are related issues. My test domain doesn't have the SRV records registered either and performed fine with the above two scenarios. I think it's some residual security settings from the WinNT domain but I'm not sure what would hinder this kind of activity in Win2K. Would love any suggestions anyone might have. Thanks!

Are you using all W2k clients? I'm sure you realize the group policies will only be applied to w2k clients.