Generally, assigning policies to containers should work. There’s normal inheritance in play: policies assigned directly to a user will trump all others, and from there on all containers up to the root are checked. The first object for which a policy is found stops the process.
You can verify which policies are in effect for a particular user with the command line tool »univention-policy-result« (example of how to run it: »univention-policy-result -D uid=administrator,cn=users,$(ucr get ldap/base) -W uid=mbunkus,cn=users,$(ucr get ldap/base)«).
For example, I have a user called mbunkus. There’s a global policy regarding passwords; it’s called »cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mbu-test,dc=intranet«, and by default this is assigned to the root of the LDAP tree.
If I change the policy for e.g. the container object for all the users (cn=users) to a policy called »cn=safe-passwords,cn=policies,dc=mbu-test,dc=intranet« and execute the tool, I get these results (shortened to the relevant part):
[code][0 root@master ~] univention-policy-result -D uid=administrator,cn=users,$(ucr get ldap/base) -W uid=mbunkus,cn=users,$(ucr get ldap/base)
Enter LDAP Password:
DN: uid=mbunkus,cn=users,dc=mbu-test,dc=intranet
POLICY uid=mbunkus,cn=users,dc=mbu-test,dc=intranet
…
Policy: cn=safe-passwords,cn=policies,dc=mbu-test,dc=intranet
Attribute: univentionPWHistoryLen
Value: 3
Policy: cn=safe-passwords,cn=policies,dc=mbu-test,dc=intranet
Attribute: univentionPWExpiryInterval
Value: 30
Policy: cn=safe-passwords,cn=policies,dc=mbu-test,dc=intranet
Attribute: univentionPWLength
Value: 16
Policy: cn=safe-passwords,cn=policies,dc=mbu-test,dc=intranet
Attribute: univentionPWQualityCheck
Value: TRUE[/code]
So what you should do is:
[ol][li]Check the user object with the aforementioned »univention-policy-result«.[/li]
[li]If step 1 shows policies you would not expect, then verify each LDAP tree node from the user object on up to the root node to see where policies are assigned and where they’re set to inherited (UMC: domain → LDAP directory → right-click on a node, select »edit« → [Policies]).[/li][/ol]
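
The node-by-node check in step 2 can also be done from the shell. The script below is an added example, not part of the original post: it walks from an object up to the LDAP base and prints which policies are referenced directly on each node. It assumes the UCS wrapper »univention-ldapsearch« is available and that assignments are stored in the attribute »univentionPolicyReference«; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list policy references on each node from an object up to the LDAP base.

# Print the DN and every ancestor up to and including the base, nearest first.
# RDNs are split on unescaped commas only, so values containing "\," survive.
# Assumes DN and base are spelled with the same case.
dn_ancestors() {
    dn=$1; base=$2
    case "$dn" in
        "$base"|*,"$base") ;;
        *) echo "error: $dn is not below $base" >&2; return 1 ;;
    esac
    while :; do
        printf '%s\n' "$dn"
        [ "$dn" = "$base" ] && break
        parent=$(printf '%s' "$dn" | sed -E 's/^([^,\\]|\\.)*,//')
        [ "$parent" = "$dn" ] && return 1   # nothing left to strip: malformed DN
        dn=$parent
    done
}

# Extract policy references from unwrapped LDIF on stdin.
# Assumption: assignments are stored in the univentionPolicyReference attribute.
policy_refs() {
    awk '/^univentionPolicyReference: /  { sub(/^[^:]*: /, "");  print }
         /^univentionPolicyReference:: / { sub(/^[^:]*:: /, ""); print "(base64) " $0 }'
}

# Query each node (base scope) and show what is assigned directly on it.
# Assumption: runs as root on a UCS system where univention-ldapsearch can bind.
walk_policies() {
    dn_ancestors "$1" "$(ucr get ldap/base)" | while IFS= read -r node; do
        printf '%s\n' "$node"
        refs=$(univention-ldapsearch -LLL -o ldif-wrap=no -s base -b "$node" \
                   univentionPolicyReference </dev/null | policy_refs)
        if [ -n "$refs" ]; then
            printf '%s\n' "$refs" | sed 's/^/    assigned: /'
        else
            echo "    (nothing assigned here)"
        fi
    done
}

# Usage: sh policy-walk.sh uid=mbunkus,cn=users,dc=mbu-test,dc=intranet
[ "$#" -eq 0 ] || walk_policies "$1"
```

Nodes that print »(nothing assigned here)« carry no direct assignment; compare the listing with the output of »univention-policy-result« for the same object to see which node a given value comes from.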