Re: GPO configuration



I am still confused on this issue. What if I leave the domain
account/password policy undefined and apply different OU account/password
policies? It seems like this should work. Also, on the issue of overrides:
does an account/password policy applied at the domain level override the OU
level? I thought the lower GPO policies would overwrite the upper levels if
the same setting is configured with different parameters. So in my question
above, would the undefined policy override the defined policy? Do
account/password policies always override lower processed GPO policies even
if you do not set No Override on the GPO? Note - these questions apply to the 2000
arena - 70-217.
Thanks

"Steven L Umbach" wrote:

> Within the native operating system there can be only one password/account
> policy for "domain" users and this is defined only at the domain level. The
> domain controllers apply password policy and they read the policy from the
> winning domain level policy that has password policy defined which in a
> fresh install would be Domain Security Policy. However any domain linked GPO
> could apply the password policy and the GPO at the top of the list has
> highest priority. When configuring a password/account policy make sure that
> you do not change defined settings to "undefined" to reverse or disable
> them. A good example is password complexity. If you want to disable it for
> some reason change the domain level policy to disabled and not undefined as
> undefined will not disable it.
>
> There are ways to use a custom passfilt.dll to have different password
> policies for different users/computers in a domain. Writing and installing a
> passfilt.dll correctly is not a trivial matter and takes a good programmer,
> and there are third party applications that can do so. In my opinion it
> makes sense to have a strong password/account policy for all domain users
> and to train users how to conform to it. Training users to use pass phrases
> instead of passwords can help immensely. Instead of remembering T65r)*xn as
> a password they could use a favorite phrase such as A spoonful of sugar!
> which is a long complex password. Train them to leave the spaces in the
> passphrase. For sensitive accounts consider using smart cards and
> configuring the user account to require a smart card for logon.
>
> In Windows 2000/2003 domains are NOT security boundaries - forests are. You
> can create external or possibly forest trusts [in Windows 2003] to allow
> resources to users from a different forest. Remember that admins in the root
> forest domain are all powerful in a forest. --- Steve
>
>
> "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:79A7C1D9-7FD0-44A2-86C2-3E86D264F2DB@xxxxxxxxxxxxxxxx
> > Hi,
> > I am confused on the issue of Domains and security boundaries. Can I have
> > different password policies in the same domain? Couldn't I have one policy
> > that has a 6 character password requirement and link it to a GPO for the
> > general user, and then have a 12 character password requirement for admin
> > group linked through a GPO? Also what happens when you have a GPO like this
> > with password requirements linked to a site that crosses domains? Does it
> > just not process or execute properly?
> > Thanks - Wayner
>
>
>
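The resolution rule Steve describes (domain account policy is read only from GPOs linked at the domain level, the link at the top of the list wins per setting, and "Not Defined" never reverses a setting a lower-precedence GPO defined) can be modelled and checked against a real domain. The following PowerShell is an added example and is not part of the original thread or from either poster; the GPO names, link orders and setting values are constructed test data, not a real environment, and the function name Resolve-DomainPasswordPolicy is my own.

```powershell
# Added example, not from the thread. Models how domain controllers pick the
# effective password/account policy in a 2000/2003-style domain:
#  - only links at the domain container count (Scope 'Domain'); a GPO linked
#    to an OU or site affects local accounts on those computers, not domain users;
#  - among domain links, the lowest Order number (top of the list in GPMC/GPMMC)
#    wins for every setting it actually defines;
#  - a setting left "Not Defined" ($null here) is skipped, so the next link
#    down still supplies its value; only an explicit 'Disabled' turns it off.
function Resolve-DomainPasswordPolicy {
    param(
        # Each link: Name, Scope ('Domain','OU','Site'), Order (1 = highest
        # precedence), Settings (hashtable; $null value means Not Defined).
        [Parameter(Mandatory)] [object[]] $Links,
        [string[]] $SettingNames = @('MinimumPasswordLength', 'PasswordComplexity',
                                     'MaximumPasswordAge', 'LockoutThreshold')
    )
    $domainLinks = $Links | Where-Object { $_.Scope -eq 'Domain' } | Sort-Object Order
    foreach ($name in $SettingNames) {
        $winner = $null
        foreach ($link in $domainLinks) {
            if ($link.Settings.ContainsKey($name) -and $null -ne $link.Settings[$name]) {
                $winner = [pscustomobject]@{ Setting = $name; Value = $link.Settings[$name]; Source = $link.Name }
                break   # first defined value in precedence order wins
            }
        }
        if (-not $winner) {
            $winner = [pscustomobject]@{ Setting = $name; Value = 'Not Defined'; Source = '(none)' }
        }
        $winner
    }
}

# Constructed test data (hypothetical GPO names and values).
$links = @(
    # Placed at the top of the domain link list. It raises the length but tries
    # to switch complexity off by leaving it Not Defined, which does nothing.
    [pscustomobject]@{ Name = 'Corp Password Policy'; Scope = 'Domain'; Order = 1
        Settings = @{ MinimumPasswordLength = 12; PasswordComplexity = $null } }
    [pscustomobject]@{ Name = 'Default Domain Policy'; Scope = 'Domain'; Order = 2
        Settings = @{ MinimumPasswordLength = 7; PasswordComplexity = 'Enabled'
                      MaximumPasswordAge = 42; LockoutThreshold = 0 } }
    # Linked to an OU: ignored for domain accounts, whatever its link order.
    [pscustomobject]@{ Name = 'Admins 15-char Policy'; Scope = 'OU'; Order = 1
        Settings = @{ MinimumPasswordLength = 15 } }
)

'--- Complexity left Not Defined in the top GPO: Default Domain Policy still wins it'
Resolve-DomainPasswordPolicy -Links $links | Format-Table -AutoSize
# MinimumPasswordLength 12 (Corp), PasswordComplexity Enabled (Default Domain Policy),
# MaximumPasswordAge 42, LockoutThreshold 0; the OU-linked 15 never appears.

'--- Same GPO with complexity explicitly Disabled: now it actually turns off'
$links[0].Settings['PasswordComplexity'] = 'Disabled'
Resolve-DomainPasswordPolicy -Links $links | Format-Table -AutoSize

# To check the real thing rather than the model (GroupPolicy and ActiveDirectory
# modules, 2008 R2 or later management tools):
#   Get-GPInheritance -Target (Get-ADDomain).DistinguishedName |
#       Select-Object -ExpandProperty GpoLinks      # Order 1 = top of the list
#   Get-ADDefaultDomainPasswordPolicy               # what the DCs actually enforce
#   Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml  # see which
#       account settings each domain-linked GPO defines versus leaves undefined
```

Running the block twice shows the point of the thread: moving a GPO to the top of the domain link list only changes the settings it defines, so disabling complexity requires setting it to Disabled in that GPO, not clearing it, and an OU-linked GPO with a longer minimum length never reaches domain accounts.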