Re: GPO configuration



"Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> prattled
ceaselessly in news:50DD62F2-91D2-4E7C-9F97-FF6CF7DDC452@xxxxxxxxxxxxx:

> I am still confused on this issue. What if I leave the domain
> account/password policy undefined and apply different OU
> account/password policies? It seems like this should work. Also on
> the issue of overrides - does an account/password policy applied at
> the domain level override OU level? I thought the lower GPO policies
> would overwrite the upper levels if the same setting is configured
> with different parameters. So in my question above the undefined
> policy would override the defined policy? Do account/password
> policies always override lower processed GPO policies even if you do
> not no override in the GPO? Note - these questions apply to 2000
> arena - 70-217. Thanks
>

OU Account Policies only affect local SAM accounts for the computer
accounts in that OU. All domain controllers will get their Account
Policies (Password Policies, Account Lockout Policies, and Kerberos
Policies) from the winning domain level policy and nowhere else. Also,
Account Policies are in the computer configuration of group policy and
therefore would affect computers and not users. Active Directory user
accounts will be affected by the policy the domain controllers use which
is always only from the winning domain account policies. Normally, you
would be correct that the policy closer to the object would win, but this
is the exception that proves the rule.

--
Catwalker
aka Pu$$y Feet
BS, MCP, MCSA
MCNGP #43
www.mcngp.com
faq.mcngp.com
"If man could be crossed with the cat, it would improve man, but it would
deteriorate the cat." Mark Twain
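
A simplified model of the precedence described in the reply above, added here as an illustration and not part of the original post. The GPO names, OU name and values are constructed, and an empty result means no GPO defines the setting, so it does not mean the OU value applies.

```python
# Simplified model of Group Policy account-policy resolution (added example).
# GPO names, OU names and values below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    account_policy: dict = field(default_factory=dict)  # undefined settings are absent
    no_override: bool = False                            # "No Override" set on the link

def merge(gpos):
    """Apply GPOs in processing order: later wins unless an earlier link is No Override."""
    effective, locked = {}, set()
    for gpo in gpos:
        for setting, value in gpo.account_policy.items():
            if setting in locked:
                continue                 # a higher-level No Override link already won
            effective[setting] = value
            if gpo.no_override:
                locked.add(setting)
    return effective

def domain_account_policy(domain_gpos, ou_gpos):
    """AD user accounts: domain controllers take account policy from domain-level links only."""
    return merge(domain_gpos)            # ou_gpos is deliberately ignored

def local_sam_policy(domain_gpos, ou_gpos):
    """Local SAM accounts on a computer in the OU: normal domain-then-OU processing."""
    return merge(list(domain_gpos) + list(ou_gpos))

# Constructed scenario 1: domain policy defined, OU policy sets a different value.
domain = [Gpo("Default Domain Policy", {"MinimumPasswordLength": 8})]
sales_ou = [Gpo("Sales OU Policy", {"MinimumPasswordLength": 14})]

# Constructed scenario 2 (the question quoted above): domain account policy left undefined.
domain_undefined = [Gpo("Default Domain Policy", {})]

if __name__ == "__main__":
    for label, dom in (("defined", domain), ("undefined", domain_undefined)):
        print(label, "domain accounts:", domain_account_policy(dom, sales_ou))
        print(label, "local SAM accounts:", local_sam_policy(dom, sales_ou))
```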