Re: GPO configuration
- From: "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 5 Jul 2005 14:14:01 -0700
Thanks - Wayne
"Steven L Umbach" wrote:
> There natively is no possible way to override/bypass domain password policy
> for domain users. Again, domain controllers read ONLY the domain container
> GPOs for password/account policy. If you undefine a password/account policy
> setting that means "no change" from current configuration. Password/account
> policy is one of the few exceptions to the normal way GP is applied and this
> naturally confuses a lot of users. You can use the command "net accounts"
> on a domain controller to find out most domain password policy settings
> other than complexity. The link below explains also. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
>
> "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:50DD62F2-91D2-4E7C-9F97-FF6CF7DDC452@xxxxxxxxxxxxxxxx
> > I am still confused on this issue. What if I leave the domain
> > account/password policy undefined and apply different OU account/password
> > policies? It seems like this should work. Also on the issue of overrides -
> > does an account/password policy applied at the domain level override OU
> > level? I thought the lower GPO policies would overwrite the upper levels if
> > the same setting is configured with different parameters. So in my question
> > above the undefined policy would override the defined policy? Do
> > account/password policies always override lower processed GPO policies even
> > if you do not no override in the GPO? Note - these questions apply to 2000
> > arena - 70-217.
> > Thanks
> >
> > "Steven L Umbach" wrote:
> >
> >> Within the native operating system there can be only one password/account
> >> policy for "domain" users and this is defined only at the domain level.
> >> The domain controllers apply password policy and they read the policy
> >> from the winning domain level policy that has password policy defined
> >> which in a fresh install would be Domain Security Policy. However any
> >> domain linked GPO could apply the password policy and the GPO at the top
> >> of the list has highest priority. When configuring a password/account
> >> policy make sure that you do not change defined settings to "undefined"
> >> to reverse or disable them. A good example is password complexity. If you
> >> want to disable it for some reason change the domain level policy to
> >> disabled and not undefined as undefined will not disable it.
> >>
> >> There are ways to use custom passfilt.dll to have different password
> >> policies for different users/computers in a domain. Writing and
> >> installing a passfilt.dll correctly is not a trivial matter and takes a
> >> good programmer and there are third party applications that can do such.
> >> In my opinion it makes sense to have a strong password/account policy for
> >> all domain users and to train users how to conform to it. Training users
> >> to use pass phrases instead of passwords can help immensely. Instead of
> >> remembering T65r)*xn as a password they could use a favorite phrase such
> >> as A spoonful of sugar! which is a long complex password. Train them to
> >> leave the spaces in the passphrase. For sensitive accounts consider using
> >> smart cards and configuring the user account to require a smart card for
> >> logon.
> >>
> >> In Windows 2000/2003 domains are NOT security boundaries - forests are.
> >> You can create external or possibly forest trusts [in Windows 2003] to
> >> allow resources to users from a different forest. Remember that admins in
> >> the root forest domain are all powerful in a forest. --- Steve
> >>
> >>
> >> "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:79A7C1D9-7FD0-44A2-86C2-3E86D264F2DB@xxxxxxxxxxxxxxxx
> >> > Hi,
> >> > I am confused on the issue of Domains and security boundaries. Can I
> >> > have different password policies in the same domain? Couldn't I have
> >> > one policy that has a 6 character password requirement and link it to
> >> > a GPO for the general user, and then have a 12 character password
> >> > requirement for admin group linked through a GPO? Also what happens
> >> > when you have a GPO like this with password requirements linked to a
> >> > site that crosses domains? Does it just not process or execute
> >> > properly?
> >> > Thanks - Wayner
> >>
> >>
> >>
>
>
>
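
An added illustration, not part of any message in this thread: a simplified Python model of the rule Steve describes, where domain controllers read password policy only from domain-linked GPOs, the GPO at the top of the list wins, and an undefined setting means "no change". The function name, setting names and sample values are assumptions made for the example.

```python
# Simplified model (an assumption, not Windows code) of the behaviour described
# in the thread: domain controllers build the password policy for domain users
# only from GPOs linked to the domain container; OU-linked GPOs are not read.
UNDEFINED = None  # "not defined" in the GPO editor: leave the current value alone


def effective_domain_policy(current, domain_gpos, ou_gpos=()):
    """Return the password policy a DC enforces for domain users.

    current     -- settings already in force on the domain (dict)
    domain_gpos -- GPOs linked at the domain, highest priority first
    ou_gpos     -- GPOs linked to OUs; accepted only to show they are ignored
    """
    result = dict(current)
    # Apply lowest priority first so the GPO at the top of the list wins.
    for gpo in reversed(list(domain_gpos)):
        for setting, value in gpo.items():
            if value is not UNDEFINED:  # undefined means "no change"
                result[setting] = value
    return result


# Constructed sample state: values are illustrative only.
IN_FORCE = {"min_length": 7, "complexity": True}


def scenario_ou_policies():
    # The question in the thread: domain GPO left undefined, 6 and 12 set on OUs.
    domain = [{"min_length": UNDEFINED, "complexity": UNDEFINED}]
    ous = [{"min_length": 6}, {"min_length": 12}]
    return effective_domain_policy(IN_FORCE, domain, ous)


def scenario_undefine_complexity():
    # Switching a defined setting back to "not defined" changes nothing.
    return effective_domain_policy(IN_FORCE, [{"complexity": UNDEFINED}])


def scenario_disable_complexity():
    # Setting it to Disabled is what actually turns complexity off.
    return effective_domain_policy(IN_FORCE, [{"complexity": False}])


def scenario_two_domain_gpos():
    # Two domain-linked GPOs: the one at the top of the list has priority.
    return effective_domain_policy(IN_FORCE, [{"min_length": 12}, {"min_length": 6}])
```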