Re: GPO configuration



It configures any computer in the Domain Controllers container, which by
default would only be domain controllers. Because of that it is also a good
idea to never move a domain controller out of the Domain Controllers
container, which is actually an OU. You can, however, configure child OUs in
the Domain Controllers container if you have special needs to apply different
policy [other than password/account policy] to groups of domain
controllers. Say you have one domain controller that you want regular users
to log on to, which normally is not good practice, but I have heard of some
configuring a domain controller to be a Terminal Server. Often people's
budgets outweigh certain security concerns, but that is the real world. ---
Steve


"Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AAD2682E-2CD0-439E-ACA4-41A91FD40806@xxxxxxxxxxxxxxxx
> Another question - Does the default domain controller policy affect all
> domain controllers or only the one on which modifications are made?
>
> "Steven L Umbach" wrote:
>
>> There natively is no possible way to override/bypass domain password policy
>> for domain users. Again, domain controllers read ONLY the domain container
>> GPOs for password/account policy. If you undefine a password/account policy
>> setting, that means "no change" from the current configuration.
>> Password/account policy is one of the few exceptions to the normal way GP is
>> applied, and this naturally confuses a lot of users. You can use the command
>> "net accounts" on a domain controller to find out most domain password policy
>> settings other than complexity. The link below explains also. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
>>
>> "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:50DD62F2-91D2-4E7C-9F97-FF6CF7DDC452@xxxxxxxxxxxxxxxx
>> > I am still confused on this issue. What if I leave the domain
>> > account/password policy undefined and apply different OU account/password
>> > policies? It seems like this should work. Also on the issue of overrides:
>> > does an account/password policy applied at the domain level override OU
>> > level? I thought the lower GPO policies would overwrite the upper levels if
>> > the same setting is configured with different parameters. So in my question
>> > above the undefined policy would override the defined policy? Do
>> > account/password policies always override lower processed GPO policies even
>> > if you do not set No Override in the GPO? Note - these questions apply to
>> > the 2000 arena - 70-217.
>> > Thanks
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Within the native operating system there can be only one password/account
>> >> policy for "domain" users, and this is defined only at the domain level.
>> >> The domain controllers apply password policy, and they read the policy from
>> >> the winning domain-level policy that has password policy defined, which in
>> >> a fresh install would be Domain Security Policy. However, any domain-linked
>> >> GPO could apply the password policy, and the GPO at the top of the list has
>> >> highest priority. When configuring a password/account policy make sure that
>> >> you do not change defined settings to "undefined" to reverse or disable
>> >> them. A good example is password complexity. If you want to disable it for
>> >> some reason, change the domain-level policy to disabled and not undefined,
>> >> as undefined will not disable it.
>> >>
>> >> There are ways to use a custom passfilt.dll to have different password
>> >> policies for different users/computers in a domain. Writing and installing
>> >> a passfilt.dll correctly is not a trivial matter and takes a good
>> >> programmer, and there are third-party applications that can do such. In my
>> >> opinion it makes sense to have a strong password/account policy for all
>> >> domain users and to train users how to conform to it. Training users to use
>> >> passphrases instead of passwords can help immensely. Instead of remembering
>> >> T65r)*xn as a password they could use a favorite phrase such as "A spoonful
>> >> of sugar!", which is a long complex password. Train them to leave the
>> >> spaces in the passphrase. For sensitive accounts consider using smart cards
>> >> and configuring the user account to require a smart card for logon.
>> >>
>> >> In Windows 2000/2003 domains are NOT security boundaries - forests are. You
>> >> can create external or possibly forest trusts [in Windows 2003] to allow
>> >> resources to users from a different forest. Remember that admins in the
>> >> root forest domain are all powerful in a forest. --- Steve
>> >>
>> >>
>> >> "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:79A7C1D9-7FD0-44A2-86C2-3E86D264F2DB@xxxxxxxxxxxxxxxx
>> >> > Hi,
>> >> > I am confused on the issue of domains and security boundaries. Can I
>> >> > have different password policies in the same domain? Couldn't I have one
>> >> > policy that has a 6-character password requirement and link it to a GPO
>> >> > for the general user, and then have a 12-character password requirement
>> >> > for the admin group linked through a GPO? Also what happens when you have
>> >> > a GPO like this with password requirements linked to a site that crosses
>> >> > domains? Does it just not process or execute properly?
>> >> > Thanks - Wayner
>> >>
>> >>
>> >>
>>
>>
>>
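The three points Steve makes above can be checked from an admin workstation rather than taken on faith: which password/account policy is actually in effect, which domain-linked GPO is the one at the top of the list that supplies it (and which GPOs merely leave those settings undefined), and whether every domain controller is still inside the Domain Controllers OU. The script below is an added example written for this page, not code from the thread. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules (which did not exist in the Windows 2000 era the thread discusses) and a domain-admin session on a domain-joined host; the layout it assumes for the XML GPO report (an Account element with Name and SettingNumber/SettingBoolean children) and the setting names it looks for are marked in the comments.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in AD or GP.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and a domain-admin session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dcOU     = $domain.DomainControllersContainer      # OU=Domain Controllers,DC=...

# 1. The effective domain password/account policy. This is what "net accounts"
#    reports on a DC, plus the complexity flag that net accounts does not show.
"== Effective domain password/account policy for $($domain.DNSRoot) =="
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                MaxPasswordAge, MinPasswordAge, LockoutThreshold,
                LockoutDuration, LockoutObservationWindow | Out-String

# 2. GPOs linked at the domain, in precedence order (Order 1 = top of the list,
#    highest priority). For each one, list the password/account settings it
#    actually defines. A setting left "undefined" simply does not appear in the
#    report, which is why undefining never disables anything.
# Assumption: these are the setting names as they appear in the GPO XML report
# (the same keys as the [System Access] section of a secedit template).
$pwSettings = 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
              'MaximumPasswordAge', 'MinimumPasswordAge', 'ClearTextPassword',
              'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount'

"`n== GPOs linked at $domainDN, precedence order =="
$links = (Get-GPInheritance -Target $domainDN).GpoLinks | Sort-Object Order
foreach ($link in $links) {
    $xml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    # Assumption about the report layout: each security setting is an <Account>
    # element carrying a <Name> and a <SettingNumber> or <SettingBoolean> child.
    $accountElems = [regex]::Matches($xml, '<(?:\w+:)?Account>(.*?)</(?:\w+:)?Account>', 'Singleline')
    $defined = foreach ($m in $accountElems) {
        $body  = $m.Groups[1].Value
        $name  = [regex]::Match($body, '<(?:\w+:)?Name>([^<]+)</').Groups[1].Value
        $value = [regex]::Match($body, '<(?:\w+:)?Setting(?:Number|Boolean)>([^<]+)</').Groups[1].Value
        if ($pwSettings -contains $name) { "$name=$value" }
    }
    # Enforced is the modern name for what Windows 2000 called "No Override".
    $state = if (-not $link.Enabled) { 'link disabled' }
             elseif ($link.Enforced)  { 'enforced / no override' }
             else                     { 'normal' }
    $summary = if ($defined) { $defined -join ', ' } else { 'no password/account settings (all undefined)' }
    "{0}. {1} [{2}] -> {3}" -f $link.Order, $link.DisplayName, $state, $summary
}

# 3. Every DC should still sit in the Domain Controllers OU (or a child OU of it),
#    otherwise the Default Domain Controllers Policy and anything else linked
#    there stops applying to it. The -notlike test accepts child OUs because a
#    child's DN still ends with the Domain Controllers OU DN.
"`n== Domain controllers outside $dcOU =="
$strays = Get-ADDomainController -Filter * |
    Where-Object { $_.ComputerObjectDN -notlike "*,$dcOU" }
if ($strays) {
    $strays | Format-Table HostName, ComputerObjectDN -AutoSize | Out-String
} else {
    'none'
}
```

Run it as-is to audit the current domain. Section 2 is the one that answers Wayne's question directly: the first entry in the list that shows any password/account settings is the GPO the domain controllers take their policy from, and a GPO whose line says "all undefined" contributes nothing to the password policy however high it sits in the list. Section 3 reports only; if it lists a DC, move the computer object back with ADUC or Move-ADObject rather than relinking policy elsewhere.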

