Re: GPO configuration

Tech-Archive recommends: Fix windows errors by optimizing your registry

In article <Xns968A8033A4C81catwalker63athotmail@xxxxxxxxxxxxxx>,
_catwalker63_@xxxxxxxxxxxxxxx says...
> "=?Utf-8?B?V2F5bmU=?=" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> prattled
> ceaslessly in news:50DD62F2-91D2-4E7C-9F97-FF6CF7DDC452@xxxxxxxxxxxxx:
>
> > I am still confused on this issue. What if I leave the domain
> > account/password policy undefined and apply different OU
> > account/password policies? It seems like this should work. Also on
> > the issue of overrides - does an account/password policy applied at
> > the domain level override OU level? I thought the lower GPO policies
> > would overwrite the upper levels if the same setting is configured
> > with different parameters. So in my question above the undefined
> > policy would override the defined policy? Do account/password
> > policies always override lower processed GPO policies even if you do
> > not no override in the GPO? Note - these questions apply to 2000
> > arena - 70-217. Thanks
> >
>
> OU Account Policies only affect local SAM accounts for the computer
> accounts in that OU. All domain controllers will get their Account
> Policies (Password Policies, Account Lockout Policies, and Kerberos
> Policies) from the winning domain level policy and nowhere else.

Not quite - the effective settings applied for Account policies are
resolved like they are for any other GPO setting - not at the policy
level, hence there is no "winning policy" per se.

> Also,
> Account Policies are in the computer configuration of group policy and
> therefore would affect computers and not users. Active Directory user
> accounts will be affected by the policy the domain controllers use which
> is always only from the winning domain account policies. Normally, you
> would be correct that the policy closer to the object would win, but this
> is the exception that proves the rule.
>
>
.

Relevant Pages

  • Re: GPO causing client security logs to fill?
    ... a virus in play. ... settings to be applied on your client workstations. ... Group Policy is a complex and often misunderstood beast. ... I modified the account ...
    (microsoft.public.windows.server.sbs)
  • Re: Password policy, no override
    ... DCs will ignore any password policies you set at the domain controller ... I would disagree with setting the password policy on the Default ... > account and not the Domain user account object). ...
    (microsoft.public.win2000.active_directory)
  • Re: Cannot edit "Log on as a service" and "Allow log on locally" policies on W2K3 server.
    ... I am installing a new version of a program on my W2K3 SP1 server and one of the requirements is to create a "local" user account and grant this account ... However when I go into the Local Security Policy editor/Security settings/Local Policies/User Rights Assignment, I do not get the option to add or edit. ... These two policies both have different icons showing so I'm not sure what that indicates but am sure it has to do with why I cannot make any changes there. ... drill down to those settings and it'll tell you which policy is applying to those settings. ...
    (microsoft.public.windows.server.general)
  • Re: GPO configuration
    ... > account/password policy undefined and apply different OU ... > the domain level override OU level? ... I thought the lower GPO policies ... All domain controllers will get their Account ...
    (microsoft.public.cert.exam.mcse)
  • Re: The local policy of this system does not permit you to logon i
    ... Security policies were propagated with warning. ... Error 0x534 occurs when a user account in one or more Group Policy objects ... I have checked the security policies & the administrator profile is not ...
    (microsoft.public.windows.server.sbs)