Re: OU vs. Domain GPO's
From: John J. Rambone (lgm_rambone_at_remove.hotmail.com)
Date: 03/29/04
- Next message: Justin Allen: "RE: Moving all users in subdomains to root domain"
- Previous message: Cary Shultz [A.D. MVP]: "Re: New server setup"
- In reply to: Cary Shultz [A.D. MVP]: "Re: OU vs. Domain GPO's"
- Next in thread: Chriss3: "Re: OU vs. Domain GPO's"
- Reply: Chriss3: "Re: OU vs. Domain GPO's"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 28 Mar 2004 21:44:21 -0800
Well, we have a web based time clock program that is used by people in the
company that do not have computers. I have setup a kiosk machine here and
there (different sites), but there are a few locations where it makes sense
so use for example the warehouse computer, etc. On those computers I've
setup a local user just so people can login to and punch in and out for
work. (issue is people forget to change form domain to local computer and
back again). I was hoping to move away from local users and setup a domain
user with a locked down setup. I just wanted the password to be blank.
Another issue is a user will leave their computer open and then non-computer
user will go the website to clock out or in and start surfing on that
computer.
These issues are user education related, etc. Just trying to save myself a
phone call or two every now and then.
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:Of%23oWAUFEHA.2868@TK2MSFTNGP12.phx.gbl...
> John,
>
> No, password policy is set at the domain level. And there can be only
one.
> If you set a password policy at the OU level it will not affect the users,
> it will affect whatever computer account objects ( local accounts
> passwords ) might be contained in that particular OU.
>
> The only way that I could think that this *might* work would be to undo
the
> password complexity setting and create the user account with the
> userAccountControl attribute set to '66048' ( the 'Password never expires'
> checkbox checked - maybe use ldifde to create the user account? ) and then
> later reset the password complexity. Not really sure that you want to
start
> messing with this, though. I am not sure that I understand why you would
> want to have this nice password policy / complexity for the entire domain
> and then have one account that would be vulnerable. What are you trying
to
> do with this one account.
>
> BTW - you are correct in that *typically* the pecking order for GPOs is
> Local, Site, Domain and OU. However, as this is a password policy it is
> specifically set at the domain level ( either via the Default Domain
Policy
> or the Domain Security Policy - either one works ).
>
>
> HTH,
>
> Cary
>
> "John J. Rambone" <lgm_rambone@remove.hotmail.com> wrote in message
> news:drM9c.16096$Q45.8663@fed1read02...
> > I have created an OU for 1 user. I have locked down the OU so the only
> > thing that appears is a start menu and IE and IE is locked down to only
go
> > to 1 address inside the company. I want the 1 user to have a blank
> > password, but I have complex password defined for my Domain. I thought
> the
> > OU took precedence over the domain gpo. Is there a work around for
this?
> >
> > John J.
> >
> >
>
>
- Next message: Justin Allen: "RE: Moving all users in subdomains to root domain"
- Previous message: Cary Shultz [A.D. MVP]: "Re: New server setup"
- In reply to: Cary Shultz [A.D. MVP]: "Re: OU vs. Domain GPO's"
- Next in thread: Chriss3: "Re: OU vs. Domain GPO's"
- Reply: Chriss3: "Re: OU vs. Domain GPO's"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
