Re: Block Policy Inheritance not working as anticipated
From: bottomfeeder (bottomfeeder_at_discussions.microsoft.com)
Date: 07/20/04
- Next message: Gary Mudgett [MSFT]: "Re: Local Group Membership not Persistent"
- Previous message: bottomfeeder: "RE: Block Policy Inheritance not working as anticipated"
- In reply to: Steven L Umbach: "Re: Block Policy Inheritance not working as anticipated"
- Next in thread: bottomfeeder: "RE: Block Policy Inheritance not working as anticipated"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 19 Jul 2004 18:17:02 -0700
Thanks Steve.
"Steven L Umbach" wrote:
> Password/account policy for domain users can only be configured at the domain level,
> and any attempts to bypass it will not work. Think of it as having a permanent no
> override applied to it. You would have to create another domain to have different
> password/account policy. You can configure AD accounts to "not expire" in account
> properties to bypass the password age setting if that helps. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
>
> "bottomfeeder" <bottomfeeder@discussions.microsoft.com> wrote in message
> news:5CB08C55-1367-4AA8-8950-269A80A927ED@microsoft.com...
> > I have a Domain Controller running Windows 2000 Server. The Domain container
> (root) has a GPO (Default Domian Policy) with password policies defined (complexity,
> history, length and age). Below the Domain container I have 3 OUs (Accounts, Domain
> Controllers and Groups). Only the Domain Controllers OU has it's own GPO (Default
> Domain Controllers Policy). This policy does not have any password policies defined.
> >
> > Below the Accounts OU I have a child OU (EM Mailbox) that contains User accounts.
> I have one GPO set for this OU which does not have any password policies defined. I
> have selected the check box for "Block Policy Inheritance" under the Group Policy tab
> of the EM Mailbox properties.
> >
> > I expected this to block the password policy settings from GPO on the Domain
> Container (root), but it has not worked. On the Domain Controller I have issued the
> following command after selecting the Block Policy Inheritance check box:
> >
> > secedit /refreshpolicy machine_policy /enforce
> >
> > I also restarted the Domain Controller after issueing the secedit command above.
> >
> > I am still unable to create a new user account in the EM Mailbox OU without being
> subject to the password policies set in the GPO associated with the Domain Container
> (root). I need to be able to create the new user account using a password that does
> not meet all the password requirements set in the Domain Container's GPO.
> >
> > Does anyone have any suggestions?
> >
> > Thanks in advance!!
>
>
>
- Next message: Gary Mudgett [MSFT]: "Re: Local Group Membership not Persistent"
- Previous message: bottomfeeder: "RE: Block Policy Inheritance not working as anticipated"
- In reply to: Steven L Umbach: "Re: Block Policy Inheritance not working as anticipated"
- Next in thread: bottomfeeder: "RE: Block Policy Inheritance not working as anticipated"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
