Re: where to apply?
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 09/19/04
- Next message: David H. Lipman: "Re: Earn $$$$$$$ FAST! Piece of cake. -xb:0"
- Previous message: CurtisC: "Publishing/Assigning Applications"
- In reply to: Me: "Re: where to apply?"
- Next in thread: Ken B: "Re: where to apply?"
- Reply: Ken B: "Re: where to apply?"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 19 Sep 2004 11:03:27 -0400
Hello Me!
in-line....
"Me" <me@myco.com> wrote in message
news:eotok0pabaa5hh3e6qg2n9ru82d0lgfce0@4ax.com...
> On Sat, 18 Sep 2004 12:52:08 -0400, "Cary Shultz [A.D. MVP]"
> <cwshultz@mvps.org> wrote:
>
> >Hello Me!
> >
> >I guess that this would be Mini Me writing to you? But is that possible at
> >6' / 210 lbs to be called 'Mini-Me'? Probably not!
> >
> >This is a basic question. But a good one and one that often comes up. So,
> >if you have it then you know that a ton of others have it as well.
> >
> >Password Policy is a special animal. There can be only one password policy
> >per domain and you apply it to the domain level ( through the Domain
> >Security Policy ). Period!
> >
> >You can not have a password policy applied to the OU level and have it apply
> >to any domain user accounts. That policy would, however, apply to any local
> >user accounts to any computer account objects that might reside in the OU to
> >which this password policy GPO was linked. What does that mean? Say that
> >you have an OU in which there are 15 computer account objects: pc01, pc02,
> >pc03, etc. You apply the password policy GPO to this OU. At the next reboot
> >of the computers, user accounts logging on locally ( to the computer, not to
> >the domain ) will be affected by this password policy.
> >
> >Does this make sense?
>
> Does it make sense ... Let me see ... if for example I was stubborn and
> still wanted to apply password policy to an OU I would have to have
> all the user and computer accounts in that OU or sub OU... AND ..... (
> note the .... is me thinking ) I would have to have all those users
> logon locally to their machines!?!
I think that the one thing about which you do not want to be stubborn is in
accepting the fact that there can be only one Password Policy per domain.
Period. If you need to have multiple password policies then you need to
have multiple domains!
I probably should not have included the part about the OUs as it tends to
confuse people for whom this topic is not clear. So, forget about that.
Clearly having people log on to their local machines ( and not to the
domain ) is not acceptable.
> Further, if I wanted to apply password policy to some users only,
> (with all users logging in the domain which is of course the best) I
> would have to link the gpo to the domain and then deny the users I
> didn't want to have it to that gpo yes?
The Password Policy affects all user account objects. Period. There is no
way to selectively enforce to which user account objects this policy either
applies or does not apply. To simplify why, think of it this way ( I think
that Paul explained it in a similar fashion - co credit goes to him! ): you
are setting the Password Policy so that the Domain Controller(s) know what
type of password it/they will accept when authenticating. Does this help
you to better understand this? This is why the Password Policy is set at
the Computer Configuration. It is really for the Domain Controllers!
> >Mini Me! aka Cary
>
> Thanks Mini Me. BTW - I gladly call you Mini Me for helping me out! :)
Thanks, Me!
Mini-Me.
>
>
>
> >"Me" <me@myco.com> wrote in message
> >news:l4mok09q7lkhfb4j883u528a4v0iboej4i@4ax.com...
> >> I know this is a GPO 101 type question but any help would be welcome..
> >>
> >> Let's say you have a 2003 domain with a single user OU called
> >> employees. You want to set a password policy so that employees have
> >> complex passwords. Do you link it to the domain or Employees OU and
> >> why?
> >>
> >> Sounds like a test question I know but I would set it at the
> >> employees OU because I may want to create another OU later and not
> >> apply the GPO there. Does this make sense or should I just link it to
> >> the domain and deny permissions to it for the new OU I create?
> >>
> >> Thanks for any advice.
> >
>
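
To check a domain for the situation discussed in this thread (a GPO that carries password settings but is linked to an OU, where it reaches only local accounts on the computers in that OU), the following is an added example and not part of the original messages. It assumes the GroupPolicy PowerShell module is available; the report element names it matches and the reading of `SOMPath` are assumptions about the XML produced by `Get-GPOReport`, and `example.com` is a placeholder.

```powershell
# Added example (not from the original thread). Assumes the GroupPolicy module
# from RSAT/GPMC and an account that can read every GPO in the domain.
Import-Module GroupPolicy

function Get-PasswordPolicyGpoScope {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # Assumed report layout: password settings appear as <Account> elements
        # whose <Type> is "Password". local-name() sidesteps namespace prefixes.
        $settings = @($report.SelectNodes(
            "//*[local-name()='Account'][*[local-name()='Type']='Password']"))
        if ($settings.Count -eq 0) { continue }

        # Each <LinksTo> element names one container the GPO is linked to.
        $paths = @($report.SelectNodes("//*[local-name()='LinksTo']") | ForEach-Object {
            $_.SelectSingleNode("*[local-name()='SOMPath']").InnerText
        })

        # Assumption: a SOMPath without "/" is the domain root ("example.com");
        # "example.com/Employees" is an OU beneath it.
        $ouLinks = @($paths | Where-Object { $_ -like '*/*' })

        [pscustomobject]@{
            Gpo          = $gpo.DisplayName
            Settings     = ($settings | ForEach-Object {
                               $_.SelectSingleNode("*[local-name()='Name']").InnerText
                           }) -join ', '
            DomainLinked = [bool]($paths | Where-Object { $_ -notlike '*/*' })
            OuLinks      = $ouLinks -join '; '
        }
    }
}

# Rows with OuLinks filled in are GPOs whose password settings will not govern
# domain accounts through those links, only local accounts on computers there.
Get-PasswordPolicyGpoScope | Where-Object { $_.OuLinks } | Format-Table -AutoSize -Wrap
```

A row with `DomainLinked` false and a non-empty `OuLinks` is the case the original poster was about to create.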