Re: GPOs for Local Password Policies

From: Danny Sanders (Danny.Sanders_at_cpcNOmedSPAM.org)
Date: 11/03/04


Date: Wed, 3 Nov 2004 12:09:27 -0700

Account policies are one to a domain. The reason being if there are
resources on a domain that are sensitive enough to require complex
passwords, setting anything short of all accounts to meet this requirement
amounts to creating a security hole. Why waste time trying to brute force a
complex password when you can brute force a simple password on the same
domain?

Differing account policies is a major reason for creating another domain.

hth
DDS W 2k MVP MCSE

"Stephen Chapman" <sbchapman@yahoo.com> wrote in message
news:8c0a862a.0411031020.162f67f3@posting.google.com...
> A GPO query for Windows 2000 AD, XP & 2000 workstations.
>
> I have a default domain GPO defining "Passwords must meet complexity
> requirements", and several other settings with No Override set. This
> is to update local policy settings on domain workstations. I have a
> small collection of PCs that should not have password complexity set -
> I thought that the way to achieve this would be to apply a Deny to the
> Default Domain GPO with a group I added the computers to, and create a
> second copy GPO which contained all settings except password
> complexity requirements and only permission this to the computer group
> .... so far so good ...
>
> The problem I have in the lab is that the updates don't appear to be
> working. If I reset the policy on the DC, and then run gpupdate /force
> and then gpresult /z I don't see the updates on the workstations.
> I have disabled slow link detection and tried removing and adding a
> workstation back to the domain - even renaming / adding new GPOs but
> the machine seems to stick with the policy it's downloaded even an
> hour ago - if I rename the GPO, gpresult still shows the old name an
> hour later. I've even rebooted the DC & the workstation, but I seem
> to get unpredictable results.
>
> Does anyone have any suggestions or a link to a good doc on GPOs?
>
> Thanks in Advance
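
An added example, not part of the original thread: one way to check whether any machine ends up with a weaker password policy than the rest, which is the situation the reply above warns about. It assumes each machine's settings were saved with `secedit /export /cfg <file>`; the host names, sample exports, and baseline values are constructed for illustration, and a setting missing from an export is treated as 0.

```python
import configparser

# Constructed sample data: text in the layout written by
# `secedit /export /cfg <file>`, for three hypothetical machines.
_HEAD = "[Unicode]\nUnicode=yes\n[System Access]\n"
EXPORTS = {
    "DC01": _HEAD + "MinimumPasswordLength = 8\nPasswordComplexity = 1\n"
                    "PasswordHistorySize = 24\n",
    "WS-ACCT01": _HEAD + "MinimumPasswordLength = 8\nPasswordComplexity = 1\n"
                         "PasswordHistorySize = 24\n"
                         'NewAdministratorName = "Administrator"\n',
    "WS-LAB07": _HEAD + "MinimumPasswordLength = 8\nPasswordComplexity = 0\n"
                        "PasswordHistorySize = 24\n",
}

# Assumed baseline; for these three settings a higher value is stricter.
BASELINE = {"MinimumPasswordLength": 8, "PasswordComplexity": 1,
            "PasswordHistorySize": 12}


def system_access(inf_text):
    """Return the integer settings from the [System Access] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key names' original case
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    settings = {}
    for key, value in cp["System Access"].items():
        try:
            settings[key] = int(value)
        except ValueError:
            pass  # skip non-numeric entries such as NewAdministratorName
    return settings


def weaker_than_baseline(exports, baseline):
    """Map host -> [(setting, actual, required)] for every shortfall."""
    findings = {}
    for host, text in exports.items():
        actual = system_access(text)
        gaps = [(name, actual.get(name, 0), need)
                for name, need in baseline.items()
                if actual.get(name, 0) < need]
        if gaps:
            findings[host] = gaps
    return findings


if __name__ == "__main__":
    for host, gaps in weaker_than_baseline(EXPORTS, BASELINE).items():
        for name, actual, need in gaps:
            print(f"{host}: {name} = {actual}, baseline requires {need}")
```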


