Re: GPO security settings not applied
From: Henri Visser (henri.visser_at_microsoft.com)
Date: 02/17/05
- Next message: Henri Visser: "Copy user profile to C:\ destroys Windows installation"
- Previous message: Malik: "USB"
- In reply to: Cary Shultz [A.D. MVP]: "Re: GPO security settings not applied"
- Next in thread: Cary Shultz [A.D. MVP]: "Re: GPO security settings not applied"
- Reply: Cary Shultz [A.D. MVP]: "Re: GPO security settings not applied"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 17 Feb 2005 15:00:04 -0000
So, what can I do to stop certain users (for example: IT, Directors) from
having the more restrictive security settings that the general domain users
have. Would I have to create an OU above the GPO with the general password
policy?
Thanks
Henri Visser
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:uWUZamJFFHA.1836@tk2msftngp13.phx.gbl...
> Lara,
>
> I promise that I am not following you!
>
> The Password Policy is indeed set at the Domain - level. I like to use
> the Domain Security Policy to set this. You can do this in the Default
> Domain Policy if you like.....
>
> However, you can indeed set a password policy at the OU - level! Please
> note that this would be set on an OU in which computer account objects
> directly reside and would affect only local user accounts ( note: not
> domain user account objects! ).
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> news:42139e9f$1_5@alt.athenanews.com...
>> "Henri Visser" wrote:
>> > Hi,
>> >
>> > I have the following OU & GPO structure:
>> >
>> > Domain - Default Domain GPO
>> > |_ Company - Company GPO
>> > |_ Head Office
>> > |_ IT - IT GPO - Enforced - Block Inheritance
>> > |_ Finance
>> > |_ Marketing
>> > |_ etc...
>> > |_ Branch 1
>> > |_ Branch 2
>> > |_ etc...
>> >
>> > Default domain GPO has been left as installed.
>> >
>> > I have set some security options in the Company GPO. (Password
>> > length,
>> > expiry, time before change allowed, etc.)
>> >
>> > I have blocked inheritance on the IT OU and created a GPO for
>> > the IT OU that
>> > has some security options (password never expires, no minimum
>> > time on
>> > password, etc)
>> >
>> > My user and computer are both in the IT OU, however when I try
>> > to change my
>> > password it appears as if I have the password related settings
>> > from the
>> > Company GPO. User settings in the IT GPO (ex. IE settings) etc
>> > are applied
>> > correctly.
>> >
>> > Any ideas?
>> >
>> > Thank you very much
>> >
>> > Henri Visser, MCSE 2000
>>
>> Hi,
>>
>> Security Settings like Password length etc need to be set at the
>> Domain Level to be applied. That is what the MS documentation says. It
>> is not something you can set at the lower OU's.
>>
>> That is by design. I haven't found a way around it yet.
>>
>> Cheers,
>>
>> Lara
>>
>> --
>> Posted using the http://www.windowsforumz.com interface, at author's
>> request
>> Articles individually checked for conformance to usenet standards
>> Topic URL:
>> http://www.windowsforumz.com/Group-Policy-GPO-security-settings-applied-ftopict265797.html
>> Visit Topic URL to contact author (reg. req'd). Report abuse:
>> http://www.windowsforumz.com/eform.php?p=832195
>
>
- Next message: Henri Visser: "Copy user profile to C:\ destroys Windows installation"
- Previous message: Malik: "USB"
- In reply to: Cary Shultz [A.D. MVP]: "Re: GPO security settings not applied"
- Next in thread: Cary Shultz [A.D. MVP]: "Re: GPO security settings not applied"
- Reply: Cary Shultz [A.D. MVP]: "Re: GPO security settings not applied"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
