Re: RSoP Lockout Account
- From: "Alan Byrne" <AlanByrne@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Oct 2005 16:06:01 -0700
Thanks for that Mar-Elia, but I just find it quite unbelievable that such a
massive drawback in the whole AD schema is hardly written about or discussed
in MS press, documents, guides etc, especially when MS tools like RSoP
incorrectly report that Account Policies for GPOs applied to OUs will apply!
"Darren Mar-Elia" wrote:
> Account Policy, or more specifically any items within Computer
> Configuration\Windows Settings\Security Settings\Account Policies, for
> *domain accounts* (i.e. not local workstation or member server accounts) can
> only be deployed from a GPO linked at the domain level and there can be only
> one account policy per domain for *domain user accounts*. That being said,
> you can have a different account policy, linked to an OU that affects
> *local* user accounts on the workstations and member servers in those OUs
> differently, and you could probably achieve your testing goals using local
> accounts instead of domain ones.
>
> In the future, rumor has it that Longhorn server will support multiple
> account policies per domain, but again, I haven't seen that in writing yet.
> :-)
>
> Darren
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Server--Group Policy
> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
> FAQs, Whitepapers and Utilities for all things Group Policy-related
> Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
> Check it out at http://www.microsoft.com/mspress/books/8763.asp
>
>
> "Alan Byrne" <Alan Byrne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:7CB5AE8C-7667-4F50-8450-C38291097DED@xxxxxxxxxxxxxxxx
> > I've been having this exact problem for weeks now, I've been searching and
> > digging through all sorts of documents, white papers etc but would be a bit
> > disappointed if this is the reason why my lockout threshold policy is
> > applying to users within an OU.
> >
> > I only have one domain on my AD schema, so how can I carry out testing for
> > security policies if I can't implement any security GPs on OUs within that
> > domain? For example, how can I test what will happen when I set the MS
> > password complexity GP to users when some of them don't even have passwords
> > on their accounts, when they login will it force them to change it?
> >
> > Any extra advice or links on applying GPs from the Security Policies
> > section of a GPO would be very useful, as this is the first time I've read
> > they can only be applied at domain level, I'm also very surprised that MS
> > tools such as RSoP show configured security policies (e.g. lockout
> > threshold) within a GPO applied only to an OU will apply to specified users
> > even though they won't?
> >
> > Thks, Alan
> > "Ken B" wrote:
> >
> >> You can have only one password / lockout policy per domain. It goes
> >> hand-in-hand with the saying "A chain is only as strong as its weakest
> >> link"... the point of the domain is to make a unified security structure.
> >> Wouldn't make sense to have a weaker policy in effect for part of the
> >> domain than another part.
> >>
> >> hth,
> >>
> >> Ken
> >>
> >> "RG" <RG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:3C50D3D9-8F75-4E0F-A328-038E7672E263@xxxxxxxxxxxxxxxx
> >> > Hi
> >> >
> >> > I'm trying to apply a GPO to an OU that contains computers, I want to be
> >> > able to make any user in those computers have their account lock out
> >> > after 3 attempts.
> >> > I created the GPO on the computers OU that I created.
> >> > I applied the settings I want.
> >> > The default setting of 0 attempts was removed from the default domain
> >> > policy
> >> > The RSoP says that a test user I chose in another OU logging on one of
> >> > the computers will have the policy enforced.
> >> > But when I try it for real, it doesn't work.
> >> >
> >> >
> >> > Server Windows Server 2003 SP1
> >> > PC Windows XP Pro SP1
> >> >
> >> >
> >> > What could be the problem???
> >> >
> >> > Thanks in advance
> >> >
> >> > RG
> >>
> >>
> >>
>
>
>
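
Added example, not part of the original thread: a small audit that applies the rule Darren describes, flagging a GPO whose Account Policy settings can only reach local accounts because it is linked to an OU rather than the domain. It assumes you have the text of the GPO's security template (GptTmpl.inf) and the distinguished names it is linked to; the GPO name, DNs and template contents below are constructed.

```python
import configparser

# Account Policy keys stored in the [System Access] section of a GPO's
# security template (GptTmpl.inf).
ACCOUNT_POLICY_KEYS = {
    "minimumpasswordage", "maximumpasswordage", "minimumpasswordlength",
    "passwordcomplexity", "passwordhistorysize", "cleartextpassword",
    "lockoutbadcount", "resetlockoutcount", "lockoutduration",
}

# Constructed sample: a template setting lockout after 3 bad attempts.
# Real files are typically UTF-16; decode them before passing the text in.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
"""

def account_policy_settings(inf_text):
    """Return the Account Policy settings defined in a security template."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep the key names as written in the file
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    return {k: v for k, v in parser.items("System Access")
            if k.lower() in ACCOUNT_POLICY_KEYS}

def is_domain_level(link_dn):
    """A link target is the domain root when its DN has only DC= parts."""
    return all(p.strip().upper().startswith("DC=") for p in link_dn.split(","))

def audit_gpo(name, inf_text, link_dns):
    """Say which accounts a GPO's Account Policy can affect, or None."""
    settings = account_policy_settings(inf_text)
    if not settings:
        return None  # GPO defines no Account Policy settings
    domain = any(is_domain_level(dn) for dn in link_dns)
    scope = "domain accounts" if domain else "local accounts only"
    return {"gpo": name, "settings": settings, "applies_to": scope}

if __name__ == "__main__":
    print(audit_gpo("Lockout test", SAMPLE_INF, ["OU=Computers,DC=example,DC=com"]))
```
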