Re: RSoP Lockout Account
Alan-
Actually, it's quite well documented! There's at least one KB article I know
about, and it's probably one of the more frequently discussed topics on this
newsgroup and elsewhere.

As far as the RSOP reference, I'm assuming you're running RSOP logging
rather than modeling? Given that, it makes sense as to what you're seeing.
When you run RSOP logging against a workstation, for example, what you will
see is the policy that is being delivered to that workstation. In the case
of account policy linked to an OU, you are seeing the correct
information--the account policy FOR THAT MACHINE is being reported correctly
by RSOP. That means that any local accounts on that machine will follow that
OU-linked account policy. If you ran RSOP against a Domain Controller (DCs
are the only boxes that process DOMAIN account policy), you would see the
account policy for domain user accounts.

Of course, all that doesn't make the issue any easier to accept :-).

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
Check it out at http://www.microsoft.com/mspress/books/8763.asp


"Alan Byrne" <AlanByrne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:88CA5C95-05A1-458C-868C-A4B086DE9670@xxxxxxxxxxxxxxxx
> Thanks for that Mar-Elia, but I just find it quite unbelievable that such a
> massive drawback in the whole AD schema is hardly written about or discussed
> in MS press, documents, guides etc, especially when MS tools like RSoP
> incorrectly report that Account Policies for GPOs applied to OUs will apply!
>
> "Darren Mar-Elia" wrote:
>
>> Account Policy, or more specifically any items within Computer
>> Configuration\Windows Settings\Security Settings\Account Policies, for
>> *domain accounts* (i.e. not local workstation or member server accounts) can
>> only be deployed from a GPO linked at the domain level, and there can be only
>> one account policy per domain for *domain user accounts*. That being said,
>> you can have a different account policy, linked to an OU, that affects
>> *local* user accounts on the workstations and member servers in those OUs
>> differently, and you could probably achieve your testing goals using local
>> accounts instead of domain ones.
>>
>> In the future, rumor has it that Longhorn server will support multiple
>> account policies per domain, but again, I haven't seen that in writing yet.
>> :-)
>>
>> Darren
>>
>> --
>> Darren Mar-Elia
>> MS-MVP-Windows Server--Group Policy
>> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
>> FAQs, Whitepapers and Utilities for all things Group Policy-related
>> Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
>> Check it out at http://www.microsoft.com/mspress/books/8763.asp
>>
>>
>> "Alan Byrne" <Alan Byrne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:7CB5AE8C-7667-4F50-8450-C38291097DED@xxxxxxxxxxxxxxxx
>> > I've been having this exact problem for weeks now. I've been searching
>> > and digging through all sorts of documents, white papers etc but would be
>> > a bit disappointed if this is the reason why my lockout threshold policy
>> > is applying to users within an OU.
>> >
>> > I only have one domain on my AD schema, so how can I carry out testing for
>> > security policies if I can't implement any security GPs on OUs within that
>> > domain? For example, how can I test what will happen when I set the MS
>> > password complexity GP to users when some of them don't even have passwords
>> > on their accounts? When they login, will it force them to change it?
>> >
>> > Any extra advice or links on applying GPs from the Security Policies
>> > section of a GPO would be very useful, as this is the first time I've read
>> > they can only be applied at domain level. I'm also very surprised that MS
>> > tools such as RSoP show configured security policies (eg lockout threshold)
>> > within a GPO applied only to an OU will apply to specified users even
>> > though they won't?
>> >
>> > Thks, Alan
>> > "Ken B" wrote:
>> >
>> >> You can have only one password / lockout policy per domain. It goes
>> >> hand-in-hand with the saying "A chain is only as strong as its weakest
>> >> link"... the point of the domain is to make a unified security structure.
>> >> Wouldn't make sense to have a weaker policy in effect for part of the
>> >> domain than another part.
>> >>
>> >> hth,
>> >>
>> >> Ken
>> >>
>> >> "RG" <RG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:3C50D3D9-8F75-4E0F-A328-038E7672E263@xxxxxxxxxxxxxxxx
>> >> > Hi
>> >> >
>> >> > I'm trying to apply a GPO to an OU that contains computers. I want to be
>> >> > able to make any user on those computers have their account locked out
>> >> > after 3 attempts.
>> >> > I created the GPO on the computers OU that I created.
>> >> > I applied the settings I want.
>> >> > The default setting of 0 attempts was removed from the default domain
>> >> > policy.
>> >> > The RSoP says that a test user I chose in another OU logging on one of
>> >> > the computers will have the policy enforced.
>> >> > But when I try it for real, it doesn't work.
>> >> >
>> >> >
>> >> > Server Windows Server 2003 SP1
>> >> > PC Windows XP Pro SP1
>> >> >
>> >> >
>> >> > What could be the problem???
>> >> >
>> >> > Thanks in advance
>> >> >
>> >> > RG
>> >>
>> >>
>> >>
>>
>>
>>
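The thread's point is that an Account Policy in a GPO linked to an OU only governs local accounts on the computers in that OU, while domain user accounts follow the policy linked at the domain root, and that RSoP logging on a workstation will faithfully show the OU-linked values because they really are delivered to that machine. The following PowerShell script is an added audit example, not code from the thread or from any of its posters. It assumes the RSAT GroupPolicy and ActiveDirectory modules on PowerShell 3.0 or later (the Server 2003 environment in the thread would need GPMC scripting instead), and it assumes the layout of the `Get-GPOReport` XML output (Account elements under the Computer Security Settings extension, `LinksTo/SOMPath` holding the DNS name for the domain root and `domain/OU` for OU links). It prints the effective domain password/lockout policy, counts fine-grained password policies (the Windows Server 2008 feature that delivered what the "Longhorn" rumor describes), and lists every OU-linked GPO that carries Account Policy settings, i.e. exactly the configuration that misled the original poster.

```powershell
# Added example, not from the thread. Assumes RSAT GroupPolicy and
# ActiveDirectory modules, PowerShell 3.0+, and the Get-GPOReport XML layout
# described in the lead-in.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainName = (Get-ADDomain).DNSRoot

# 1. What domain user accounts actually get: the policy the PDC emulator
#    reads from the GPO(s) linked at the domain root.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domainName
Write-Host "Effective domain account policy for $domainName (applies to domain users):"
$effective |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  MinPasswordLength, ComplexityEnabled, PasswordHistoryCount |
    Format-List

# Fine-grained password policies (Windows Server 2008 and later) are the
# supported way to give a subset of DOMAIN users a different policy.
$psos = @(Get-ADFineGrainedPasswordPolicy -Filter *)
Write-Host ("Fine-grained password policies defined: {0}" -f $psos.Count)

# 2. Find GPOs that set Account Policy values but are linked below the domain
#    root. Names are the [System Access] keys from GptTmpl.inf as they appear
#    in the XML report.
$accountSettingNames = @(
    'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount',
    'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
    'MaximumPasswordAge', 'MinimumPasswordAge', 'ClearTextPassword'
)

$findings = foreach ($gpo in Get-GPO -All -Domain $domainName) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domainName

    # Account elements sit under the Computer-side Security Settings extension;
    # PowerShell's XML adapter lets us ignore the namespace prefixes.
    $accountSettings = @($report.GPO.Computer.ExtensionData.Extension.Account |
        Where-Object { $_ -and $accountSettingNames -contains $_.Name })
    if ($accountSettings.Count -eq 0) { continue }

    # Assumption: SOMPath is "corp.example" for the domain root and
    # "corp.example/Workstations" (contains '/') for an OU link.
    $links        = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' })
    $domainLinked = @($links | Where-Object { $_.SOMPath -notlike '*/*' })
    $ouLinked     = @($links | Where-Object { $_.SOMPath -like '*/*' })

    foreach ($link in $ouLinked) {
        foreach ($s in $accountSettings) {
            # Numeric settings use SettingNumber, on/off settings SettingBoolean.
            $value = if ($s.SettingNumber) { $s.SettingNumber } else { $s.SettingBoolean }
            [pscustomobject]@{
                GPO                    = $gpo.DisplayName
                LinkedTo               = $link.SOMPath
                Setting                = $s.Name
                Value                  = $value
                AlsoLinkedAtDomainRoot = ($domainLinked.Count -gt 0)
            }
        }
    }
}

if ($findings) {
    Write-Host "Account Policy settings in OU-linked GPOs (these govern LOCAL accounts only):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No OU-linked GPOs carry Account Policy settings."
}
```

Run it from an account that can read every GPO; any row in the final table whose `AlsoLinkedAtDomainRoot` is false is a lockout or password setting that an administrator may believe protects domain users but that RSoP logging on a workstation will report only because it applies to that machine's local accounts. Compare those rows against the effective domain policy printed first to see what domain logons are actually subject to.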