Re: RSoP Lockout Account
- From: "Bruce Sanderson" <bsanders@xxxxxxxxx>
- Date: Mon, 10 Oct 2005 21:40:43 -0700
Well, what you see as a "massive drawback" I see as a huge benefit. The major part of the Domain concept is a unified and enforced security regime. One of the most vulnerable (technical) parts of security is passwords, so having the same password policy enforced for all User accounts in the domain is an important feature.

Testing and experimenting in a "Production" environment is not usually a good thing to do anyway.

The password policy is enforced by the computer (i.e. a domain controller for domain accounts) that "owns" the user account at the time a password is changed, not when the user account is authenticated by that computer. So changing the password policy in an OU that does not apply to domain controllers won't have any effect on domain user accounts. Existing passwords are not affected when the password policy is modified (e.g. complexity requirement turned on).
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Alan Byrne" <AlanByrne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:88CA5C95-05A1-458C-868C-A4B086DE9670@xxxxxxxxxxxxxxxx
> Thanks for that Mar-Elia, but I just find it quite unbelievable that such a massive drawback in the whole AD schema is hardly written about or discussed in MS press, documents, guides etc, especially when MS tools like RSoP incorrectly report that Account Policies for GPOs applied to OUs will apply!
>
> "Darren Mar-Elia" wrote:
>
>> Account Policy, or more specifically any items within Computer Configuration\Windows Settings\Security Settings\Account Policies, for *domain accounts* (i.e. not local workstation or member server accounts) can only be deployed from a GPO linked at the domain level and there can be only one account policy per domain for *domain user accounts*. That being said, you can have a different account policy, linked to an OU that affects *local* user accounts on the workstations and member servers in those OUs differently, and you could probably achieve your testing goals using local accounts instead of domain ones.
>>
>> In the future, rumor has it that Longhorn server will support multiple account policies per domain, but again, I haven't seen that in writing yet. :-)
>>
>> Darren
>>
>> --
>> Darren Mar-Elia
>> MS-MVP-Windows Server--Group Policy
>> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub: FAQs, Whitepapers and Utilities for all things Group Policy-related
>> Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
>> Check it out at http://www.microsoft.com/mspress/books/8763.asp
>>
>>
>> "Alan Byrne" <Alan Byrne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:7CB5AE8C-7667-4F50-8450-C38291097DED@xxxxxxxxxxxxxxxx
>> > I've been having this exact problem for weeks now, I've been searching and digging through all sorts of documents, white papers etc but would be a bit disappointed if this is the reason why my lockout threshold policy is applying to users within an OU.
>> >
>> > I only have one domain on my AD schema, so how can I carry out testing for security policies if I can't implement any security GPs on OUs within that domain? For example, how can I test what will happen when I set the MS password complexity GP to users when some of them don't even have passwords on their accounts, when they login will it force them to change it?
>> >
>> > Any extra advice or links on applying GPs from the Security Policies section of a GPO would be very useful, as this is the first time I've read they can only be applied at domain level, I'm also very surprised that MS tools such as RSoP show configured security policies (eg lockout threshold) within a GPO applied only to an OU will apply to specified users even though they won't?
>> >
>> > Thks, Alan
>> > "Ken B" wrote:
>> >
>> >> You can have only one password / lockout policy per domain. It goes hand-in-hand with the saying "A chain is only as strong as its weakest link"... the point of the domain is to make a unified security structure. Wouldn't make sense to have a weaker policy in effect for part of the domain than another part.
>> >>
>> >> hth,
>> >>
>> >> Ken
>> >>
>> >> "RG" <RG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:3C50D3D9-8F75-4E0F-A328-038E7672E263@xxxxxxxxxxxxxxxx
>> >> > Hi
>> >> >
>> >> > I'm trying to apply a GPO to an OU that contains computers, I want to be able to make any user in those computers have their account lockout after 3 attempts.
>> >> > I created the GPO on the computers OU that I created.
>> >> > I applied the settings I want.
>> >> > The default setting of 0 attempts was removed from the default domain policy.
>> >> > The RSoP says that a test user I chose in another OU logging on one of the computers will have the policy enforced.
>> >> > But when I try it for real, it doesn't work.
>> >> >
>> >> > Server Windows Server 2003 SP1
>> >> > PC Windows XP Pro SP1
>> >> >
>> >> > What could be the problem???
>> >> >
>> >> > Thanks in advance
>> >> >
>> >> > RG
>> >>
>> >>
>> >>
>>
>>
>>
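A defensive check for the situation RG and Alan describe, added here as an example and not code posted in the thread: it lists every GPO that configures Account Policy items and reports whether that GPO is linked at the domain root, the only link point from which those settings reach domain user accounts. It assumes the RSAT GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or later tooling, not the 2003-era consoles the thread discusses) and the element names Get-GPOReport uses in its XML output; site-linked GPOs are not considered.

```powershell
# Added audit script (not from the thread): find GPOs that set Account Policies
# (password/lockout) but are linked only below the domain root, where they shape
# local accounts on the linked computers and leave domain user accounts untouched,
# whatever a per-user RSoP report may suggest.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
# What domain accounts actually get: the policy resolved on the domain controllers.
$effective = Get-ADDefaultDomainPasswordPolicy
"Effective domain policy: lockout threshold {0}, min length {1}, complexity {2}" -f `
    $effective.LockoutThreshold, $effective.MinPasswordLength, $effective.ComplexityEnabled

# Only GPOs linked directly at the domain root can define that policy.
$rootLinkIds = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    ForEach-Object { $_.GpoId }

foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain.DNSRoot)
    # Assumption about the report layout: Security Settings account items appear as
    # <Account> elements with a <Name> (e.g. LockoutBadCount) and a Setting* value.
    # Namespace-agnostic XPath keeps this independent of the report's prefixes.
    $items = $report.SelectNodes("//*[local-name()='Account']")
    if ($items.Count -eq 0) { continue }

    $linkedAtRoot = $rootLinkIds -contains $gpo.Id
    foreach ($item in $items) {
        $name  = $item.SelectSingleNode("*[local-name()='Name']").InnerText
        $value = $item.SelectSingleNode("*[starts-with(local-name(),'Setting')]").InnerText
        [pscustomobject]@{
            GPO                   = $gpo.DisplayName
            Setting               = $name
            Value                 = $value
            LinkedAtDomainRoot    = $linkedAtRoot
            # The thread's point: below the root, this only governs local accounts.
            AffectsDomainAccounts = $linkedAtRoot
        }
    }
}
```

Rows with AffectsDomainAccounts set to False are the settings RSoP will display for a domain user while the domain controllers keep enforcing the domain-root policy printed at the top.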