Re: Default Domain Policy Question

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Diane McCorkle (diane.mccorkle)
Date: 01/21/05

  • Next message: Nut Cracker: "Re: Default Domain Policy Question" 
    Date: Fri, 21 Jan 2005 15:32:26 -0500

    Our solution to this problem was quite simple,
    We created an OU named Member Servers and Accounts and blocked policy
    inheritance on that OU.
    We then set the appropriate policies in there with a custom policy based off
    the DDP.

    am I missing something?

    Diane

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:%23mxHZ$%23$EHA.960@TK2MSFTNGP10.phx.gbl...
    > You need to access the account properties of the service
    > accounts and set the checkbox for Password never expires.
    > There is only one set of Account policies in a domain, but
    > this per account setting exempts the account where set.
    > The setting is accessible by local or remote script by
    > getting a handle to the user account object. Setting this
    > type of thing is not what GPO is good at (I have not seen
    > a policy for this that could be used to set it on all accounts
    > in some svcacct subOU; and, it is a one-time setting so
    > use of GPO for reapplication is really overkill).
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
    > news:OdJumX%23$EHA.3820@TK2MSFTNGP11.phx.gbl...
    >> Hello All,
    >>
    >> I have a situation where the Default Domain Policy (DDP) is configured
    >> for
    >> passwords to expire in 90 days. I have an OU full of service accounts
    >> that
    > I
    >> dont want to be subject to that policy.
    >>
    >> How do I go about creating an exlusion from the DDP for this OU ? I am
    > told
    >> that I can oly set the password policy at the DDP level, so Im kinda in a
    >> lurch here.
    >>
    >> Thank you for any light you can shed on this.
    >>
    >> - NuTs
    >>
    >>
    >>
    >
    >

  • Next message: Nut Cracker: "Re: Default Domain Policy Question"

    Relevant Pages

    • Re: GPO causing client security logs to fill?
      ... a virus in play. ... settings to be applied on your client workstations. ... Group Policy is a complex and often misunderstood beast. ... I modified the account ...
      (microsoft.public.windows.server.sbs)
    • Re: Passowrd complexity LOCAL Account
      ... Place this computer account into an OU. ... Then, link a new GPO to the OU, ... configuring the GPO's Account Policy like you want the local SAM to behave. ... > local user accounts with passwords that do not follow the ...
      (microsoft.public.win2000.group_policy)
    • Re: starting over with GPO
      ... Your description does not take into account the concept of Group Policy ... you would only need to link the Domain GPO to the domain and Users ... See the following link for a description of Group Policy Inheritance: ...
      (microsoft.public.windows.group_policy)
    • Re: Domain Admin account and lockout Policy
      ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
      (microsoft.public.windows.group_policy)
    • Re: Domain Admin account and lockout Policy
      ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
      (microsoft.public.windows.group_policy)