Re: Default Domain Policy Question

From: Nut Cracker (nutcracker_at_internationalhacker.org)
Date: 01/21/05


Date: Fri, 21 Jan 2005 15:21:28 -0600

I think we came up with a suitable solution. It is very similar to what you
have outlined, Diane.

We are creating a new subpolicy at that OU level. It has the DoNotOverwrite
(block inheritance) attribute and has the desired pw policy. This is in a
W2K domain, and using the 2K3 admin tools and gpresult, tested the winning
result set and it's exactly what we want it to be.

Thanks for the input,

- NuTs

"Diane McCorkle" <diane.mccorkle at atcassociates.com> wrote in message
news:epveTh$$EHA.1084@tk2msftngp13.phx.gbl...
> Our solution to this problem was quite simple,
> We created an OU named Member Servers and Accounts and blocked policy
> inheritance on that OU.
> We then set the appropriate policies in there with a custom policy based
> off the DDP.
>
> Am I missing something?
>
> Diane
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23mxHZ$%23$EHA.960@TK2MSFTNGP10.phx.gbl...
>> You need to access the account properties of the service
>> accounts and set the checkbox for Password never expires.
>> There is only one set of Account policies in a domain, but
>> this per account setting exempts the account where set.
>> The setting is accessible by local or remote script by
>> getting a handle to the user account object. Setting this
>> type of thing is not what GPO is good at (I have not seen
>> a policy for this that could be used to set it on all accounts
>> in some svcacct subOU; and, it is a one-time setting so
>> use of GPO for reapplication is really overkill).
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
>> news:OdJumX%23$EHA.3820@TK2MSFTNGP11.phx.gbl...
>>> Hello All,
>>>
>>> I have a situation where the Default Domain Policy (DDP) is configured for
>>> passwords to expire in 90 days. I have an OU full of service accounts that I
>>> don't want to be subject to that policy.
>>>
>>> How do I go about creating an exclusion from the DDP for this OU? I am told
>>> that I can only set the password policy at the DDP level, so I'm kinda in a
>>> lurch here.
>>>
>>> Thank you for any light you can shed on this.
>>>
>>> - NuTs
>>>
>>>
>>>
>>
>>
>
>
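
The per-account "Password never expires" checkbox mentioned in Roger Abell's reply is stored as the DONT_EXPIRE_PASSWORD bit (0x10000) of the account's userAccountControl attribute. The following is an added example, not code from any poster in the thread: it audits an exported account list against the thread's 90-day maximum age and lists exempt accounts whose passwords are older than that. The account names, dates and export layout are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit behind the checkbox
NORMAL_ACCOUNT = 0x0200
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = timedelta(microseconds=1)

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (pwdLastSet format)."""
    return ((dt - FILETIME_EPOCH) // TICK) * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def audit(accounts, now, max_age_days=90):
    """Map each account name to (status, password age in days)."""
    report = {}
    for acct in accounts:
        age = now - from_filetime(acct["pwdLastSet"])
        if acct["userAccountControl"] & DONT_EXPIRE_PASSWORD:
            status = "exempt"  # the domain maximum age is not applied
        elif age >= timedelta(days=max_age_days):
            status = "expired"
        else:
            status = "ok"
        report[acct["sAMAccountName"]] = (status, age.days)
    return report

def stale_exempt(report, max_age_days=90):
    """Exempt accounts whose password is older than the domain maximum."""
    return sorted(name for name, (status, days) in report.items()
                  if status == "exempt" and days > max_age_days)

def row(name, uac, days_old, now):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "pwdLastSet": to_filetime(now - timedelta(days=days_old))}

# Constructed sample export; names and dates are made up.
NOW = datetime(2005, 1, 21, tzinfo=timezone.utc)
SAMPLE = [
    row("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 400, NOW),
    row("svc_web", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 10, NOW),
    row("svc_sql", NORMAL_ACCOUNT, 120, NOW),
    row("jdoe", NORMAL_ACCOUNT, 30, NOW),
]

if __name__ == "__main__":
    rep = audit(SAMPLE, NOW)
    for name, (status, days) in rep.items():
        print(f"{name:12} {status:8} {days:4d} days")
    print("exempt and older than policy:", stale_exempt(rep))
```
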


