Re: Default Domain Policy Question

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/22/05


Date: Sat, 22 Jan 2005 11:06:04 -0700

Many accounts for services, as in a clustered environment, or for a
web back end to access middleware and/or SQL, need to be domain
accounts, not machine local accounts.

If only the machine local accounts are the issue, a perhaps cleaner
way to structure what you have effected is to set the domain-level
Account policies in a GPO linked to the Domain Controllers OU
instead of to the Domain. The Account policies then will not also
automatically apply to machine local accounts. Whether this works
in an environment of course depends on whether machine local
accounts are allowed (beyond those defined by the corp
administration for specific purposes, i.e. no user machine locals).

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Diane McCorkle" <diane.mccorkle at atcassociates.com> wrote in message
news:epveTh$$EHA.1084@tk2msftngp13.phx.gbl...
> Our solution to this problem was quite simple,
> We created an OU named Member Servers and Accounts and blocked policy
> inheritance on that OU.
> We then set the appropriate policies in there with a custom policy based
> off the DDP.
>
> am I missing something?
>
> Diane
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23mxHZ$%23$EHA.960@TK2MSFTNGP10.phx.gbl...
> > You need to access the account properties of the service
> > accounts and set the checkbox for Password never expires.
> > There is only one set of Account policies in a domain, but
> > this per account setting exempts the account where set.
> > The setting is accessible by local or remote script by
> > getting a handle to the user account object.  Setting this
> > type of thing is not what GPO is good at (I have not seen
> > a policy for this that could be used to set it on all accounts
> > in some svcacct subOU; and, it is a one-time setting so
> > use of GPO for reapplication is really overkill).
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
> > news:OdJumX%23$EHA.3820@TK2MSFTNGP11.phx.gbl...
> >> Hello All,
> >>
> >> I have a situation where the Default Domain Policy (DDP) is configured
> >> for passwords to expire in 90 days. I have an OU full of service
> >> accounts that I don't want to be subject to that policy.
> >>
> >> How do I go about creating an exclusion from the DDP for this OU? I am
> >> told that I can only set the password policy at the DDP level, so I'm
> >> kinda in a lurch here.
> >>
> >> Thank you for any light you can shed on this.
> >>
> >> - NuTs
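The per-account exemption Roger describes (set "Password never expires" on each service account by script, since there is only one set of Account policies per domain and GPO is the wrong tool for a one-time attribute write) can be done like this. This is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module is available and uses a made-up OU path that you would replace with your own.

```powershell
# Added example, not from the thread: apply the per-account exemption
# ("Password never expires") to every enabled user in a service-account OU,
# then verify by reading the raw userAccountControl bit back from AD.
# Needs the ActiveDirectory module (RSAT). The OU path below is an assumption.
#Requires -Modules ActiveDirectory

$SvcOU      = 'OU=svcacct,OU=Accounts,DC=corp,DC=example'  # assumed OU; change it
$DryRun     = $true       # $true = -WhatIf only; flip to $false to write
$DontExpire = 0x10000     # ADS_UF_DONT_EXPIRE_PASSWD bit in userAccountControl

# Show the domain-wide setting the accounts are being exempted from
# (the thread's case: MaxPasswordAge of 90 days in the DDP).
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordLength

# -SearchScope OneLevel keeps the change inside this OU; nested OUs that might
# hold ordinary user accounts are not touched.
$accounts = Get-ADUser -SearchBase $SvcOU -SearchScope OneLevel `
    -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet

foreach ($acct in $accounts) {
    if ($acct.PasswordNeverExpires) {
        Write-Host ("already exempt : {0}" -f $acct.SamAccountName)
        continue
    }
    # One-time attribute write on the user object; nothing for a GPO to re-apply.
    Set-ADUser -Identity $acct -PasswordNeverExpires $true -WhatIf:$DryRun
    Write-Host ("exempted       : {0}" -f $acct.SamAccountName)
}

# Verify from the raw attribute rather than the cmdlet's derived property, and
# surface the last password change so stale service credentials stay visible.
Get-ADUser -SearchBase $SvcOU -SearchScope OneLevel -Filter * `
    -Properties userAccountControl, PasswordLastSet |
    Select-Object SamAccountName,
        @{ n = 'NeverExpires';    e = { ($_.userAccountControl -band $DontExpire) -ne 0 } },
        @{ n = 'PasswordLastSet'; e = { $_.PasswordLastSet } } |
    Format-Table -AutoSize
```

Run it once with `$DryRun = $true` to see which accounts would change, then again with `$DryRun = $false`. The same result can be had without RSAT by binding to the user object with `[ADSI]"LDAP://..."`, OR-ing 0x10000 into `userAccountControl` and calling `SetInfo()`, which is the "handle to the user account object" approach the post refers to. Exempting an account from expiry removes the forcing function for rotation, so the `PasswordLastSet` column is worth keeping in whatever report you run against the OU.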

