Re: Default Domain Policy Question

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/22/05


Date: Sat, 22 Jan 2005 11:08:28 -0700

I do not think this statement is quite accurate Steve
> Domain controllers read password policy from the domain
> container only in the GPO with the highest priority that has
> it defined.
It seems to me that the DCs recognize, at least some of, the
Account policies when GPO is linked to the DC OU.

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23rIrqvCAFHA.2012@TK2MSFTNGP15.phx.gbl...
> There can only be one policy per domain for domain accounts. Any other
> attempts to subvert it will fail for domain user accounts but would apply to
> local user accounts for computers within the scope of influence of the
> policy as per gpresult. Domain controllers read password policy from the
> domain container only in the GPO with the highest priority that has it
> defined. The link below explains more. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
>
>
> "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
> news:%23F4Gt8$$EHA.2704@TK2MSFTNGP10.phx.gbl...
> >I think we came up with a suitable solution. It is very similar to what you
> >have outlined, Diane.
> >
> > We are creating a new subpolicy at that OU level. It has the
> > DoNotOverwrite (block inheritance) attribute and has the desired pw
> > policy. This is in a W2K domain, and using the 2K3 admin tools and
> > gpresult, tested the winning result set and it's exactly what we want it to
> > be.
> >
> > Thanks for the input,
> >
> > - NuTs
> >
> > "Diane McCorkle" <diane.mccorkle at atcassociates.com> wrote in message
> > news:epveTh$$EHA.1084@tk2msftngp13.phx.gbl...
> >> Our solution to this problem was quite simple,
> >> We created an OU named Member Servers and Accounts and blocked policy
> >> inheritance on that OU.
> >> We then set the appropriate policies in there with a custom policy based
> >> off the DDP.
> >>
> >> Am I missing something?
> >>
> >> Diane
> >>
> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> news:%23mxHZ$%23$EHA.960@TK2MSFTNGP10.phx.gbl...
> >>> You need to access the account properties of the service
> >>> accounts and set the checkbox for Password never expires.
> >>> There is only one set of Account policies in a domain, but
> >>> this per account setting exempts the account where set.
> >>> The setting is accessible by local or remote script by
> >>> getting a handle to the user account object.  Setting this
> >>> type of thing is not what GPO is good at (I have not seen
> >>> a policy for this that could be used to set it on all accounts
> >>> in some svcacct subOU; and, it is a one-time setting so
> >>> use of GPO for reapplication is really overkill).
> >>>
> >>> -- 
> >>> Roger Abell
> >>> Microsoft MVP (Windows Security)
> >>> MCSE (W2k3,W2k,Nt4)  MCDBA
> >>> "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
> >>> news:OdJumX%23$EHA.3820@TK2MSFTNGP11.phx.gbl...
> >>>> Hello All,
> >>>>
> >>>> I have a situation where the Default Domain Policy (DDP) is configured
> >>>> for passwords to expire in 90 days. I have an OU full of service accounts
> >>>> that I don't want to be subject to that policy.
> >>>>
> >>>> How do I go about creating an exclusion from the DDP for this OU? I am
> >>>> told that I can only set the password policy at the DDP level, so I'm
> >>>> kinda in a lurch here.
> >>>>
> >>>> Thank you for any light you can shed on this.
> >>>>
> >>>> - NuTs
> >>>>


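One way to script the per-account "Password never expires" exemption that Roger describes above, as an added example that is not code from the thread or from any poster; it assumes the RSAT ActiveDirectory PowerShell module is installed and uses a placeholder OU distinguished name that you must replace.

```powershell
# Added example: exempt the service accounts in one OU from the domain
# password-expiry policy by setting the per-account flag, then report
# which accounts carry it. Not from the original thread.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=ServiceAccounts,DC=example,DC=com'   # placeholder DN
$Apply = $false   # $false = preview with -WhatIf; $true = change the objects

# DONT_EXPIRE_PASSWD bit of userAccountControl. This is the bit that the
# "Password never expires" checkbox toggles on the user object, and it is
# what you would read through an ADSI handle: ([ADSI]"LDAP://$dn").userAccountControl
$DontExpirePasswd = 0x10000

function Get-ServiceAccountExpiryState {
    param([string]$SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties userAccountControl, PasswordLastSet |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet,
            @{ n = 'NeverExpires'
               e = { ($_.userAccountControl -band $DontExpirePasswd) -ne 0 } }
}

# Pass 1: set the flag only where it is missing, so the script is idempotent.
foreach ($acct in (Get-ServiceAccountExpiryState -SearchBase $ServiceAccountOU)) {
    if (-not $acct.NeverExpires) {
        Set-ADUser -Identity $acct.DistinguishedName `
            -PasswordNeverExpires $true -WhatIf:(-not $Apply)
    }
}

# Pass 2: re-read and report. PasswordLastSet matters because an account that
# is exempt from expiry is also exempt from the forced rotation the DDP gives
# everyone else, so its age has to be tracked by hand.
Get-ServiceAccountExpiryState -SearchBase $ServiceAccountOU |
    Select-Object SamAccountName, NeverExpires, PasswordLastSet |
    Format-Table -AutoSize
```

Run with `$Apply = $false` first; the -WhatIf output lists exactly which objects would be modified before anything is written.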