Re: Default Domain Policy Question

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/23/05


Date: Sat, 22 Jan 2005 19:09:03 -0600

I may be wrong but from what I can tell that seems to be pretty much the way
it works for applying password policy to domain user accounts. Which
password policy does it apply to domain users when applied at the OU
level? --- Steve

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Oizq6zKAFHA.960@TK2MSFTNGP10.phx.gbl...
>I do not think this statement is quite accurate Steve
>> Domain controllers read password policy from the domain
>> container only in the GPO with the highest priority that has
>> it defined.
> It seems to me that the DCs recognize, at least some of, the
> Account policies when GPO is linked to the DC OU.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:%23rIrqvCAFHA.2012@TK2MSFTNGP15.phx.gbl...
>> There can only be one policy per domain for domain accounts. Any other
>> attempts to subvert it will fail for domain user accounts but would apply
>> to local user accounts for computers within the scope of influence of the
>> policy as per gpresult. Domain controllers read password policy from the
>> domain container only in the GPO with the highest priority that has it
>> defined. The link below explains more. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
>>
>>
>> "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
>> news:%23F4Gt8$$EHA.2704@TK2MSFTNGP10.phx.gbl...
>> >I think we came up with a suitable solution. It is very similar to what
>> >you have outlined, Diane.
>> >
>> > We are creating a new subpolicy at that OU level. It has the
>> > DoNotOverwrite (block inheritance) attribute and has the desired pw
>> > policy. This is in a W2K domain, and using the 2K3 admin tools and
>> > gpresult, tested the winning result set and it's exactly what we want it
>> > to be.
>> >
>> > Thanks for the input,
>> >
>> > - NuTs
>> >
>> > "Diane McCorkle" <diane.mccorkle at atcassociates.com> wrote in message
>> > news:epveTh$$EHA.1084@tk2msftngp13.phx.gbl...
>> >> Our solution to this problem was quite simple.
>> >> We created an OU named Member Servers and Accounts and blocked policy
>> >> inheritance on that OU.
>> >> We then set the appropriate policies in there with a custom policy
>> >> based off the DDP.
>> >>
>> >> am I missing something?
>> >>
>> >> Diane
>> >>
>> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> news:%23mxHZ$%23$EHA.960@TK2MSFTNGP10.phx.gbl...
>> >>> You need to access the account properties of the service
>> >>> accounts and set the checkbox for Password never expires.
>> >>> There is only one set of Account policies in a domain, but
>> >>> this per account setting exempts the account where set.
>> >>> The setting is accessible by local or remote script by
>> >>> getting a handle to the user account object. Setting this
>> >>> type of thing is not what GPO is good at (I have not seen
>> >>> a policy for this that could be used to set it on all accounts
>> >>> in some svcacct subOU; and, it is a one-time setting so
>> >>> use of GPO for reapplication is really overkill).
>> >>>
>> >>> --
>> >>> Roger Abell
>> >>> Microsoft MVP (Windows Security)
>> >>> MCSE (W2k3,W2k,Nt4) MCDBA
>> >>> "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
>> >>> news:OdJumX%23$EHA.3820@TK2MSFTNGP11.phx.gbl...
>> >>>> Hello All,
>> >>>>
>> >>>> I have a situation where the Default Domain Policy (DDP) is
>> >>>> configured for passwords to expire in 90 days. I have an OU full of
>> >>>> service accounts that I don't want to be subject to that policy.
>> >>>>
>> >>>> How do I go about creating an exclusion from the DDP for this OU? I am
>> >>>> told that I can only set the password policy at the DDP level, so I'm
>> >>>> kinda in a lurch here.
>> >>>>
>> >>>> Thank you for any light you can shed on this.
>> >>>>
>> >>>> - NuTs
>> >>>>
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>
>
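The per-account "Password never expires" flag that Roger Abell describes above, as an added PowerShell example that is not part of the thread. It sets the ADS_UF_DONT_EXPIRE_PASSWD bit (0x10000) in userAccountControl for each user directly under one OU through ADSI (System.DirectoryServices, so no ActiveDirectory module is needed), and then lists every account in the domain that carries the flag, since each such account is exempt from the domain's maximum password age and that list is what an auditor will ask for. The OU path and domain root in the usage lines are assumed placeholders.

```powershell
# Added example (not from the thread). Exempts the user accounts directly
# under one OU from the domain password-age policy by setting the per-account
# "Password never expires" flag, then audits which accounts domain-wide have it.
# Uses System.DirectoryServices (ADSI) only. OU and domain paths are assumed.

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit, decimal 65536

function Set-PasswordNeverExpiresInOu {
    param(
        [string]$OuPath,    # e.g. "LDAP://OU=Service Accounts,DC=example,DC=com" (assumed)
        [switch]$WhatIf     # report only, change nothing
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$OuPath)
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user))"
    $searcher.SearchScope = "OneLevel"   # the OU itself, not child OUs
    $null = $searcher.PropertiesToLoad.Add("sAMAccountName")

    foreach ($result in $searcher.FindAll()) {
        $user = $result.GetDirectoryEntry()
        $name = [string]$user.Properties["sAMAccountName"].Value
        $uac  = [int]$user.Properties["userAccountControl"].Value

        if ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) {
            Write-Output "$name : already exempt"
            continue
        }
        if ($WhatIf) {
            Write-Output "$name : would set Password never expires"
            continue
        }
        # Set the bit and commit; this is a one-time attribute write, not a GPO.
        $user.Properties["userAccountControl"].Value = $uac -bor $ADS_UF_DONT_EXPIRE_PASSWD
        $user.SetInfo()
        Write-Output "$name : Password never expires set"
    }
}

function Get-PasswordNeverExpiresAccounts {
    param([string]$DomainPath)   # e.g. "LDAP://DC=example,DC=com" (assumed)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$DomainPath)
    # LDAP_MATCHING_RULE_BIT_AND: match users whose userAccountControl has the bit set
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(userAccountControl:1.2.840.113556.1.4.803:=$ADS_UF_DONT_EXPIRE_PASSWD))"
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize    = 500   # paged results so large domains are not truncated
    $null = $searcher.PropertiesToLoad.Add("sAMAccountName")
    $null = $searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$result.Properties["samaccountname"][0]
            DN      = [string]$result.Properties["distinguishedname"][0]
        }
    }
}

# Usage (paths are assumptions for this example):
# Set-PasswordNeverExpiresInOu -OuPath "LDAP://OU=Service Accounts,DC=example,DC=com" -WhatIf
# Set-PasswordNeverExpiresInOu -OuPath "LDAP://OU=Service Accounts,DC=example,DC=com"
# Get-PasswordNeverExpiresAccounts -DomainPath "LDAP://DC=example,DC=com" | Format-Table -AutoSize
```

Run the first call with -WhatIf and check the names it prints before running it for real; the second function is the check worth keeping in a scheduled job, because any account it returns (service account or not) is outside the domain password-age policy and an attacker who obtains such a password keeps it until someone rotates it by hand.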


