Re: Default Domain Policy Question
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/24/05
- Next message: Scotto: "Re: file redirection"
- Previous message: Roger Abell: "Re: Default Domain Policy Question"
- In reply to: Roger Abell: "Re: Default Domain Policy Question"
- Next in thread: Roger Abell: "Re: Default Domain Policy Question"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 23 Jan 2005 18:06:05 -0600
Hi Roger.
Sounds good. Let me know if you find out anything. I am always curious,
especially about undocumented "features". --- Steve [snowbound in
Chicagoland]
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:u7%23aaYaAFHA.2012@TK2MSFTNGP15.phx.gbl...
> Hey Steve,
>
> What I need to do is to recheck this, as I accidentally discovered
> the behavior some time back in W2k. It, as being contrary to the
> documented behavior, may have been so only for a time and later
> removed by SP level.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:eA5pxWXAFHA.1452@TK2MSFTNGP11.phx.gbl...
>> Hmm. I have never seen password policy applied to the domain controllers
>> [W2K or W2003] container apply to domain users unless it was defined the
>> same as the prevailing domain policy [no override not enforced on the
>> defined domain GPO either]. Anytime I have tried to configure a different
>> password policy to the domain controllers container than the domain and
>> ran net accounts on a domain controller it showed the domain policy as
>> being applied and was demonstrated as prevailing policy to domain user
>> accounts such as when trying to create a new domain user and being able
>> to give it a password without meeting complexity or minimum length
>> requirements defined at the domain controller container level but meeting
>> the requirements of the domain policy. MS documentation that I have read
>> said that domain controllers "pull" password policy from the domain level
>> for consistent application of password policy to domain users to avert
>> the possibility of a domain controller not being in the default domain
>> controllers container. I may have missed something in the fine print
>> however. --- Steve
>>
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:ux483YWAFHA.2192@TK2MSFTNGP14.phx.gbl...
>> > Applied anywhere seems to affect the accounts (SAM if one) of that
>> > location.
>> > At the Domain and at the Domain Controllers OU this is the domain
>> > accounts.
>> > At an OU other than Domain Controllers it is the machine local SAM.
>> >
>> > --
>> > Roger
>> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> > news:%23nDg7fOAFHA.1260@TK2MSFTNGP12.phx.gbl...
>> >> I may be wrong but from what I can tell that seems to be pretty much
>> >> the way it works for applying password policy to domain user accounts.
>> >> Which password policy does it apply to domain users when applied at
>> >> the OU level?? --- Steve
>> >>
>> >>
>> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> news:Oizq6zKAFHA.960@TK2MSFTNGP10.phx.gbl...
>> >> >I do not think this statement is quite accurate Steve
>> >> >> Domain controllers read password policy from the domain
>> >> >> container only in the GPO with the highest priority that has
>> >> >> it defined.
>> >> > It seems to me that the DCs recognize, at least some of, the
>> >> > Account policies when GPO is linked to the DC OU.
>> >> >
>> >> > --
>> >> > Roger Abell
>> >> > Microsoft MVP (Windows Security)
>> >> > MCSE (W2k3,W2k,Nt4) MCDBA
>> >> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> >> > news:%23rIrqvCAFHA.2012@TK2MSFTNGP15.phx.gbl...
>> >> >> There can only be one policy per domain for domain accounts. Any
>> >> >> other attempts to subvert it will fail for domain user accounts but
>> >> >> would apply to local user accounts for computers within the scope of
>> >> >> influence of the policy as per gpresult. Domain controllers read
>> >> >> password policy from the domain container only in the GPO with the
>> >> >> highest priority that has it defined. The link below explains more.
>> >> >> --- Steve
>> >> >>
>> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;255550
>> >> >>
>> >> >>
>> >> >> "Nut Cracker" <nutcracker@internationalhacker.org> wrote in message
>> >> >> news:%23F4Gt8$$EHA.2704@TK2MSFTNGP10.phx.gbl...
>> >> >> > I think we came up with a suitable solution. It is very similar to
>> >> >> > what you have outlined, Diane.
>> >> >> >
>> >> >> > We are creating a new subpolicy at that OU level. It has the
>> >> >> > DoNotOverwrite (block inheritance) attribute and has the desired pw
>> >> >> > policy. This is in a W2K domain, and using the 2K3 admin tools and
>> >> >> > gpresult, tested the winning result set and it's exactly what we
>> >> >> > want it to be.
>> >> >> >
>> >> >> > Thanks for the input,
>> >> >> >
>> >> >> > - NuTs
>> >> >> >
>> >> >> > "Diane McCorkle" <diane.mccorkle at atcassociates.com> wrote in
>> > message
>> >> >> > news:epveTh$$EHA.1084@tk2msftngp13.phx.gbl...
>> >> >> >> Our solution to this problem was quite simple,
>> >> >> >> We created an OU named Member Servers and Accounts and blocked
>> >> >> >> policy inheritance on that OU.
>> >> >> >> We then set the appropriate policies in there with a custom
>> >> >> >> policy based off the DDP.
>> >> >> >>
>> >> >> >> Am I missing something?
>> >> >> >>
>> >> >> >> Diane
>> >> >> >>
>> >> >> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> >> >> news:%23mxHZ$%23$EHA.960@TK2MSFTNGP10.phx.gbl...
>> >> >> >>> You need to access the account properties of the service
>> >> >> >>> accounts and set the checkbox for Password never expires.
>> >> >> >>> There is only one set of Account policies in a domain, but
>> >> >> >>> this per account setting exempts the account where set.
>> >> >> >>> The setting is accessible by local or remote script by
>> >> >> >>> getting a handle to the user account object. Setting this
>> >> >> >>> type of thing is not what GPO is good at (I have not seen
>> >> >> >>> a policy for this that could be used to set it on all accounts
>> >> >> >>> in some svcacct subOU; and, it is a one-time setting so
>> >> >> >>> use of GPO for reapplication is really overkill).
>> >> >> >>>
>> >> >> >>> --
>> >> >> >>> Roger Abell
>> >> >> >>> Microsoft MVP (Windows Security)
>> >> >> >>> MCSE (W2k3,W2k,Nt4) MCDBA
>> >> >> >>> "Nut Cracker" <nutcracker@internationalhacker.org> wrote in
>> >> >> >>> message
>> >> >> >>> news:OdJumX%23$EHA.3820@TK2MSFTNGP11.phx.gbl...
>> >> >> >>>> Hello All,
>> >> >> >>>>
>> >> >> >>>> I have a situation where the Default Domain Policy (DDP) is
>> >> >> >>>> configured for passwords to expire in 90 days. I have an OU
>> >> >> >>>> full of service accounts that I don't want to be subject to
>> >> >> >>>> that policy.
>> >> >> >>>>
>> >> >> >>>> How do I go about creating an exclusion from the DDP for this
>> >> >> >>>> OU? I am told that I can only set the password policy at the
>> >> >> >>>> DDP level, so I'm kinda in a lurch here.
>> >> >> >>>>
>> >> >> >>>> Thank you for any light you can shed on this.
>> >> >> >>>>
>> >> >> >>>> - NuTs
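Roger's per-account approach, as an added PowerShell example that is not from the thread: it binds to each user object in a service-account OU through ADSI, sets the userAccountControl bit behind the "Password never expires" checkbox, and reports every exempted account so the exemptions stay inventoried. The OU path is an assumed placeholder and the function names are mine; the domain password policy itself is untouched, and `net accounts` on a DC still shows the effective domain policy as Steve describes.

```powershell
# Added example (not from the thread). Exempts service accounts from the
# domain password-expiry policy one object at a time, then lists the result.
$OuPath = 'LDAP://OU=ServiceAccounts,DC=example,DC=com'   # assumption: your OU
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000                        # "Password never expires"
$ADS_UF_ACCOUNTDISABLE     = 0x2                            # account disabled bit

function Set-NeverExpires {
    param([string]$Path, [switch]$WhatIf)
    $ou = [ADSI]$Path
    foreach ($obj in $ou.Children) {
        if ($obj.SchemaClassName -ne 'user') { continue }   # skip groups, computers, sub-OUs
        $name = $obj.Properties['sAMAccountName'].Value
        $uac  = [int]$obj.Properties['userAccountControl'].Value
        if ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) {
            Write-Host "$name : already exempt"
            continue
        }
        if ($WhatIf) { Write-Host "$name : would set flag"; continue }
        $obj.Properties['userAccountControl'].Value = $uac -bor $ADS_UF_DONT_EXPIRE_PASSWD
        $obj.SetInfo()                                       # commit the change to the DC
        Write-Host "$name : flag set"
    }
}

function Get-NeverExpiresReport {
    # Inventory of accounts exempt from expiry: these passwords never rotate
    # on their own, so review this list and rotate them on a schedule.
    param([string]$Path)
    $ou = [ADSI]$Path
    foreach ($obj in $ou.Children) {
        if ($obj.SchemaClassName -ne 'user') { continue }
        $uac = [int]$obj.Properties['userAccountControl'].Value
        if ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) {
            [pscustomobject]@{
                Account  = $obj.Properties['sAMAccountName'].Value
                Disabled = [bool]($uac -band $ADS_UF_ACCOUNTDISABLE)
            }
        }
    }
}

# Dry run first, then apply, then report.
Set-NeverExpires -Path $OuPath -WhatIf
Set-NeverExpires -Path $OuPath
Get-NeverExpiresReport -Path $OuPath | Format-Table -AutoSize
```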