Re: OU group policy and how to use ldapsearch to find GPO settings



First question:
There is only one set of Account policies that are applied to all accounts
of the domain. Setting Account policies at an OU level affects those
policy settings for the machine local accounts of computers in those OUs.

Second question:
Not sure I understand what you are after, or what you mean by
the new group policy. Your ldap search (a little reckless with the
wildcard) is showing your attributes of the domain object you named.
GPOs are stored partly in AD and partly in the filesystem (SYSVOL).

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"emily1997" <emily1997@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E9C5349C-8DC5-4CA9-92CD-0E3E4C812869@xxxxxxxxxxxxxxxx
Hi, I am from the UNIX world. I have an environment where my HP-UX unix
machine is configured with a Windows 2003 server (single domain). Users in
ADS can log on to my unix box via pam_kerberos.

If I configure the account lockout policy in the default domain policy,
say:
Account lockout duration: 30 min
Account lockout threshold: 5 invalid logon attempts
Reset account lockout counter after: 30 min

Then when an ADS user tries to log on to the unix box with an invalid password
5 times, this user's account will be locked out for 30 minutes. I verified
that this works as expected.

Now, I created an ou=test_ou, and added a new group policy linked to this OU,
and I set the account lockout policy in this new GPO as follows:
Account lockout duration: 3 min
Account lockout threshold: 2 invalid logon attempts
Reset account lockout counter after: 3 min

Then I should expect that a user under ou=test_ou should be locked out if
this user entered a bad passwd twice in a row at logon time. But it didn't
work this way. This new group policy somehow didn't get applied to this
user. So does anyone know why it didn't work?

The second question I have is: I can use the ldapsearch command to find out
the settings for the default domain policy. For example, I can do the
following:

./ldapsearch -s base -h HOST -p PORT -D administrator@xxxxxxxx -w PASSWD \
    -b "DC=test, DC=com" "objectclass=*" | grep -i lockout

lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5

How can I use the ldapsearch command to find out the settings for the new
group policy?

Thanks in advance for your help.
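An added illustration of the point Roger makes, not from either poster: the OU's gPLink attribute names the linked GPO objects, each GPO object under cn=policies,cn=system carries gPCFileSysPath, and the lockout numbers themselves are in GptTmpl.inf in SYSVOL, which is why a search of the domain object only ever shows the domain-wide values. The GUIDs, HOST/PORT/PASSWD placeholders and the INF excerpt are constructed samples.

```python
"""Walk an OU's gPLink to its GPOs and read their lockout values (added example).
Constructed sample values throughout; the real GptTmpl.inf is UTF-16LE, stored in
SYSVOL under <gPCFileSysPath>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\."""
import configparser
import re
import shlex

# gPLink = "[LDAP://<GPO DN>;<options>]..." in link order; options bit 0 = link
# disabled, bit 1 = enforced. Constructed: one plain link and one enforced link.
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,"
    "DC=test,DC=com;0]"
    "[LDAP://cn={66666666-7777-8888-9999-000000000000},cn=policies,cn=system,"
    "DC=test,DC=com;2]"
)
# Constructed excerpt of a GPO's GptTmpl.inf; durations are in minutes here.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 2
ResetLockoutCount = 3
LockoutDuration = 3
"""

def parse_gplink(gplink):
    """Return [(gpo_dn, disabled, enforced)] for each GPO linked to the OU."""
    links = []
    for dn, opt in re.findall(r"\[LDAP://([^;\]]+);(\d+)\]", gplink):
        flags = int(opt)
        links.append((dn, bool(flags & 1), bool(flags & 2)))
    return links

def gpo_search_command(gpo_dn, host="HOST", port="PORT", bind_dn="administrator@test.com"):
    """ldapsearch line (same flags as the post) returning the GPO's name and SYSVOL path."""
    return shlex.join(["ldapsearch", "-s", "base", "-h", host, "-p", port, "-D", bind_dn,
                       "-w", "PASSWD", "-b", gpo_dn, "(objectClass=groupPolicyContainer)",
                       "displayName", "gPCFileSysPath"])

def lockout_settings(gpttmpl_text):
    """Pull the account-lockout keys out of the [System Access] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(gpttmpl_text)
    sec = cp["System Access"]
    keys = ("LockoutBadCount", "ResetLockoutCount", "LockoutDuration")
    return {k: int(sec[k]) for k in keys if k in sec}

def ad_interval_to_minutes(value):
    """Domain-object lockoutDuration is a negative count of 100 ns ticks."""
    return -value / 10_000_000 / 60
```

Feeding the domain object's lockoutDuration of -18000000000 from the post into ad_interval_to_minutes gives the 30 minutes set in the default domain policy.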
