Re: OU group policy and how to use ldapsearch to find GPO settings
- From: emily1997 <emily1997@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Mar 2006 12:07:27 -0800
Roger, thanks for helping me.
For the first question, I am not sure you answered my question. Or mabye I
misunderstood. The user I tested with to logon to my unix box is under
ou=test_ou, but I didn't see that the GPO at this OU level been effective for
this user.
For my second question, what I am really interested in are the values for
the three attributes/settings for a particular group policy:
lockoutDuration
lockOutObservationWindow
lockoutThreshold
I need to find a way to use ldapsearch to find these settins for a
particular GPO. To find the default domain policy settings, I can just
search for the root DN. But for the GPO at ou=test_ou level, I cannot find
where these three attributes are, or in what object.
Thanks again for your help.
"Roger Abell [MVP]" wrote:
First question:.
There is only one set of Account policies that are applied to all accounts
of the domain. Setting Account policies at an OU level effects those
policy settings for the machine local account of computers in those OUs.
Second question:
Not sure I understand what you are after, or what you mean by
the new group policy. Your ldap search (a little reckless with the
wildcard) is showing your attributes of the domain object you named.
GPOs are stored partly in AD and partly in the filesystem (SYSVOL).
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"emily1997" <emily1997@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E9C5349C-8DC5-4CA9-92CD-0E3E4C812869@xxxxxxxxxxxxxxxx
Hi, I am from the UNIX world. I have an environment that my HP-UX unix
machine is configured with a Windows 2003 server(single domain). Users in
ADS can logon to my unix box via pam_kerberos.
If I configure the account lockout policy in the default domain policy,
say:
Account lockout duration: 30 min
Account lockout threshold: 5 invalid logon attempts
Reset accout lockout counter after: 30 min
Then an ADS user try to logon to the unix box with an invalid password for
5
times, this user's account will be locked out for 30 minutes. I verified
that this works as expected.
Now, I crated an ou=test_ou, and added a new group policy linked to this
OU,
and I set the accout lockout policy in this new GPO as following:
Account lockout duration: 3 min
Account lockout threshold: 2 invalid logon attempts
Reset accout lockout counter after: 3 min
then I sould expect that a user under ou=test_ou should be locked out if
this user entered bad passwd twice in a row at logon time. But it didn't
work this way. This new group policy some how didn't get applied to this
user. So does anyone know why it didn't work?
The second question I have is: I can use ldapsearch command to find out
the
settings for the default domain policy. For example, I can do the
following:
./ldapsearch -s base -h HOST -p PORT -D administrator@xxxxxxxx -w
PASSWD -b
"DC=test, DC=com" "objectclass=*"|grep -i lockout
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
How can I use ldapsearch command to find out the settings for the new
group
policy?
Thanks in advance for your help.
- Follow-Ups:
- Re: OU group policy and how to use ldapsearch to find GPO settings
- From: Roger Abell [MVP]
- Re: OU group policy and how to use ldapsearch to find GPO settings
- References:
- Re: OU group policy and how to use ldapsearch to find GPO settings
- From: Roger Abell [MVP]
- Re: OU group policy and how to use ldapsearch to find GPO settings
- Prev by Date: Re: Local Administrator Rights Workaround?
- Next by Date: Re: Workstations do not have Group Policy IE settings
- Previous by thread: Re: OU group policy and how to use ldapsearch to find GPO settings
- Next by thread: Re: OU group policy and how to use ldapsearch to find GPO settings
- Index(es):
Relevant Pages
|
