Re: 2003 R2 and Group Policies
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 29 Mar 2006 21:46:15 -0700
not laughing, but a few comments
"Dug Yodi" <dugyodi@xxxxxxxxx> wrote in message
news:1143665641.202841.96080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Ok, nobody laugh at me... here's the deal.
> 1. You can only have one Password Account and Account Lockout Policy
> per domain which is defined in the Default Domain Policy.
defined in a GPO linked to the domain (not necessarily the Default Domain
Policy)
> 2. Block Inheritance has no effect on these policies.
Actually it does, but not for domain accounts.
Consider, GPO 1 linked to OU 1, GPO 2 linked to OU 2 which OU is
a subOU within OU 1. Both GPO 1 and GPO 2 set values for Account
Policies. If OU 2 does not block policies, then the merge of Account
Policy settings from Domain, then GPO 1, and finally GPO 2 will apply
to the local SAM of any machines within OU 2. If OU 2 does block
policies, then only Account policies defined in GPO 2 are used in those
machines (unless upper GPOs have "enforced", aka "no override" set).
> 3. The local policies that were active when the server was promoted to
> DC will be active if the Default Domain Policy is set to disabled.
> 4. When in doubt run "net accounts" from command prompt and it will
> reveal the current policy settings that are active.
> Clear as mud?
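The OU 1 / OU 2 scenario from the reply above, as a small model; this is an added example, not part of the original post. It is a simplified sketch of GPO precedence for the local SAM of member machines (not for domain accounts), and the function names, GPO contents and values are constructed for illustration.

```python
# Simplified model (an assumption, not Microsoft's implementation) of which
# Account Policy values reach the local SAM of a machine inside nested OUs.

def effective_account_policy(chain):
    """chain: containers ordered from the domain down to the machine's OU.
    container = {"block": bool, "gpos": [gpo, ...]}
    gpo = {"name": str, "enforced": bool, "settings": {key: value}}
    Returns {key: (value, name of the GPO that supplied it)}."""
    normal, enforced = [], []
    for container in chain:
        if container["block"]:
            normal = []  # Block Inheritance drops non-enforced GPOs from above
        for gpo in container["gpos"]:
            (enforced if gpo["enforced"] else normal).append(gpo)
    result = {}
    # Non-enforced GPOs merge top-down, so the GPO closest to the machine wins.
    # Enforced ("no override") GPOs are applied last and survive blocking;
    # reversing them lets the highest-level enforced GPO win a conflict.
    for gpo in normal + enforced[::-1]:
        for key, value in gpo["settings"].items():
            result[key] = (value, gpo["name"])
    return result

def sample_chain(block_ou2=False, enforce_gpo1=False):
    """Constructed sample: domain GPO, GPO 1 on OU 1, GPO 2 on sub-OU 2."""
    domain = {"block": False, "gpos": [
        {"name": "Domain GPO", "enforced": False,
         "settings": {"MinimumPasswordLength": 8, "LockoutBadCount": 5}}]}
    ou1 = {"block": False, "gpos": [
        {"name": "GPO 1", "enforced": enforce_gpo1,
         "settings": {"MinimumPasswordLength": 10, "MaximumPasswordAge": 60}}]}
    ou2 = {"block": block_ou2, "gpos": [
        {"name": "GPO 2", "enforced": False,
         "settings": {"LockoutBadCount": 3}}]}
    return [domain, ou1, ou2]

if __name__ == "__main__":
    cases = [("no block", {}),
             ("OU 2 blocks inheritance", {"block_ou2": True}),
             ("OU 2 blocks, GPO 1 enforced",
              {"block_ou2": True, "enforce_gpo1": True})]
    for label, kwargs in cases:
        print(label)
        policy = effective_account_policy(sample_chain(**kwargs))
        for key, (value, source) in sorted(policy.items()):
            print(f"  {key} = {value}  (from {source})")
```

On a real machine in OU 2, `net accounts` shows the values that actually landed in the local SAM, which is the check to run against whatever a model like this predicts.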