Re: AD and GPO's

From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 09/15/04 

Date: Wed, 15 Sep 2004 09:34:31 +0100

Steve,

Is this on Server 2003 as I am trying to reproduce your anomaly, and I am
just not getting the same results.
The Default Domain Policy is not being over ridden by an OU policy
containing changes to password length where the OU is more restrictive then
the Default Domain Policy. 

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no
rights
Please note I cannot respond to e-mailed questions, please use these
newsgroups
"Steve Bruce, mct" <steve@xmaslake.com> wrote in message
news:ecFPmupmEHA.3756@TK2MSFTNGP09.phx.gbl...
> Mike,
>
> I teach the MOC which agrees with you . .  . BUT in a classroom right here
> , right now, we ran several tests.
>
> The Results:   You can set more restrictive account policies at the OU
> level, and they take effect.
> Less restrictive account policies set at the OU level are overwritten by
> the domain policy.
>
> Specifically:
> DOMAIN Password Length  = 8
> OU Password Length = 10
> RESULT         10 is enforced
>
> DOMAIN Password Length  = 10
> OU Password Length = 8
> RESULT        10 is enforced
>
>
>
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:egnxJlomEHA.1692@TK2MSFTNGP10.phx.gbl...
>> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
>> news:2qoog6F1194rjU1@uni-berlin.de...
>>> We have differing user requirements in our domain, so I changed the
>>> domain
>>> and default domain policies for password to 'Not configured' and changed
>>> the
>>> relevant OUs that contained my users.
>>>
>>> Please note that simply changing those policies to 'Not Configured' will
>>> NOT
>>> change the previous policy setting.  You have to define them elsewhere
>>> for
>>> your needs to be implemented.
>>
>> That will not work.  The security policy setting for passwords and some
>> of the Kerberos settings are only changeable in the default domain
>> policy. If you change them elsewhere they will have no effect.
>>
>> -- 
>>
>> Regards,
>>
>> Mike
>> --
>> Mike Brannigan [Microsoft]
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights
>>
>> Please note I cannot respond to e-mailed questions, please use these
>> newsgroups
>>
>> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
>> news:2qoog6F1194rjU1@uni-berlin.de...
>>> We have differing user requirements in our domain, so I changed the
>>> domain
>>> and default domain policies for password to 'Not configured' and changed
>>> the
>>> relevant OUs that contained my users.
>>>
>>> Please note that simply changing those policies to 'Not Configured' will
>>> NOT
>>> change the previous policy setting.  You have to define them elsewhere
>>> for
>>> your needs to be implemented.
>>>
>>> BOFH
>>>
>>> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
>>> news:#rL#K#nmEHA.3896@TK2MSFTNGP15.phx.gbl...
>>>> The Group Policy Template is the same regardless of where you link it
>>>> so
>>> the
>>>> option "appears" to be possible at the OU level.
>>>>
>>>> Account Polciies can only be implemented at the domain level however >
>>>> it
>>>> make sense because users can access resources anywhere in the domain,
>>>> so
>>>> their password requirements should be consistent across the domain.
>>>>
>>>>
>>>>
>>>>
>>>> "hendricm2003" <hendricm2003@discussions.microsoft.com> wrote in
>>>> message
>>>> news:1CE18C4C-EF9D-4BDB-91C1-7AE8F0A05E69@microsoft.com...
>>>> > If you can only define a password policy in the default domain
>>>> > settings,
>>>> > why
>>>> > do they give you the option to do it in an OU?  I want to have
>>>> > different
>>>> > password policy settings for each container.  Is that possible?
>>>> >
>>>> > -Matt
>>>>
>>>>
>>>
>>>
>>
>>
>
>