Re: AD and GPO's

From: BOFH (john.hamilton70_at_ntlworld.com)
Date: 09/15/04 

Date: Wed, 15 Sep 2004 16:42:22 +0100

Yeah, Windows Server 2003...here are my settings on the Domain Policy...>

Enforce password history Not Defined
Maximum password age Not Defined
Minimum password age Not Defined
Minimum password length Not Defined
Password must meet complexity requirements Not Defined
Store passwords using reversible encryption Not Defined

And my 2 OU's for users have differing settings, one for staff and one for
Students.

BOFH

"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:uznWU7vmEHA.2020@TK2MSFTNGP09.phx.gbl...
> Steve,
>
> Is this on Server 2003 as I am trying to reproduce your anomaly, and I am
> just not getting the same results.
> The Default Domain Policy is not being over ridden by an OU policy
> containing changes to password length where the OU is more restrictive
then
> the Default Domain Policy.
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
> news:ecFPmupmEHA.3756@TK2MSFTNGP09.phx.gbl...
> > Mike,
> >
> > I teach the MOC which agrees with you . . . BUT in a classroom right
here
> > , right now, we ran several tests.
> >
> > The Results: You can set more restrictive account policies at the OU
> > level, and they take effect.
> > Less restrictive account policies set at the OU level are overwritten by
> > the domain policy.
> >
> > Specifically:
> > DOMAIN Password Length = 8
> > OU Password Length = 10
> > RESULT 10 is enforced
> >
> > DOMAIN Password Length = 10
> > OU Password Length = 8
> > RESULT 10 is enforced
> >
> >
> >
> > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> > news:egnxJlomEHA.1692@TK2MSFTNGP10.phx.gbl...
> >> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
> >> news:2qoog6F1194rjU1@uni-berlin.de...
> >>> We have differing user requirements in our domain, so I changed the
> >>> domain
> >>> and default domain policies for password to 'Not configured' and
changed
> >>> the
> >>> relevant OUs that contained my users.
> >>>
> >>> Please note that simply changing those policies to 'Not Configured'
will
> >>> NOT
> >>> change the previous policy setting. You have to define them elsewhere
> >>> for
> >>> your needs to be implemented.
> >>
> >> That will not work. The security policy setting for passwords and some
> >> of the Kerberos settings are only changeable in the default domain
> >> policy. If you change them elsewhere they will have no effect.
> >>
> >> --
> >>
> >> Regards,
> >>
> >> Mike
> >> --
> >> Mike Brannigan [Microsoft]
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights
> >>
> >> Please note I cannot respond to e-mailed questions, please use these
> >> newsgroups
> >>
> >> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
> >> news:2qoog6F1194rjU1@uni-berlin.de...
> >>> We have differing user requirements in our domain, so I changed the
> >>> domain
> >>> and default domain policies for password to 'Not configured' and
changed
> >>> the
> >>> relevant OUs that contained my users.
> >>>
> >>> Please note that simply changing those policies to 'Not Configured'
will
> >>> NOT
> >>> change the previous policy setting. You have to define them elsewhere
> >>> for
> >>> your needs to be implemented.
> >>>
> >>> BOFH
> >>>
> >>> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
> >>> news:#rL#K#nmEHA.3896@TK2MSFTNGP15.phx.gbl...
> >>>> The Group Policy Template is the same regardless of where you link it
> >>>> so
> >>> the
> >>>> option "appears" to be possible at the OU level.
> >>>>
> >>>> Account Polciies can only be implemented at the domain level however
>
> >>>> it
> >>>> make sense because users can access resources anywhere in the domain,
> >>>> so
> >>>> their password requirements should be consistent across the domain.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> "hendricm2003" <hendricm2003@discussions.microsoft.com> wrote in
> >>>> message
> >>>> news:1CE18C4C-EF9D-4BDB-91C1-7AE8F0A05E69@microsoft.com...
> >>>> > If you can only define a password policy in the default domain
> >>>> > settings,
> >>>> > why
> >>>> > do they give you the option to do it in an OU? I want to have
> >>>> > different
> >>>> > password policy settings for each container. Is that possible?
> >>>> >
> >>>> > -Matt
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>
>