Re: AD and GPO's

From: Steve Bruce, mct (swb_mct_at_msn.com)
Date: 09/15/04 

Date: Wed, 15 Sep 2004 12:52:32 -0500

Yes it is on server 2003. An yes we did it on 6 different domains in a
classroom - same results in all 6 cases. We only tested password length
because it is the one that can be verified in a short period of time.

Password policies can be more restrictive on OU's

This must be is a change with Server 2003 - because I am pretty sure that it
was not true with 2000.

"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:uznWU7vmEHA.2020@TK2MSFTNGP09.phx.gbl...
> Steve,
>
> Is this on Server 2003 as I am trying to reproduce your anomaly, and I am
> just not getting the same results.
> The Default Domain Policy is not being over ridden by an OU policy
> containing changes to password length where the OU is more restrictive
> then the Default Domain Policy.
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
> news:ecFPmupmEHA.3756@TK2MSFTNGP09.phx.gbl...
>> Mike,
>>
>> I teach the MOC which agrees with you . . . BUT in a classroom right
>> here
>> , right now, we ran several tests.
>>
>> The Results: You can set more restrictive account policies at the OU
>> level, and they take effect.
>> Less restrictive account policies set at the OU level are overwritten by
>> the domain policy.
>>
>> Specifically:
>> DOMAIN Password Length = 8
>> OU Password Length = 10
>> RESULT 10 is enforced
>>
>> DOMAIN Password Length = 10
>> OU Password Length = 8
>> RESULT 10 is enforced
>>
>>
>>
>> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
>> news:egnxJlomEHA.1692@TK2MSFTNGP10.phx.gbl...
>>> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
>>> news:2qoog6F1194rjU1@uni-berlin.de...
>>>> We have differing user requirements in our domain, so I changed the
>>>> domain
>>>> and default domain policies for password to 'Not configured' and
>>>> changed
>>>> the
>>>> relevant OUs that contained my users.
>>>>
>>>> Please note that simply changing those policies to 'Not Configured'
>>>> will
>>>> NOT
>>>> change the previous policy setting. You have to define them elsewhere
>>>> for
>>>> your needs to be implemented.
>>>
>>> That will not work. The security policy setting for passwords and some
>>> of the Kerberos settings are only changeable in the default domain
>>> policy. If you change them elsewhere they will have no effect.
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Mike
>>> --
>>> Mike Brannigan [Microsoft]
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights
>>>
>>> Please note I cannot respond to e-mailed questions, please use these
>>> newsgroups
>>>
>>> "BOFH" <john.hamilton70@ntlworld.com> wrote in message
>>> news:2qoog6F1194rjU1@uni-berlin.de...
>>>> We have differing user requirements in our domain, so I changed the
>>>> domain
>>>> and default domain policies for password to 'Not configured' and
>>>> changed
>>>> the
>>>> relevant OUs that contained my users.
>>>>
>>>> Please note that simply changing those policies to 'Not Configured'
>>>> will
>>>> NOT
>>>> change the previous policy setting. You have to define them elsewhere
>>>> for
>>>> your needs to be implemented.
>>>>
>>>> BOFH
>>>>
>>>> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
>>>> news:#rL#K#nmEHA.3896@TK2MSFTNGP15.phx.gbl...
>>>>> The Group Policy Template is the same regardless of where you link it
>>>>> so
>>>> the
>>>>> option "appears" to be possible at the OU level.
>>>>>
>>>>> Account Polciies can only be implemented at the domain level however >
>>>>> it
>>>>> make sense because users can access resources anywhere in the domain,
>>>>> so
>>>>> their password requirements should be consistent across the domain.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> "hendricm2003" <hendricm2003@discussions.microsoft.com> wrote in
>>>>> message
>>>>> news:1CE18C4C-EF9D-4BDB-91C1-7AE8F0A05E69@microsoft.com...
>>>>> > If you can only define a password policy in the default domain
>>>>> > settings,
>>>>> > why
>>>>> > do they give you the option to do it in an OU? I want to have
>>>>> > different
>>>>> > password policy settings for each container. Is that possible?
>>>>> >
>>>>> > -Matt
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>