Re: Security Policy for OU?
From: ptwilliams (ptw2001_at_hotmail.com)
Date: 11/08/04
- Next message: ptwilliams: "Re: "Screen Saver Protection""
- Previous message: Cary Fields: "Re: Delegate Control question"
- In reply to: frankcvc: "Re: Security Policy for OU?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 8 Nov 2004 23:11:07 -0000
If you think about this, everything makes sense. When you log on using a
domain account the DC authenticates you - not the local SAM. Therefore
applying the policy at a level whereby the domain controllers are not within
scope will only apply that policy to the machines within scope - hence, the
new restrictions at the local SAM level.
What complicates things here is that there's a 'special' aspect to this,
whereby the domain controllers 'pull' this info. from the domain only (as
they are the domain).
You may also wish to apply local restrictions to machines - so that any local
accounts cannot have silly or blank passwords (although there is a
workaround that will enable user accounts to not have any password even with
password restrictions in place).
Hope this helps,
(If management give you hassle, tell them you'll need a new domain and
therefore at least another two servers and services licenses - they'll soon
forget about how difficult it is to put a capital letter and a number in
their Pa55w0rd ;-)
--
Paul Williams
http://www.msresource.net
http://forums.msresource.net

"frankcvc" <frankcvc@discussions.microsoft.com> wrote in message
news:C9AFC5AD-2EEE-4AF7-B742-C5199E86E8DE@microsoft.com...
Thanks for your response, Ulf.
I guess, for an OU, it can only inherit the domain's account policies.
Although you may create a policy for an OU with Account Policy configured,
it wouldn't take any effect.
Would a domain policy be inherited by its child domain? Couldn't test it
since I am running a single domain forest.
Frank

"Ulf B. Simon-Weidner [MVP]" wrote:
> "frankcvc" <frankcvc@discussions.microsoft.com> wrote in message
> news:frankcvc@discussions.microsoft.com:
> > Can you set up the security GPO at OU level, such as account and password
> > policies? I created such a policy but it didn't work. If it doesn't work,
> > why did Microsoft still make the options available in GPO editor?
> > Is there a way to block domain default security settings? Tried to but
> > it didn't work either. Wish someone could confirm my testing result.
> >
> > Many thanks,
> >
>
> Hello Frank,
>
> The account policies for domain users only apply if they are in the
> default domain policy.
>
> Account policies in every other policy only apply to local user accounts
> for the machine to which the policy applies. E.g. the default domain
> controller policy only applies for the local SAM, that means the local
> administrator account which is used to access the directory restore
> mode.
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> Weblog: http://msmvps.org/UlfBSimonWeidner
> WebSite: http://www.windowsserverfaq.org
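
The scoping rule described in this thread, as an added example that is not part of any poster's message: it reads the `[System Access]` section of a GPO security template (`GptTmpl.inf`) and reports whose passwords the settings would govern, given where the GPO is linked. The domain name, GPO names and template bodies are constructed, and "linked at the domain root" is an assumption standing in for the default domain policy mentioned above.

```python
import configparser

# [System Access] keys of a GPO security template (GptTmpl.inf) that
# carry the password and lockout policy.
ACCOUNT_KEYS = {
    "minimumpasswordage", "maximumpasswordage", "minimumpasswordlength",
    "passwordcomplexity", "passwordhistorysize",
    "lockoutbadcount", "resetlockoutcount", "lockoutduration",
}
DOMAIN_DN = "DC=example,DC=com"  # constructed sample domain

# Constructed template bodies, not taken from a real domain.
DOMAIN_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""
OU_INF = """[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
"""
SAMPLE_GPOS = [
    ("Default Domain Policy", DOMAIN_INF, DOMAIN_DN),
    ("OU Strict Passwords", OU_INF, "OU=Sales,DC=example,DC=com"),
]

def account_settings(inf_text):
    """Return the account-policy settings defined in a GptTmpl.inf body."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    return {k: v.strip() for k, v in parser.items("System Access")
            if k in ACCOUNT_KEYS}

def report(gpos, domain_dn):
    """For each (name, inf_text, link_target), say which accounts it governs."""
    rows = []
    for name, inf_text, link in gpos:
        settings = account_settings(inf_text)
        if not settings:
            scope = "no account policy defined"
        elif link.lower() == domain_dn.lower():
            scope = "domain accounts"
        else:  # OU link: domain logons are still validated by the DC
            scope = "local SAM accounts on computers under " + link
        rows.append((name, scope, settings))
    return rows

if __name__ == "__main__":
    for name, scope, settings in report(SAMPLE_GPOS, DOMAIN_DN):
        print(f"{name}: {scope}: {settings}")
```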