Re: Security Policy for OU?
From: ptwilliams (ptw2001_at_hotmail.com)
Date: 11/09/04
- Previous message: ptwilliams: "Re: Win2003 AD Root DC"
- In reply to: Dana Brash: "Re: Security Policy for OU?"
- Next in thread: Dana Brash: "Re: Security Policy for OU?"
- Reply: Dana Brash: "Re: Security Policy for OU?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 9 Nov 2004 08:27:37 -0000
I think that statement should read "The account policies for domain users
only apply if they are applied at the domain level; that is, a GPO highest
in the processing order and linked to the domain".
Some recommend you do nothing with the DDP and DDCP and create your own.
The DCs pull this info. from the domain; not from a specific linked GPO
(such as DDP). Just the domain.
-- Paul Williams http://www.msresource.net http://forums.msresource.net "Dana Brash" <dbrash@gmail.com> wrote in message news:%23RV5ROixEHA.3968@TK2MSFTNGP10.phx.gbl... Sorry for being unclear. Assuming that the policy can be linked, my question is based on Ulf's assertion that: "The account policies for domain users only apply if they are in the default domain policy." Even if the parent's "DDP" is applied at the Child's Toplevel, would the account policies take effect? -- HTH, =d= Dana Brash MCSE, MCDBA, MCSA dbrash@NOSPAM.gmail.com "ptwilliams" <ptw2001@hotmail.com> wrote in message news:ujT58bexEHA.3260@TK2MSFTNGP10.phx.gbl... > You can link policies anywhere (appropriate permissions allowing) a policy > can be linked to, so I see no reason why you couldn't link the parent > domain's DDP to a lower domain. > > -- > > Paul Williams > > http://www.msresource.net > http://forums.msresource.net > > > "Dana Brash" <dbrash@gmail.com> wrote in message > news:OVXbTIVxEHA.1392@tk2msftngp13.phx.gbl... > But you can link a GPO from the parent domain to an OU in the child > domain. > Since I just broke my lab, I can't confirm, but is it possible to link the > Default Domain Policy from the Parent domain to the top level of the Child > domain and have these settings take effect? Or would these settings need > to > be recreated in the default domain policy of the child domain? This seems > redundant... > -- > HTH, > =d= > > > Dana Brash > MCSE, MCDBA, MCSA > > dbrash@NOSPAM.gmail.com > > "Steve Bruce, mct" <swb_mct@msn.com> wrote in message > news:%23S$ZoCVxEHA.1264@TK2MSFTNGP12.phx.gbl... >> There is no policy inheritance from parent to child domains for any types >> of policies. >> >> >> "frankcvc" <frankcvc@discussions.microsoft.com> wrote in message >> news:C9AFC5AD-2EEE-4AF7-B742-C5199E86E8DE@microsoft.com... >>> >>> Thanks for your response, Ulf. I guess, for an OU, it can only inherit >>> the >>> domain's account policies. Although you may create a policy for an OU >>> with >>> Account Policy configured, it wouldn't take any effect.. >>> >>> Would a domain policy be inherited by its child domain? Couldn't test it >>> since I am running a single domain forest. >>> >>> Frank >>> >>> "Ulf B. Simon-Weidner [MVP]" wrote: >>> >>>> "frankcvc" <frankcvc@discussions.microsoft.com> wrote in message >>>> news:frankcvc@discussions.microsoft.com: >>>> > Can you set up the security GPO at OU level, such as account and >>>> > password >>>> > policies? I created such a policy but it didn't work. If it doesn't >>>> > work, >>>> > why >>>> > Microsoft still made the options available in GPO editor? >>>> > Is there are a way to block domain default security settings? Tried >>>> > to >>>> > but >>>> > it didn't work either. Wish someone could confirm my testing result. >>>> > >>>> > Many thanks, >>>> > >>>> >>>> Hello Frank, >>>> >>>> The account policies for domain users only apply if they are in the >>>> default domain policy. >>>> >>>> Account policies in every other policy only apply to local useraccount >>>> for the machine on whose the policy applies. E.g. the default domain >>>> controller policy only applies for the local sam, that means the local >>>> administrator account which is used to access the directory restore >>>> mode. >>>> >>>> -- >>>> Gruesse - Sincerely, >>>> >>>> Ulf B. Simon-Weidner >>>> >>>> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz >>>> Weblog: http://msmvps.org/UlfBSimonWeidner >>>> WebSite: http://www.windowsserverfaq.org >>>> >> >> > > >
- Previous message: ptwilliams: "Re: Win2003 AD Root DC"
- In reply to: Dana Brash: "Re: Security Policy for OU?"
- Next in thread: Dana Brash: "Re: Security Policy for OU?"
- Reply: Dana Brash: "Re: Security Policy for OU?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
