Re: Security Policy for OU?
From: Dana Brash (dbrash_at_gmail.com)
Date: 11/09/04
- Next message: Chad A. Lacy: "RE: GPO Error Applying Computer Policy to DC"
- Previous message: Dustin: "Event 1000 Userenv"
- In reply to: ptwilliams: "Re: Security Policy for OU?"
- Next in thread: Ulf B. Simon-Weidner [MVP]: "Re: Security Policy for OU?"
- Reply: Ulf B. Simon-Weidner [MVP]: "Re: Security Policy for OU?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 9 Nov 2004 22:03:44 +0800
OK, thanks for the clarification. I thought I'd been doing it wrong
somehow. ;-) Actually, it's always worked for me just as you've described,
but I didn't know if perhaps things had changed in 2003.
=d=
Dana Brash
MCSE, MCDBA, MCSA
dbrash@NOSPAM.gmail.com
"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:OyaN5XjxEHA.3624@TK2MSFTNGP09.phx.gbl...
> I think that statement should read "The account policies for domain users
> only apply if they are applied at the domain level; that is, a GPO highest
> in the processing order and linked to the domain".
>
> Some recommend you do nothing with the DDP and DDCP and create your own.
> The DCs pull this info. from the domain; not from a specific linked GPO
> (such as DDP). Just the domain.
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net
> http://forums.msresource.net
>
>
> "Dana Brash" <dbrash@gmail.com> wrote in message
> news:%23RV5ROixEHA.3968@TK2MSFTNGP10.phx.gbl...
> Sorry for being unclear. Assuming that the policy can be linked, my
> question is based on Ulf's assertion that:
>
> "The account policies for domain users only apply if they are in the
> default domain policy."
>
> Even if the parent's "DDP" is applied at the Child's Toplevel, would the
> account policies take effect?
>
>
> --
> HTH,
> =d=
>
>
> Dana Brash
> MCSE, MCDBA, MCSA
>
> dbrash@NOSPAM.gmail.com
>
> "ptwilliams" <ptw2001@hotmail.com> wrote in message
> news:ujT58bexEHA.3260@TK2MSFTNGP10.phx.gbl...
>> You can link policies anywhere (appropriate permissions allowing) a policy
>> can be linked to, so I see no reason why you couldn't link the parent
>> domain's DDP to a lower domain.
>>
>> --
>>
>> Paul Williams
>>
>> http://www.msresource.net
>> http://forums.msresource.net
>>
>>
>> "Dana Brash" <dbrash@gmail.com> wrote in message
>> news:OVXbTIVxEHA.1392@tk2msftngp13.phx.gbl...
>> But you can link a GPO from the parent domain to an OU in the child domain.
>> Since I just broke my lab, I can't confirm, but is it possible to link the
>> Default Domain Policy from the Parent domain to the top level of the Child
>> domain and have these settings take effect? Or would these settings need to
>> be recreated in the default domain policy of the child domain? This seems
>> redundant...
>> --
>> HTH,
>> =d=
>>
>>
>> Dana Brash
>> MCSE, MCDBA, MCSA
>>
>> dbrash@NOSPAM.gmail.com
>>
>> "Steve Bruce, mct" <swb_mct@msn.com> wrote in message
>> news:%23S$ZoCVxEHA.1264@TK2MSFTNGP12.phx.gbl...
>>> There is no policy inheritance from parent to child domains for any types
>>> of policies.
>>>
>>>
>>> "frankcvc" <frankcvc@discussions.microsoft.com> wrote in message
>>> news:C9AFC5AD-2EEE-4AF7-B742-C5199E86E8DE@microsoft.com...
>>>>
>>>> Thanks for your response, Ulf. I guess, for an OU, it can only inherit the
>>>> domain's account policies. Although you may create a policy for an OU with
>>>> Account Policy configured, it wouldn't take any effect.
>>>>
>>>> Would a domain policy be inherited by its child domain? Couldn't test it
>>>> since I am running a single domain forest.
>>>>
>>>> Frank
>>>>
>>>> "Ulf B. Simon-Weidner [MVP]" wrote:
>>>>
>>>>> "frankcvc" <frankcvc@discussions.microsoft.com> wrote in message
>>>>> news:frankcvc@discussions.microsoft.com:
>>>>> > Can you set up the security GPO at OU level, such as account and password
>>>>> > policies? I created such a policy but it didn't work. If it doesn't work,
>>>>> > why did Microsoft still make the options available in GPO editor?
>>>>> > Is there a way to block domain default security settings? Tried to but
>>>>> > it didn't work either. Wish someone could confirm my testing result.
>>>>> >
>>>>> > Many thanks,
>>>>> >
>>>>>
>>>>> Hello Frank,
>>>>>
>>>>> The account policies for domain users only apply if they are in the
>>>>> default domain policy.
>>>>>
>>>>> Account policies in every other policy only apply to local user accounts
>>>>> on the machine to which the policy applies. E.g. the default domain
>>>>> controller policy only applies to the local SAM, that means the local
>>>>> administrator account which is used to access the directory restore
>>>>> mode.
>>>>>
>>>>> --
>>>>> Gruesse - Sincerely,
>>>>>
>>>>> Ulf B. Simon-Weidner
>>>>>
>>>>> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>>>>> Weblog: http://msmvps.org/UlfBSimonWeidner
>>>>> WebSite: http://www.windowsserverfaq.org
>>>>>
>>>
>>>
>>
>>
>>
>
>
>
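Added example, not part of the original thread: an audit of where account-policy settings are defined, separating GPOs linked at the domain level (the only place they affect domain users, per the replies above) from OU-linked GPOs whose settings only reach the local SAM of computers in that OU. It assumes the ActiveDirectory and GroupPolicy RSAT modules and that every linked GPO lives in the current domain's SYSVOL; the function name `Get-GpoAccountSetting` is hypothetical.

```powershell
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
# Keys of the [System Access] section that make up password and lockout policy.
$accountKeys = 'MinimumPasswordLength','PasswordComplexity','PasswordHistorySize',
               'MaximumPasswordAge','MinimumPasswordAge',
               'LockoutBadCount','ResetLockoutCount','LockoutDuration'

# Hypothetical helper: read account-policy values from a GPO's security template.
function Get-GpoAccountSetting {
    param([guid]$GpoId, [string]$DnsRoot)
    $folder = $GpoId.ToString('B')   # "{xxxxxxxx-...}" as used under SYSVOL\Policies
    $inf = "\\$DnsRoot\SYSVOL\$DnsRoot\Policies\$folder\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { return }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$' -and
            $accountKeys -contains $Matches[1]) {
            [pscustomobject]@{ Setting = $Matches[1]; Value = $Matches[2] }
        }
    }
}

# Check the domain head and every OU; only enabled, directly linked GPOs are read.
$targets = @($domain.DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $scope = if ($dn -eq $domain.DistinguishedName) { 'Domain users (domain-level link)' }
             else { 'Local SAM accounts only (OU link)' }
    foreach ($link in (Get-GPInheritance -Target $dn).GpoLinks | Where-Object Enabled) {
        Get-GpoAccountSetting -GpoId $link.GpoId -DnsRoot $domain.DNSRoot |
            Select-Object @{n='LinkedTo';e={$dn}}, @{n='Gpo';e={$link.DisplayName}},
                          Setting, Value, @{n='AppliesTo';e={$scope}}
    }
}
$report | Sort-Object AppliesTo, LinkedTo | Format-Table -AutoSize

# What domain users actually get, for comparison with the rows above.
Get-ADDefaultDomainPasswordPolicy
```

Rows marked "Local SAM accounts only" are the case the original poster hit: the setting is accepted by the editor but does not change the policy for domain accounts.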