Re: Default Domain Policy
From: Marsha (Marsha_at_discussions.microsoft.com)
Date: 11/12/04
Date: Thu, 11 Nov 2004 18:19:02 -0800
Thanks for your help!! I'll have to do some testing and I have considered
the other domain theory. Just seems like such a waste, but it may be the
only option if the override on the user account doesn't work. Appreciate
your insight.
"ptwilliams" wrote:
> > can setting the 'password never expires' parameter on the user account
> > block a domain policy?
>
> I would think this overrides, but would have to run some tests to be sure.
>
>
> > If I have service accounts or dial up users using cached profiles that I
> > want to exclude from the domain password policy, can I do it at the
> > individual user level?
>
> The only way I know of how to do this is to not have a password : (
> -- http://www.msresource.net/content/view/21/48/
>
>
> > Any suggestions or insight?
>
> Nothing other than what I've written. In the literature, this is one of the
> reasons they give you for another domain.
>
> Sorry,
>
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net
> http://forums.msresource.net
>
>
> "Marsha" <Marsha@discussions.microsoft.com> wrote in message
> news:1B9ABC25-0AB0-4624-9F12-61081B20A78F@microsoft.com...
> One last question...can setting the 'password never expires' parameter on
> the user account block a domain policy? If I have service accounts or dial up
> users using cached profiles that I want to exclude from the domain password
> policy, can I do it at the individual user level? I have generic accounts,
> service accounts, and those dial up users whose cached accounts would never
> get updated and I'm looking for any way to exclude them. Any suggestions or
> insight?
>
> "ptwilliams" wrote:
>
> > I understand policy application order and precedence. What I don't
> > understand is how what you claim to work does indeed work. This doesn't
> > affect individual computers (it does, but not in the context that we're
> > talking about) - it affects domain controllers and therefore the domain.
> > So how does setting a policy at the OU level affect how the DCs process
> > logon requests?
> >
> > Seeing what you've tested and are now stating, perhaps one of the AD
> > Developers could get involved. This is contrary to all documentation that
> > I've read, and goes against how I understand this works...
> >
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net
> > http://forums.msresource.net
> >
> >
> > "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
> > news:OAfMUHyxEHA.1452@TK2MSFTNGP11.phx.gbl...
> > As the administrator, you can link different policies to Sites, Domains and
> > OU's.
> >
> > The order of precedence is also Site > Domain > OU. meaning that if a
> > Domain Policy setting conflicts with a Site setting, the domain setting
> > prevails and if an OU setting conflicts with a Site or Domain setting, the
> > OU policy prevails.
> >
> > "ptwilliams" <ptw2001@hotmail.com> wrote in message
> > news:uHejHZexEHA.2192@TK2MSFTNGP14.phx.gbl...
> > > Can you explain how that can work?
> > >
> > > Obviously this will be the case at the local SAM. But how can a DC
> > > process differing policies based on the logical location within the
> > > database?
> > >
> > >
> > > --
> > >
> > > Paul Williams
> > >
> > > http://www.msresource.net
> > > http://forums.msresource.net
> > >
> > >
> > > "Steve Bruce, mct" <swb_mct@msn.com> wrote in message
> > > news:uogj$BVxEHA.3416@TK2MSFTNGP09.phx.gbl...
> > > You will probably get some contradictory info on this question. It is
> > > generally held by Microsoft and all Microsoft experts that account
> > > policies are a domain wide property.
> > >
> > > However with Server 2003 domains it has been found that settings more
> > > restrictive than the domain policy can be set at the OU level, but not
> > > less restrictive policies. You will get people saying that this isn't
> > > true and stating that there can only be a single account policy in
> > > effect for the entire domain. To everyone's surprise it can be
> > > demonstrated by anyone who takes the time to test, that more restrictive
> > > policies can be effected at the OU level.
> > >
> > > You could approach your objective by leaving the domain policy
> > > non-restrictive, then place more restrictive policies per OU. This
> > > would not involve blocking the policy from the domain which by design
> > > does not work.
> > >
> > >
> > >
> > > "Marsha" <Marsha@discussions.microsoft.com> wrote in message
> > > news:E2B12292-1D83-4329-B469-BB01E40601F3@microsoft.com...
> > >> Hi,
> > >>
> > >> I am trying to slowly implement our password policy throughout our
> > >> domain. Management does not want to turn the password policy on for
> > >> everyone at the same time for fear of an overwhelming number of help
> > >> desk calls. My objective is to block inheritance of the default domain
> > >> policy for the OU's that I want to wait to apply the policy and leave
> > >> the other OU's open. I've tested this and found that it does not work.
> > >> My question is...can I block the default domain policy (which does not
> > >> have the no override set) for specific OU's until I am ready to apply
> > >> the policy to everyone? Thanks so much for any feedback. I'm beyond
> > >> frustrated!
> > >>
> > >> Marsha
> > >
> > >
> > >
> >
> >
> >
> >
>
>
>
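Added example, not part of the thread: the 'password never expires' checkbox discussed above is the UF_DONT_EXPIRE_PASSWD bit (0x10000) of userAccountControl, and it exempts an account from the maximum password age only. This sketch buckets accounts before a staged rollout so service, generic and dial-up accounts can be reviewed first; the account names, dates, the 42-day age and the record layout are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits.
UF_PASSWD_NOTREQD = 0x0020       # account may have a blank password
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000  # the "password never expires" checkbox

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601, the format of pwdLastSet."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def password_expiry(user, max_age_days):
    """Expiry time under the domain maximum password age, or None if exempt."""
    if user["uac"] & UF_DONT_EXPIRE_PASSWD or max_age_days == 0:
        return None  # flag set, or the domain sets no maximum age
    if user["pwdLastSet"] == 0:
        return EPOCH  # "must change password at next logon": already expired
    last_set = EPOCH + timedelta(microseconds=user["pwdLastSet"] // 10)
    return last_set + timedelta(days=max_age_days)

def audit(users, max_age_days, now):
    """Bucket accounts by how the maximum-age setting would hit them at `now`."""
    report = {"exempt": [], "expired": [], "ok": [], "blank_allowed": []}
    for u in users:
        expiry = password_expiry(u, max_age_days)
        bucket = "exempt" if expiry is None else "expired" if expiry <= now else "ok"
        report[bucket].append(u["name"])
        if u["uac"] & UF_PASSWD_NOTREQD:  # length/complexity do not protect these
            report["blank_allowed"].append(u["name"])
    return report

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample records, shaped like an export of user objects.
USERS = [
    {"name": "svc-backup", "uac": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": to_filetime(day(2003, 1, 15))},
    {"name": "jsmith", "uac": UF_NORMAL_ACCOUNT,
     "pwdLastSet": to_filetime(day(2004, 11, 1))},
    {"name": "dialup01", "uac": UF_NORMAL_ACCOUNT,
     "pwdLastSet": to_filetime(day(2004, 6, 1))},
    {"name": "generic1", "uac": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,
     "pwdLastSet": to_filetime(day(2004, 10, 20))},
]

if __name__ == "__main__":
    for bucket, names in audit(USERS, 42, day(2004, 11, 12)).items():
        print(f"{bucket:14} {', '.join(names) or '-'}")
```

Against a live directory, the same flag can be selected with the LDAP filter `(userAccountControl:1.2.840.113556.1.4.803:=65536)`.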