Re: To those who designed Group Policy in Active Directory
- From: "Mike Brannigan [MSFT]" <mikebran@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 13 May 2005 08:46:59 +0100
"Wasi" <Wasi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7293D73-AE6D-4497-976E-0502A2A59F6B@xxxxxxxxxxxxxxxx
> Addition to my last post....
>
> I know what I tried was ambiguous... as both the normal password
> policy (applied at domain level) and the strict password policy (applied to
> the OU) were applying to that computer account. So, if you got what I am
> trying to implement, what do you reckon, it's possible or I can only do that
> using password filters (not very happy to go that way).
As per my other response - there is only setting of password and other
security settings (Kerberos limits etc) at the Domain level in the current
Windows Server products.
--
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups
"Wasi" <Wasi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7293D73-AE6D-4497-976E-0502A2A59F6B@xxxxxxxxxxxxxxxx
> Addition to my last post....
>
> I know what I tried was ambiguous... as both the normal password
> policy (applied at domain level) and the strict password policy (applied to
> the OU) were applying to that computer account. So, if you got what I am
> trying to implement, what do you reckon, it's possible or I can only do that
> using password filters (not very happy to go that way).
>
> Thanks.
> Wasi
>
>
>
> "Wasi" wrote:
>
>> Hi,
>> I understand that, but think about this, you want to apply a password
>> policy to your domain (all users in all OUs) and a stricter password
>> policy to IT or Domain Admin group, which has to be applied to the domain
>> level as the IT staff is scattered all across sites and it is not possible
>> to restructure and put all the computers that belong to IT staff to put
>> into one specific OU (IT can log into any Domain Computer anyway). What
>> will you do?
>> I put all the IT accounts in an OU and also move the IT group to that OU
>> and applied the stricter Password Policy To That OU and that IT group, but
>> it didn't fix the problem. Because the USER ACCOUNT PASSWORD has something
>> to do with the computer. So I move 2 computer accounts to that OU and the
>> policy started applying to those computers when I checked using RSOP.
>>
>> Mysterious Mysterious Mysterious.
>>
>> Thanks for replying guys.
>> Wasi.
>>
>> "Dmitri Gavrilov [MSFT]" wrote:
>>
>> > I did not design GP, but I will take a shot.
>> >
>> > Password policy granularity is computer. All users living in this
>> > computer's local account store are being subjected to the same password
>> > policy. It cannot be customized per user. That's why pwd policy is a
>> > computer setting.
>> >
>> > User configuration GP settings are user-specific, and can be different
>> > from user to user.
>> >
>> > --
>> > Dmitri Gavrilov
>> > SDE, Active Directory Core
>> >
>> > This posting is provided "AS IS" with no warranties, and confers no
>> > rights. Use of included script samples are subject to the terms
>> > specified at http://www.microsoft.com/info/cpyright.htm
>> >
>> > "Wasi" <Wasi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> > news:C45188AC-127F-47BA-AC29-13D01D8C0E02@xxxxxxxxxxxxxxxx
>> > > Hi,
>> > > Will you please enlighten me as to why Password policy is in the
>> > > Computer Configuration Section and not in the User Configuration
>> > > Section, even though it applies to users. Same about User Account
>> > > Policies, I am very curious to know the great logic behind it.
>> > >
>> > > Thanks,
>> > > Wasi
>> >
>> >
>> >
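
An added illustration, not part of the thread: a simplified Python model of the behaviour described in the replies above, where a domain account's password policy comes only from the domain level while a policy linked to an OU reaches only the local account store of computers in that OU. The OU names, accounts and policy values are constructed, and the function names are hypothetical.

```python
# Simplified model (added illustration) of which password policy governs an
# account in a Windows Server 2003-era domain. All OU names, account names and
# policy values below are constructed sample data.

# Password settings of the GPO linked at each container, keyed by OU path.
# The empty path () is the domain root; ("IT",) is an OU directly under it.
GPO_LINKS = {
    (): {"min_length": 7, "max_age_days": 42},        # domain-level policy
    ("IT",): {"min_length": 14, "max_age_days": 30},  # stricter OU policy
}

USERS = {"alice": ("Staff",), "it-admin": ("IT",)}        # domain user -> OU
COMPUTERS = {"WS-001": ("Staff",), "WS-IT-01": ("IT",)}   # computer -> OU


def computer_policy(ou_path):
    """Settings a computer object receives: the domain link first, then each
    OU down its path, with the closer link overriding the earlier one."""
    merged = {}
    for depth in range(len(ou_path) + 1):
        merged.update(GPO_LINKS.get(ou_path[:depth], {}))
    return merged


def policy_for_domain_account(user):
    """Domain accounts live in the domain's account store, so only the
    domain-level link counts; the OU holding the user is never consulted."""
    if user not in USERS:
        raise KeyError(user)
    return dict(GPO_LINKS[()])


def policy_for_local_account(computer):
    """Local accounts live in the computer's own account store, which is
    configured by whatever the computer object receives."""
    return computer_policy(COMPUTERS[computer])


if __name__ == "__main__":
    for user in USERS:
        print("domain account", user, policy_for_domain_account(user))
    for computer in COMPUTERS:
        print("local accounts on", computer, policy_for_local_account(computer))
```

In this model the IT user keeps the domain-wide settings even though the stricter policy is linked to the OU that holds the account, while a computer moved into that OU does pick up the stricter settings for its local accounts.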