Re: 2003 GP/Password complexity questions



Hey Scott,

In regards to the 'Default Domain Policy' question:
The reason for the confusion is MS has sometimes conflicting and/or
ambiguous documentation. For example, this link states "at a domain level",
BUT recommends to be done in the Default Domain Policy:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/47da8283-2c82-4f91-a148-a20a2e21a96f.mspx

However, if you open Help and Support on Win2003, do a search for 'Account
Policies', it returns a section named "Account policies: Security Setting
Descriptions" (listed as #10 on my results). It explicitly states it "must
be defined in the Default Domain Policy". And further explains the correct
reason why it should be set there...Domain Controllers only read this
information from this location. It does this because each DC must be able
to maintain continuity of account options regardless of what DC a user
authenticates against. This is important and I would follow this rule as a
Best Practice.

Other articles that may help:
http://support.microsoft.com/default.aspx?kbid=269236
http://support.microsoft.com/default.aspx?kbid=255550

In regards to the policy setup:
I would review the GP Infrastructure Guide on some Best Practices for how to
set up OUs for GPO deployment:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D26E88BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en

In general, based on the info you provided:
Default Domain Policy: Maintain all Account Policies. This will apply to all
users and computers (workstations and servers)
Security Settings/Software Installation: This very much depends on your OU
structure. If you are a small environment, you may be able to simply create
a new domain level policy that sets security settings you want to be global
to all users and computers. However, if you need granularity based on your
OU structure, you can create OU-specific policies to target them more to
your needs.


Other references that will help:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/gp/default.mspx

Although these are more about security, the information about GPOs is VERY
valuable:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=1b6acf93-147a-4481-9346-f93a4081eea8

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

http://www.microsoft.com/downloads/details.aspx?FamilyID=4e734065-3f18-488a-be1e-f03390ec5f91&DisplayLang=en

Hope that helps!
G
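
An added example, not part of the original post: a small audit that reads the security template (GptTmpl.inf) of each GPO and reports any GPO that sets account policies while linked below the domain level, where, per the post, domain controllers will not read them. The GPO names, link scopes and file contents are constructed sample data; exporting the real link scope and template text for each GPO is assumed to be done separately.

```python
# Account-policy keys stored in the [System Access] section of GptTmpl.inf.
ACCOUNT_POLICY_KEYS = {
    "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
    "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
    "LockoutBadCount", "ResetLockoutCount", "LockoutDuration",
}

def account_policy_settings(inf_text):
    """Return {key: value} for account-policy keys under [System Access]."""
    section, found = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ACCOUNT_POLICY_KEYS:
                found[key] = value
    return found

def misplaced_account_policies(gpos):
    """gpos: (name, link_scope, inf_text) tuples, link_scope 'domain' or 'ou'.
    Return {gpo_name: settings} for GPOs that set account policies below
    the domain level, where they do not govern domain accounts."""
    flagged = {}
    for name, scope, inf_text in gpos:
        settings = account_policy_settings(inf_text)
        if settings and scope != "domain":
            flagged[name] = settings
    return flagged

# Constructed sample data (real files are usually UTF-16; decode before parsing).
DOMAIN_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
"""
OU_INF = """[System Access]
MinimumPasswordLength = 12
EnableGuestAccount = 0
"""
SAMPLE_GPOS = [("Default Domain Policy", "domain", DOMAIN_INF),
               ("Sales OU Policy", "ou", OU_INF)]  # hypothetical GPO names

print(misplaced_account_policies(SAMPLE_GPOS))
```
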

