Re: Group Policy precedence question




Hi
Inline
Group Policy precedence is Local Policy, Site, Domain, OU, Sub-OU.
Now, if you have a password policy set in the Default Domain Policy, it
should filter down to all accounts. However, it seems if you change
password settings (not to expire for example), directly in the user
account, this setting will override the Default Group Policy setting.

I'm glad that MS gave us the option of (not to expire), or else we would be
in deep shi... with service accounts... Expiring all the time.

1) Can you override the Default Group Policy?

- What do you mean...? If you're talking about Password policy then all you
have to do is to create a new Policy at domain level with higher than the
Default Domain Policy. If you're talking about others then as you said:
precedence is Local Policy, Site, Domain, OU, Sub-OU, so all policies
applied at OU, sub OU level override the Default Domain Policy (the
exceptions are: if you're using Loopback policy, Block Policy inheritance,
or Enforce policy "No Override option").

What is the default
behaviour? Would you need to set the enforce (no override) setting in
order to do so?

Not sure what you mean, but the enforce option "No Override" overrides
the Block Policy inheritance.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"mikesic" <michaelsic@xxxxxxxxx> wrote in message
news:1155074764.350345.238410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I've come across this issue and I'm sure I know the answer, just can't
find supporting documentation from Microsoft.

Group Policy precedence is Local Policy, Site, Domain, OU, Sub-OU.
Now, if you have a password policy set in the Default Domain Policy, it
should filter down to all accounts. However, it seems if you change
password settings (not to expire for example), directly in the user
account, this setting will override the Default Group Policy setting.

So, 2 questions really:

1) Can you override the Default Group Policy? What is the default
behaviour? Would you need to set the enforce (no override) setting in
order to do so?

2) What is the precedence involving user accounts? It's not really
stated in the normal precedence stated above.

Thanks people!
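
The precedence rules discussed in this thread (Local, Site, Domain, OU, Sub-OU, with Block Inheritance and the Enforced / "No Override" link option) can be modelled as below. This is an added example, not part of the original posts and not Microsoft code; the GPO names, container names and setting names are constructed, and loopback processing, security filtering and account/password policy are not modelled.

```python
# Added example: simplified model of GPO precedence, not Microsoft code.
# GPO names, containers and setting names are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False          # "Enforced" / "No Override" on the link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # index 0 = link order 1
    block_inheritance: bool = False

def resolve(local_settings, chain):
    """chain runs top-down (Site, Domain, OU, Sub-OU) and ends at the target's
    container. Returns {setting: (value, winning source)}."""
    result = {k: (v, "Local Policy") for k, v in local_settings.items()}
    # Deepest container with Block Inheritance: non-enforced links above it drop.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        for link in reversed(c.links):          # link order 1 applied last
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= cut:
                normal.append(link)
    # Enforced links apply after everything else, deepest first, so the
    # enforced link highest in the hierarchy has the final say.
    enforced.sort(key=lambda pair: -pair[0])    # stable sort keeps link order
    for link in normal + [l for _, l in enforced]:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

def sample_chain(block=False, enforce_domain=False):
    ddp = Link("Default Domain Policy",
               {"ScreenLockMinutes": 15, "Banner": "on"}, enforce_domain)
    return [
        Container("Site"),
        Container("Domain", [ddp]),
        Container("OU=Staff", [Link("Staff GPO", {"ScreenLockMinutes": 30})]),
        Container("OU=Kiosks", [Link("Kiosk GPO", {"ScreenLockMinutes": 0})],
                  block_inheritance=block),
    ]
```

Calling `resolve({}, sample_chain(block=True, enforce_domain=True))` shows the enforced domain link surviving Block Inheritance on the Sub-OU, while the non-enforced parent OU link is dropped.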


