Re: Simple question on Group Policy, Password policy and blocking inheritance



My point was that you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain, which isn't possible with W2k3.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"Harj" <cisqokid@xxxxxxxxx> wrote in message news:1180555960.004593.13870@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On May 30, 3:13 pm, "Jorge Silva" <jorgesilva...@xxxxxxxxxxx> wrote:
Hi Jason, please see answers inline

> I have been working with a company to solve an issue, where they are
> trying to enforce a password policy for the entire company.

Simple, create a policy and make sure that it is linked at domain level.

> Simple enough. I know that you create a new GPO and link it to the
> ROOT of the domain to be enforced to the domain. If you link it to an
> OU, it only affects local machines, which is what we don't want.

In Windows 2008 you'll have more granular configuration for password
policies at OU level.

> It is a little confusing as well because I am also in the process of
> restoring their 'Default Domain Policy' and 'Default Domain Controller
> Policy' which have been heavily modified.

Recreatedefpol.exe is to rebuild default settings for Domain Policy and
domain controllers policy.

> They have the new Company Password GPO linked to the root of the
> domain and enforced. However, the password policy is not working.

If it isn't working you can use gpresult and/or RSOP.msc to try to isolate the
problem.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

"Jason W." <jasonwilliam...@xxxxxxxxx> wrote in message

news:1180550813.472258.6710@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



> I have been working with a company to solve an issue, where they are
> trying to enforce a password policy for the entire company.

> Simple enough. I know that you create a new GPO and link it to the
> ROOT of the domain to be enforced to the domain. If you link it to an
> OU, it only affects local machines, which is what we don't want.

> It is a little confusing as well because I am also in the process of
> restoring their 'Default Domain Policy' and 'Default Domain Controller
> Policy' which have been heavily modified.

> Anyway, I wanted to run by something and see if this sounds right.

> They have the new Company Password GPO linked to the root of the
> domain and enforced. However, the password policy is not working.

> Looking through GPMC, I noticed that on the 'Domain Controller' OU,
> they have set that OU to 'Block Inheritance'.

> My first thought was, that is the problem. The Domain Controllers
> cannot receive this GP and the settings, which will not allow the
> Domain controllers to enforce the password settings for the domain.

> Just wanted to clarify if my thinking is correct.

> Thanks,

> Cheers.

> Jas

Hi,

2008 aka Longhorn is going to be really cool once it is out but there
is some misconception of the "granular policies" within 2008.

> In Windows 2008 you'll have more granular configuration for password
> policies at OU level.

You will be unable to configure fine granular password policies to an
Organizational Unit. They can only apply to users or groups. Not
just any group, only global groups.
Add to that the fact that there is no GUI and it must be configured via Adsiedit,
not for the faint hearted as you will find in the following article.

Step-by-Step Guide for Fine-Grained Password and Account Lockout
Policy Configuration
http://technet2.microsoft.com/windowsserver/longhorn/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx?mfr=true

Good luck

Harj Singh
Password Policy Done Right
www.specopssoft.com
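
The checks this thread circles around (which GPO at the domain root carries password settings, whether the Domain Controllers OU blocks inheritance, and what any fine-grained policies apply to), gathered in one read-only script. This is an added example, not part of any poster's message; it assumes the ActiveDirectory and GroupPolicy RSAT PowerShell modules, which are newer than the tools named in the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and GroupPolicy
# RSAT modules and domain read access; every call below is read-only.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer

# 1. Password and lockout values the domain is enforcing right now.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# 2. GPOs linked at the domain root (Order 1 has the highest precedence), flagging
#    those whose XML report contains a password-length setting.
$rootLinks  = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
$rootReport = foreach ($link in $rootLinks) {
    $xml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    [pscustomobject]@{
        Order            = $link.Order
        Gpo              = $link.DisplayName
        LinkEnabled      = $link.Enabled
        Enforced         = $link.Enforced
        HasPasswordRules = $xml -match 'MinimumPasswordLength'
    }
}
$rootReport | Format-Table -AutoSize

# 3. Block Inheritance state of the Domain Controllers OU, and the GPOs that
#    still apply to it after inheritance rules are evaluated.
$dcSom = Get-GPInheritance -Target $dcOu
Write-Output "Block Inheritance on '$dcOu': $($dcSom.GpoInheritanceBlocked)"
$dcSom.InheritedGpoLinks | Format-Table Order, DisplayName, Enforced -AutoSize

# 4. Fine-grained password policies (Windows Server 2008 and later) and their
#    targets: users or groups, never OUs. GroupScope shows whether a group is global.
$psoReport = foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    foreach ($dn in $pso.AppliesTo) {
        $obj = Get-ADObject -Identity $dn
        [pscustomobject]@{
            Pso        = $pso.Name
            Precedence = $pso.Precedence
            Target     = $obj.Name
            Class      = $obj.ObjectClass
            GroupScope = if ($obj.ObjectClass -eq 'group') { (Get-ADGroup -Identity $dn).GroupScope }
        }
    }
}
$psoReport | Format-Table -AutoSize
```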

