Re: Which overrides? AD or Domain Security Policy?

I don't quite see the answer to my primary question. (I know all about how to
set it up):

Will the individual user account settings override the Domain Security
Policy settings?

Thanks-
Brad

"Austin Osuide" wrote:

Hi Brad,

Password policies in a Domain apply to every user account in the domain in
W2K and WS03 AD.
This policy determines:
1. Password History
2. Max Passw Age
3. Min Passw Age
4. Complexity requirements and
5. Password should be stored using reversible encryption

The "Password Never expires" & "Password cannot be changed" Account Control
settings are represented by flags on the userAccountControl attribute of a
user object. You can set these individually for user objects, if you wish,
and have them different for each user object.
See: http://support.microsoft.com/kb/305144

The two entities i.e. password policies and userAccountControl flags are not
related.

Regards,

Austin


"Brad G" <BradG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:87A55C78-6BD1-4A8B-809B-A9F611F867BD@xxxxxxxxxxxxxxxx
I would like to apply strict password policy enforcement via Domain
Security
policy, but need to test it first. We have a mostly mobile workforce and I
need to test the behavior for mobile users. What I would like to do is
apply
it to the Domain Security Policy so it globally affects all users - but
limit
it to just a few for testing at first.

So, if I enable the password requirements in Domain Security policy, but
have User A,B, C in the Active Directory individually configured at the
user-level for 'Password never expires" and "password cannot be changed"
will
that over ride the domain security policy?
Another scenario would be if I wanted to apply it to all users except for
an
administrator, etc, - is this how that would be managed?

Thanks!


.

Relevant Pages

  • Windows2000 Domain Security Policy problem, changes revert back after 1 hour!?!
    ... the domain security policy. ... >account lockout settings and I'd like to get rid of them. ... >this policy currently requires a minimum password length ... >chars and password complexity + account lockout settings ...
    (microsoft.public.win2000.security)
  • Re: Windows2000 Domain Security Policy problem, changes revert back after 1 hour!?!
    ... your replication schedule with sites is ... of default intrasite settings. ... my default domain security policy got changed a few weeks ago ... > chars and password complexity + account lockout settings are disabled. ...
    (microsoft.public.win2000.security)
  • Re: Which overrides? AD or Domain Security Policy?
    ... It is set on the userAccountControl attribute of user objects. ... This will override the domain security account settings. ... >>> So, if I enable the password requirements in Domain Security policy, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password Policy
    ... But if you create a new OU, you have those same settings you can modify. ... checked the Domain Security Policy, and those are set to "Not Defined." ... I will do the "net accounts" command tomorrow when I get to work. ... Meaning, whatever password policy ...
    (microsoft.public.windows.server.active_directory)
  • Re: Which overrides? AD or Domain Security Policy?
    ... Password policies in a Domain apply to every user account in the domain in W2K and WS03 AD. ... Max Passw Age ... The two entities i.e. password policies and userAccountControl flags are not related. ... it to the Domain Security Policy so it globally affects all users - but limit ...
    (microsoft.public.windows.server.active_directory)
Loading