Re: Which overrides? AD or Domain Security Policy?



The "Password Never expires" & "Password cannot be changed" Account Control

This will override the domain security account settings.
I usually use this setting for accounts that services are running under. I
manually go through and change the passwords periodically.

hth
DDS

"Brad G" <BradG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82077F46-C976-4F3F-8FA5-EADD92AA1863@xxxxxxxxxxxxxxxx
I don't quite see the answer to my primary question. (I know all about how to set it up):

Will the individual user account settings override the Domain Security Policy settings?

Thanks-
Brad

"Austin Osuide" wrote:

Hi Brad,

Password policies in a Domain apply to every user account in the domain in W2K and WS03 AD.
This policy determines:
1. Password History
2. Max Passw Age
3. Min Passw Age
4. Complexity requirements and
5. Password should be stored using reversible encryption

The "Password Never expires" & "Password cannot be changed" Account Control settings are represented by flags on the userAccountControl attribute of a user object. You can set these individually for user objects, if you wish, and have them different for each user object.
See: http://support.microsoft.com/kb/305144

The two entities, i.e. password policies and userAccountControl flags, are not related.

Regards,

Austin


"Brad G" <BradG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:87A55C78-6BD1-4A8B-809B-A9F611F867BD@xxxxxxxxxxxxxxxx
I would like to apply strict password policy enforcement via Domain Security policy, but need to test it first. We have a mostly mobile workforce and I need to test the behavior for mobile users. What I would like to do is apply it to the Domain Security Policy so it globally affects all users - but limit it to just a few for testing at first.

So, if I enable the password requirements in Domain Security policy, but have User A, B, C in the Active Directory individually configured at the user-level for "Password never expires" and "password cannot be changed", will that override the domain security policy?
Another scenario would be if I wanted to apply it to all users except for an administrator, etc. - is this how that would be managed?

Thanks!
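
An added example, not part of the original thread: a check for the accounts this discussion is about, those carrying the "Password never expires" flag (DONT_EXPIRE_PASSWORD, 0x10000 in KB 305144) whose password is already older than the domain's maximum password age. The LDIF-style sample, the account names and the 90-day maximum age are constructed assumptions; `parse_ldif` and `stale_exempt_accounts` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit value as listed in KB 305144.
DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample shaped like an LDIF export; accounts and domain are made up.
SAMPLE_LDIF = """\
dn: CN=User A,OU=Staff,DC=example,DC=test
sAMAccountName: usera
userAccountControl: 66048
pwdLastSet: 132223104000000000

dn: CN=User B,OU=Staff,DC=example,DC=test
sAMAccountName: userb
userAccountControl: 512
pwdLastSet: 132223104000000000

dn: CN=Backup Service,OU=Service,DC=example,DC=test
sAMAccountName: svc-backup
userAccountControl: 66048
pwdLastSet: 132354432000000000
"""

def parse_ldif(text):
    """Split an LDIF export into one dict per entry (single-valued attributes only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entries.append({k: v for k, v in pairs})
    return entries

def stale_exempt_accounts(entries, max_age_days, now):
    """Flagged accounts whose password is older than the domain maximum age."""
    hits = []
    for e in entries:
        uac = int(e["userAccountControl"])
        if not uac & DONT_EXPIRE_PASSWORD:
            continue  # no flag set: the domain maximum password age applies
        # pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC.
        changed = FILETIME_EPOCH + timedelta(microseconds=int(e["pwdLastSet"]) // 10)
        age = (now - changed).days
        if age > max_age_days:
            hits.append((e["sAMAccountName"], age))
    return hits

if __name__ == "__main__":
    now = datetime(2020, 7, 1, tzinfo=timezone.utc)  # fixed date so output is stable
    print(stale_exempt_accounts(parse_ldif(SAMPLE_LDIF), 90, now))
```
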



