Re: Account Policys - Inheritance or not ?

From: Mal Osborne (malcolmo_at_silverfern.com.au)
Date: 09/15/04


Date: Wed, 15 Sep 2004 17:29:54 +0800


Password policies are an attribute of devices that store passwords.

Setting a password on a user is silly, since the user does not store the
password. A DC or a machine's local security policy are affected by
password policies. Since DCs replicate, & are usually all in the same OU
anyway, differing password policies are not really implementable. Differing
password policies for local user accounts on non-DCs I guess could be done,
say having a min 6 char password on your local account, & 8 on the domain.

Mal Osborne
MCSE MVP Mensa

"Steve Bruce, mct" <steve@xmaslake.com> wrote in message
news:eQyvN4pmEHA.592@TK2MSFTNGP11.phx.gbl...
> Just looking for feedback:
>
> On another newsgroup there was a debate about whether Account policies are
> a domain property that cannot be successfully modified at the OU level.
>
> The Microsoft Official Curriculum says "If you need 2 account policies,
> you need 2 domains".
> A MSFT person on the other newsgroup agreed with the Curriculum.
> A user says he has successfully set different policies at the OU level.
>
> We ran a careful test today:
>
> The Results: You can set more restrictive account policies than the
> domain policies at the OU level, and they take effect.
>
> Less restrictive account policies set at the OU level are overwritten by
> the domain policy.
>
> Specifically - an example
> DOMAIN Password Length = 8
> OU Password Length = 10
> RESULT 10 is enforced
>
> DOMAIN Password Length = 10
> OU Password Length = 8
> RESULT 10 is enforced
>
> Can anyone explain why Microsoft seems to say one thing and the behavior
> is different . . . are we missing something?