Re: Account Policys - Inheritance or not ?

From: Steve Bruce, mct (swb_mct_at_msn.com)
Date: 09/15/04 

Date: Wed, 15 Sep 2004 08:25:53 -0500

The point being addressed here is: More restrictive domain account
policies can be configured for all users in an OU than the account policies
for the domain. (Which was a surprise to me given contradictory info in
some Micorosoft Documentation - and is apparently "news" to some MSFT people
who contribute to the newgroups)

"Mal Osborne" <malcolmo@silverfern.com.au> wrote in message
news:Oa1CJawmEHA.3632@TK2MSFTNGP09.phx.gbl...
>
> Password policies are an attribute of devices that store passwords.
>
> Setting a password on a user is silly, since the user does not store the
> password. A DC or a machine's local security policy are affected by
> password policies. Since DCs replicate, & are usually all in the same OU
> anyway, differing password policies are not really implementable.
> Differing password policies for local user accounts on non DCs I guess
> could be done, say haveing a min 6 char password on your local account, &
> 8 on the domain.
>
> Mal Osborne
> MCSE MVP Mensa
>
>
> "Steve Bruce, mct" <steve@xmaslake.com> wrote in message
> news:eQyvN4pmEHA.592@TK2MSFTNGP11.phx.gbl...
>> Just looking for feedback:
>>
>> On another newsgroup there was a debate about whether Account policies
>> are a domain property that cannot be successfully modified at the OU
>> level.
>>
>> The Microsoft Official Curriculum says "If you need 2 account policies,
>> you need 2 domains".
>> A MSFT person on the other newsgroup agreed with the Curriculum
>> A user says he has succesfully set different policies at the OU level
>>
>> We ran a careful test today:
>>
>> The Results: You can set more restrictive account policies than the
>> domain policies at the OU
>> level, and they take effect.
>>
>> Less restrictive account policies set at the OU level are overwritten by
>> the
>> domain policy.
>>
>> Specifically - an example
>> DOMAIN Password Length = 8
>> OU Password Length = 10
>> RESULT 10 is enforced
>>
>> DOMAIN Password Length = 10
>> OU Password Length = 8
>> RESULT 10 is enforced
>>
>> Can anyone explain why Microsoft seems to say one thing and the behavior
>> is different . . . are we missing some something?
>>
>>
>>
>>
>
>

Relevant Pages

  • Re: Account Policys - Inheritance or not ?
    ... Password policies are an attribute of devices that store passwords. ... > On another newsgroup there was a debate about whether Account policies are ...
    (microsoft.public.windows.server.sbs)
  • Re: Group Polices - Account Policies - Password Enforcement
    ... > Account policies to only apply the staff users in the ... > of Account Policy password policies. ... >>Kyle Account Policies within a Group Policy applies to ... >>> do this under Computer Configuration (as opposed to ...
    (microsoft.public.win2000.active_directory)
  • Re: Group Polices - Account Policies - Password Enforcement
    ... Password Policies are domain wide and can only be setup at once for each ... >>Christoffer Andersson ... >>> I'd like to apply Account Policies to enforce password ... >>> command, and I replicate, but the settings don't take. ...
    (microsoft.public.win2000.active_directory)
  • Re: starting over with GPO
    ... i.e like password policy. ... You cannot apply security policies at the OU level. ... Create a default domain policy with the account policies (password, ...
    (microsoft.public.windows.group_policy)
  • DC GPO - password policy not enforced
    ... I have changed some files system security and suddenly ... The password policies settings are still in the GPO file. ... All policies including security, auditing, file system, registry, etc ...
    (microsoft.public.win2000.group_policy)