Re: Account Policys - Inheritance or not ?

From: Wes (wes.kjc_at_online.ntlworld.com)
Date: 09/15/04 

Date: Wed, 15 Sep 2004 22:06:56 +0100

Hi Steve,

I understand that all domain controllers receive their Account policy
settings at the domain level, irrespective of where the computer object is
located in Active Directory. This is to ensure that all domain accounts are
enforced consistently.

All other computers receive their Account policy settings for local accounts
following the normal GPO hierarchy. Therefore, if there is another GPO that
overrides the default settings at a lower level, then those settings will
take effect on those local accounts but not to the domain accounts. Only
Account Policy settings configured at the domain level will actually apply
to domain users.

Kind regards,

Wes

"Steve Bruce, mct" <steve@xmaslake.com> wrote in message
news:eQyvN4pmEHA.592@TK2MSFTNGP11.phx.gbl...
> Just looking for feedback:
>
> On another newsgroup there was a debate about whether Account policies are
> a domain property that cannot be successfully modified at the OU level.
>
> The Microsoft Official Curriculum says "If you need 2 account policies,
> you need 2 domains".
> A MSFT person on the other newsgroup agreed with the Curriculum
> A user says he has succesfully set different policies at the OU level
>
> We ran a careful test today:
>
> The Results: You can set more restrictive account policies than the
> domain policies at the OU
> level, and they take effect.
>
> Less restrictive account policies set at the OU level are overwritten by
> the
> domain policy.
>
> Specifically - an example
> DOMAIN Password Length = 8
> OU Password Length = 10
> RESULT 10 is enforced
>
> DOMAIN Password Length = 10
> OU Password Length = 8
> RESULT 10 is enforced
>
> Can anyone explain why Microsoft seems to say one thing and the behavior
> is different . . . are we missing some something?
>
>
>
>

Relevant Pages

  • Re: Should programs install to All Users, Default User, or Me?
    ... > ...where you have to duplicate settings to each account by hand. ... well - - - everything visible in Admin as I have in woody! ... For now I reset the basics and log'd out of admin and back into woody, ...
    (microsoft.public.windowsxp.general)
  • Update has created havoc
    ... Settings" and then copy everything from one account to the other. ... profile after creating a new user. ... data that I had under my original user. ...
    (microsoft.public.windowsupdate)
  • Re: Problem: New Identity Changes Settings on Main Identity
    ... > In my example the "Alan" identity is the main identity. ... >>> Account Name: alan@alansdomain.com ... >>> Now I want to add an additional identity for "Bill". ... I find that Alan's settings are now all changed to ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: Can you back up mail account settings in Outlook 2007?
    ... Thank you for clarifying about the registry key paths etc. ... its original factory settings, in order to determine whether an issue I have ... Outlook Express did- but it is not the same program as Outlook. ... two letters of every password for every account on both profiles. ...
    (microsoft.public.outlook)
  • Re: OU group policy and how to use ldapsearch to find GPO settings
    ... The account is a domain account. ... Account Policies effective for all domain accounts. ... Your ldap query is seeing the settings that are in use for the domain. ... If I configure the account lockout policy in the default domain policy, ...
    (microsoft.public.windows.group_policy)
Loading