Patrick R says...
If I'm reading this right, password policies cannot be changed at OU level.
Does this mean that Sub-domains take their policies from higher level domains?
What other policies does this affect? Is it everything under account policies?
Password Policies are set in the GPO underneath Computer Configuration and
therefore do not apply to domain user accounts but to local user accounts. The
Password Policies for domain user accounts have to be set in the default domain
policy. And yes, that behavior applies to all Subkeys of Account Policies.
Also if anyone from Microsoft is out there, why is there nothing on this subject in
ANY of your documentation?
I'm not MS, but this is mentioned in _a lot of_ documentation. Every guide
about how to design your domain structure mentions that if different password
settings are required you need to put those users in a different domain.
It's even mentioned in MOC-Courses, Self Study Kits, the Resource Kit and I've
seen this question in a couple MCP-Tests.
And out of "Designing Active Directory":
"Another reason to create more than one domain is to support multiple domain
policies. Domain policy is different from a normal Group Policy in several
ways. Windows 2000 domain policy affects every user in the same domain. In a
single Windows 2000 domain you have no way, for example, of giving one group of
users a Minimum Password Age setting that is different from another. If you
need to support several different domain policies, you have no option but to
create multiple domains."
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/plan/activedi.asp
Gruesse - Sincerely,
Ulf B. Simon-Weidner