Default Domain GPO

G

Guest

Hi

I hope someone can help me. I am re-structuring the AD within a small company. The Default Domain GPO has been active for approx 12 months with only a couple of setting, password length and lockout duration. I have decided on new new policy and have created a Test Domain GPO. I have removed authenticated users and applied a DSG with a couple of users. Some of the policies work, i.e. the password protected screen saver, items removed from desktop etc, but things like the Warning Message, prompt to change password and account lockout are not.

I understand that passwords can only be set at the domain level, so thought by applying a second Domain GPO I would be able to test this without affecting all the authenticated users.

Could someone please let me know what I am doing wrong?
 
C

Chriss3 [MVP]

You are right about the password policy only applies to domain users when
they are linked to the domain, how ever only the first listed policy linked
to the domain applies the password policy for domain users, there can't be
multiple policies.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

ITLush said:
Hi

I hope someone can help me. I am re-structuring the AD within a small
company. The Default Domain GPO has been active for approx 12 months with
only a couple of setting, password length and lockout duration. I have
decided on new new policy and have created a Test Domain GPO. I have
removed authenticated users and applied a DSG with a couple of users. Some
of the policies work, i.e. the password protected screen saver, items
removed from desktop etc, but things like the Warning Message, prompt to
change password and account lockout are not.
I understand that passwords can only be set at the domain level, so
thought by applying a second Domain GPO I would be able to test this without
affecting all the authenticated users.
 
G

Guest

Thanks Chris

So if I make the test domain policy the highest priortiy this should work?
 
C

Chriss3 [MVP]

Yes

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
K

Kevin Bowersock

While you can do it remember that the policy at the domain level will
affect all domain users.

(e-mail address removed)

This posting is provided "AS IS"
with no warranties, and confers no rights
--------------------
| From: "Chriss3 [MVP]" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
| Subject: Re: Default Domain GPO
| Date: Mon, 2 Aug 2004 19:33:37 +0200
| Lines: 62
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <#[email protected]>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: h134n2fls31o1008.telia.com 217.209.142.134
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP0
8.phx.gbl!tk2msftngp13.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.win2000.active_directory:86611
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Yes
|
| --
| Regards
| Christoffer Andersson
| Microsoft MVP - Directory Services
|
| No email replies please - reply in the newsgroup
| ------------------------------------------------
| http://www.chrisse.se - Active Directory Tips
|
| "ITLush" <[email protected]> skrev i meddelandet
| | > Thanks Chris
| >
| > So if I make the test domain policy the highest priortiy this should
work?
| >
| > "Chriss3 [MVP]" wrote:
| >
| > > You are right about the password policy only applies to domain users
| when
| > > they are linked to the domain, how ever only the first listed policy
| linked
| > > to the domain applies the password policy for domain users, there
can't
| be
| > > multiple policies.
| > >
| > > --
| > > Regards
| > > Christoffer Andersson
| > > Microsoft MVP - Directory Services
| > >
| > > No email replies please - reply in the newsgroup
| > > ------------------------------------------------
| > > http://www.chrisse.se - Active Directory Tips
| > >
| > > "ITLush" <[email protected]> skrev i meddelandet
| > > | > > > Hi
| > > >
| > > > I hope someone can help me. I am re-structuring the AD within a
small
| > > company. The Default Domain GPO has been active for approx 12 months
| with
| > > only a couple of setting, password length and lockout duration. I
have
| > > decided on new new policy and have created a Test Domain GPO. I have
| > > removed authenticated users and applied a DSG with a couple of users.
| Some
| > > of the policies work, i.e. the password protected screen saver, items
| > > removed from desktop etc, but things like the Warning Message, prompt
to
| > > change password and account lockout are not.
| > > >
| > > > I understand that passwords can only be set at the domain level, so
| > > thought by applying a second Domain GPO I would be able to test this
| without
| > > affecting all the authenticated users.
| > > >
| > > > Could someone please let me know what I am doing wrong?
| > >
| > >
| > >
|
|
|
 
G

Guest

Thanks Kevin

I want to test it only a small group of user, can I secure if with a DSG and remove authenticated?
 
G

Guest

Hmmm, I tried this and it doesn't work?!

Chriss3 said:
Yes

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top