Default Domain Policy

Guest

Hello,

I configured a password policy within the Default Domain Policy. This has
replicated out to my DCs and is now affecting some users that I don't want
the policy applied to.

Since this is a Domain Policy it's applied prior to the OU policies so there's
no way for me to block it from the OU that contains the users I want
excluded. Correct?

If I wanted to apply a password policy to a specific OU I'd just have to
create a new GP with the password policy, apply it to the proper OU and block
the inheritance for my other OUs. Correct?

Also is there a way to reset the account lockout policy after it's been
configured by the default domain policy?

I've disabled my password and account lockout policies within the Default
Domain Policy but it appears that my seats are retaining the account lockout
settings. I've used GPresult.exe and it doesn't show the default domain policy
on the list of applied GPs. Any ideas how I can get around this?

Any help is greatly appreciated.



-- Rob
IT guy!
 
Miha Pihler

Rob,

Password (account) policy can only be applied on Default Domain Policy (only
at domain level). If you need a different policy for different users you
will need two domains.

If you create a policy on an OU it will only have an effect on local accounts
(not domain accounts) on computers in the OU where the policy is set...

Account and local policies
http://www.microsoft.com/resources/...3/standard/proddocs/en-us/sag_sceacctpols.asp

Policies are processed in this order: Local, Site, Domain and OU. If you set
e.g. green background in domain policy and blue background in OU policy the last
policy (blue) would prevail. If the OU policy does not define background then
the domain policy would be defining and the background would be green. Some of
these options can be changed by using Block policy inheritance or No
Override.

Group Policy
http://www.microsoft.com/resources/...server/reskit/en-us/distrib/dsec_pol_BLSA.asp

I hope this helps,

Mike
 
Guest

Thanks for the help.....

So I want to pull the changes out that I made to my Default Domain Policy.
I've set the settings in the Password & Accounts policy to 'not defined'. But
it appears that the settings are still in effect even after a reboot of the
client station. After multiple failures my accounts are still getting locked
out, and new passwords have to meet the complexity requirements even though
I've changed the Default Domain Policy back to 'not defined'.

Any ideas?
 
Miha Pihler

Hi,

If you don't want to require complex passwords and you already enabled the
policy, don't set it to "not defined". Set the policy to "Disabled".

Mike
 
Guest

OK, I disabled the settings in the Default Domain Policy and I'm still
getting problems. So I loaded up the MMC Security Analyzer to see what
settings were enabled on my DC. It looks like I need to get the DC to refresh
its policy. I tried using "secedit /refreshpolicy machine_policy" but that
didn't refresh the default Domain Policy for the DC. Is there a way to do this
or do I have to reboot?

So my theory here is the DC is authorizing user accounts so its settings
take precedence and need to be changed in order to roll back my password
policy deployment.
 
Guest

Miha,

Just wanted to say thanks I finally worked this out.

I had to create and apply a new security template and use the MMC security
analyzer snap-in to apply it to the DCs on my network. This reset the
Password and Account lockout policies, hence reversing my problem. Thanks for
all your help, I learned a lot. -Rob
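The underlying mechanism behind this thread is that the domain-level password and lockout settings are not simply "applied" like other GPO settings: the PDC emulator writes them into attributes on the domain object itself, and every DC then enforces those attributes when it authenticates users. That is why a setting switched to "not defined" left the old values in place (nothing told the PDC emulator to write a new value), why an explicit "Disabled" or a security template applied to the DCs fixed it, and why the policy has to be checked on the DC rather than on a workstation with GPresult. The script below is an added example, not code from the thread or from Microsoft: it reads the effective domain account policy from the PDC emulator, compares it against the values an administrator believes the GPO sets, and forces a policy refresh on that DC when they differ. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules (Server 2008 R2 / Windows 7 and later, so newer than the era of the thread) and an account with rights to run `gpupdate` remotely on the PDC emulator; `$Baseline` holds constructed sample values.

```powershell
# Added example (not from the thread): audit the effective domain account policy
# on the PDC emulator and refresh Group Policy there if it drifts from the GPO.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Constructed baseline: what the Default Domain Policy is believed to set.
$Baseline = @{
    MinPasswordLength = 12
    ComplexityEnabled = $true
    LockoutThreshold  = 10
}

function Get-EffectiveDomainAccountPolicy {
    # Password/lockout settings live as attributes on the domain object and are
    # written there by the PDC emulator, so read them from that DC specifically.
    $pdc    = (Get-ADDomain).PDCEmulator
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
    [pscustomobject]@{
        QueriedDC                = $pdc
        MinPasswordLength        = $policy.MinPasswordLength
        ComplexityEnabled        = $policy.ComplexityEnabled
        PasswordHistoryCount     = $policy.PasswordHistoryCount
        MaxPasswordAge           = $policy.MaxPasswordAge
        LockoutThreshold         = $policy.LockoutThreshold
        LockoutDuration          = $policy.LockoutDuration
        LockoutObservationWindow = $policy.LockoutObservationWindow
    }
}

function Compare-ToBaseline {
    param([pscustomobject]$Effective, [hashtable]$Expected)
    # Emit one record per setting whose effective value differs from the baseline.
    foreach ($name in $Expected.Keys) {
        $actual = $Effective.$name
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Effective = $actual }
        }
    }
}

$effective = Get-EffectiveDomainAccountPolicy
"Effective domain account policy as enforced by $($effective.QueriedDC):"
$effective | Format-List

$drift = Compare-ToBaseline -Effective $effective -Expected $Baseline
if ($drift) {
    "Effective policy differs from the intended GPO settings:"
    $drift | Format-Table -AutoSize

    # gpupdate is the modern replacement for 'secedit /refreshpolicy machine_policy'.
    # Refreshing the PDC emulator makes it re-evaluate the domain-linked GPO and
    # rewrite the domain object; then re-read to confirm.
    Invoke-Command -ComputerName $effective.QueriedDC -ScriptBlock { gpupdate /target:computer /force }
    "After refresh:"
    Get-EffectiveDomainAccountPolicy | Format-List

    # RSoP for the DC shows what Group Policy thinks it applied, for comparison
    # with the values actually stored on the domain object.
    Get-GPResultantSetOfPolicy -Computer $effective.QueriedDC -ReportType Html -Path "$env:TEMP\pdc-rsop.html"
}
else {
    "Effective domain account policy matches the baseline."
}
```

If the drift persists after the refresh, the GPO is still not writing the value, which is exactly the "not defined" trap in the thread: a setting that is not defined is left alone, so the previous value stays on the domain object until some GPO or template explicitly sets it. Note also that since the Windows Server 2008 domain functional level, fine-grained password policies (PSOs) let specific users or groups receive a different password and lockout policy without a second domain.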
 
