GPO Questions?

Guest

There is one domain with one "OU". The Domain contains the Default GPO.
That GPO has password restrictions set. The bosses want different password
policies set for them. A new OU was created for the bosses, however, the
security policy seems to overwrite the settings. Rather than create a whole
new domain, is there any other way to set that up?
 
Danny Sanders

No. Differing password policies are one major reason for creating a second
domain.

If the domain has resources that require a strict password policy, setting a
less strict password policy on "part" of the domain is just creating a
security hole.

hth
DDS W 2k MVP MCSE
 
Andrew Mitchell

JCSadie said:
> There is one domain with one "OU". The Domain contains the Default
> GPO. That GPO has password restrictions set. The bosses want
> different password policies set for them. A new OU was created for the
> bosses, however, the security policy seems to overwrite the settings.
> Rather than create a whole new domain, is there any other way to set
> that up?

Domain password policies are applied to the domain controllers, not users.
It is not possible to have different domain password policies for different
groups of users on the same domain.
 
Herb Martin

> Domain password policies are applied to the domain controllers, not users.

No, they are applied at the DOMAIN only.

> It is not possible to have different domain password policies for different
> groups of users on the same domain.

Correct.

Security Account policies are only effective at the domain
level and you cannot have different Password, Lockout,
or Kerberos on an OU.
 
ptwilliams

>> Domain password policies are applied to the domain controllers, not
> No, they are applied at the DOMAIN only.

No, they ARE applied only to the DCs* (which, in one way of thinking is the
domain). You set up the GPO at domain level, but only the DCs apply this
part of the policy. You authenticate against a DC - the DC processes this
policy so it affects authentication.

Of course, you can deploy this to an OU, but in doing so all you are doing
is configuring the policy against each machine (which means local users have
this restriction).

* They may be applied to all computer objects (I can't remember off the top
of my head), but you only authenticate against DCs, so this is irrelevant.


--


Paul Williams
_______________________________
http://www.msresource.net


Join us in our free, public forum:
http://forums.msresource.net
_______________________________
 
Herb Martin

ptwilliams said:
> No, they ARE applied only to the DCs* (which, in one way of thinking is the
> domain). You setup the GPO at domain level, but only the DCs apply this
> part of the policy. You authenticate against a DC - the DC processes this
> policy so it affects authentication.

You LINKED the GPO to the Domain -- if you LINKED it to
the DC OU it will NOT take effect.

No, you must link and apply the GPO to the domain to affect
the THREE "Security Account Policies": Password, Lockout,
and Kerberos.
 
ptwilliams

Yep, I agree there <g>

That's what I was saying, wasn't it?? You apply (link, using official
terminology) to the domain but only the DCs grab it.

Our friend and fellow poster said as much, without going into specifics -
that this is a policy that affects DCs *NOT* users (directly); only
indirectly through normal authentication (which happens not on the local
box).

I guess we're all arguing the same thing here...

;-)

--

Paul Williams
http://www.msresource.net
 
Herb Martin

> That's what I was saying, wasn't it?? You apply (link, using official
> terminology) to the domain but only the DCs grab it.

No, you were correcting my post which corrected the following line:

"Domain password policies are applied to the domain controllers"

Any notion of applying the policy to the DCs is at best misleading
to someone who already misunderstands the problem.
 
ptwilliams

> Any notion of applying the policy to the DCs is at best misleading to
> someone who already misunderstands the problem.

True. It's one of those areas that takes some describing and explaining.

And there was no offence intended, either.

It's simply one of those things...when describing it abstractly you are only
applying to DCs, as DCs apply the policy. It seemed to me that the poster
knew what was what, and was trying to aid the other posters' understanding of
this. But, as you say, it could also confuse as you do have to link it to
the domain not the domain controllers.


--

Paul Williams
http://www.msresource.net
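The check a defender wants after reading this thread is an inventory of every GPO that carries Password or Account Lockout settings and where each one is linked: the copy linked at the domain root is what the DCs enforce for domain accounts, while a copy linked to an OU (such as the "bosses" OU from the original question) only rewrites the local account policy of the computers in that OU, exactly as the replies above describe. The script below is an added example, not code from the thread or from any of its posters. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain-joined session that can read SYSVOL, and the standard SYSVOL layout in which each GPO's security template lives under Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

```powershell
# Added example (not from the thread): list the effective domain password policy,
# then find every GPO that defines [System Access] account-policy keys and show
# whether it is linked at the domain root (enforced by the DCs for domain accounts)
# or only at an OU (affects local accounts of member computers in that OU).
# Assumes RSAT ActiveDirectory + GroupPolicy modules and read access to SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# What the DCs actually enforce for domain accounts right now.
Write-Host "Effective domain password policy for $($domain.DNSRoot):"
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                MinPasswordAge, ComplexityEnabled, LockoutThreshold, LockoutDuration

# [System Access] keys in GptTmpl.inf that make up the Password and Account
# Lockout policies. (Kerberos policy sits in its own [Kerberos Policy] section
# of the same template and follows the same domain-only linking rule.)
$accountKeys = @(
    'MinimumPasswordLength', 'PasswordHistorySize', 'MaximumPasswordAge',
    'MinimumPasswordAge', 'PasswordComplexity', 'ClearTextPassword',
    'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration'
)

$findings = foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    # Security settings are stored in the GPO's SYSVOL folder, named by its GUID.
    $inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}" +
           "\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { continue }

    # Get-Content honours the UTF-16 BOM that GptTmpl.inf normally carries.
    $template = Get-Content -LiteralPath $inf
    $defined  = $accountKeys | Where-Object { $key = $_; $template -match "^\s*$key\s*=" }
    if (-not $defined) { continue }

    # The XML report lists every link; SOMPath is the domain DNS name for a
    # root link, or "domain/OU/SubOU" for an OU link.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain.DNSRoot
    $links = @($report.GPO.LinksTo)

    if (-not $links) {
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            LinkedTo = '(unlinked)'
            Enabled  = $false
            Scope    = 'no effect anywhere'
            Settings = $defined -join ','
        }
        continue
    }

    foreach ($link in $links) {
        $atDomainRoot = ($link.SOMPath -eq $domain.DNSRoot)
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            LinkedTo = $link.SOMPath
            Enabled  = $link.Enabled
            Scope    = if ($atDomainRoot) { 'domain accounts (enforced by the DCs)' }
                       else { 'local SAM of computers in this OU only' }
            Settings = $defined -join ','
        }
    }
}

$findings | Sort-Object LinkedTo, GPO | Format-Table -AutoSize
```

Read the output against the thread's answer: a row whose Scope is "local SAM of computers in this OU only" is the situation the original poster created, a password policy that changes nothing for domain logons but does quietly loosen or tighten the local accounts on every machine in that OU. Compare the "domain accounts" rows with the `Get-ADDefaultDomainPasswordPolicy` output; if more than one GPO at the root defines these keys, link order decides which one the DCs apply.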
 
