GPO special case user account options and inheritance question

djc

I understand that account options like password policies, account
lockouts, etc., configured at the domain level are the only user account
policies actually applied, meaning that if a lower-level container had a
conflicting policy configured it would not change the domain-level one.

1) Please correct me if I'm wrong with my statement above.
2) If a lower-level container has the Block Policy Inheritance option set,
will the domain-level user account policies still be applied? Or would
Block Policy Inheritance actually block them?

any info is appreciated... thanks.
 
Kevin Sullivan

1) You are correct with your first statement. One piece of clarification:
account policy configuration applied at any level (OU) below the domain
level will configure the 'local account policy settings'. This means if a
computer account is the recipient of an account policy applied at a level
other than the Default Domain Policy, the settings will take effect when
logging on locally.
(http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prdp_log_csiq.asp)
2) Block Policy Inheritance should not block the domain-level account
policies. I have not tested this but believe this to be true. I am curious
if anyone finds different information.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;255550) I think one
main point here is that Domain Controllers behave a bit differently than
other systems on the network, since they share the NTDS.dit and there needs
to be a mechanism to ensure consistency across these replicas.

HTH

Kevin
AutoProf
http://www.autoprof.com/policy
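The distinction Kevin describes (domain-level account policy governs domain accounts, while an OU-linked account policy only reshapes the member computer's local account policy) is easy to verify from the machine itself. The PowerShell below is an added example, not code from the thread or from AutoProf; it assumes it is run elevated on a domain-joined Windows host with the RSAT ActiveDirectory module installed, and `Get-LocalAccountPolicy` is a helper written here that reads the local policy via `secedit /export`.

```powershell
<#
  Added example, not part of the thread. Compares the domain-level account
  policy (what domain accounts are actually held to) with the local account
  policy enforced on this member computer (what an OU-linked account policy
  or the local security policy sets). Assumes: elevated session on a
  domain-joined host with the RSAT ActiveDirectory module available.
#>
Import-Module ActiveDirectory

function Get-LocalAccountPolicy {
    # secedit exports the effective local security policy to an .inf file;
    # the [System Access] section holds the password and lockout settings.
    $inf = Join-Path $env:TEMP 'local-secpol.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $text = Get-Content -Path $inf -Raw
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    $policy = @{}
    foreach ($key in 'MinimumPasswordLength', 'PasswordHistorySize',
                     'MaximumPasswordAge', 'LockoutBadCount', 'LockoutDuration') {
        # Each setting appears as "Key = value"; -1 for MaximumPasswordAge
        # means passwords never expire, 0 for LockoutBadCount means no lockout.
        if ($text -match "(?m)^$key\s*=\s*(-?\d+)") {
            $policy[$key] = [int]$Matches[1]
        }
    }
    [pscustomobject]$policy
}

# Domain side: this is what applies to domain accounts regardless of which
# OU the user or computer sits in, and regardless of Block Policy Inheritance.
$domain = Get-ADDefaultDomainPasswordPolicy
# Local side: this is what governs accounts in this computer's local SAM.
$local  = Get-LocalAccountPolicy

# Put both sides in the same units (count, days, minutes) so they compare.
$rows = @(
    [pscustomobject]@{ Setting = 'MinPasswordLength';    Domain = $domain.MinPasswordLength;                 Local = $local.MinimumPasswordLength }
    [pscustomobject]@{ Setting = 'PasswordHistoryCount'; Domain = $domain.PasswordHistoryCount;              Local = $local.PasswordHistorySize }
    [pscustomobject]@{ Setting = 'MaxPasswordAge(days)'; Domain = [int]$domain.MaxPasswordAge.TotalDays;     Local = $local.MaximumPasswordAge }
    [pscustomobject]@{ Setting = 'LockoutThreshold';     Domain = $domain.LockoutThreshold;                  Local = $local.LockoutBadCount }
    [pscustomobject]@{ Setting = 'LockoutDuration(min)'; Domain = [int]$domain.LockoutDuration.TotalMinutes; Local = $local.LockoutDuration }
)

foreach ($r in $rows) {
    $r | Add-Member -NotePropertyName 'Differs' -NotePropertyValue ($r.Domain -ne $r.Local)
}
$rows | Format-Table -AutoSize

# A row with Differs = True means something other than the Default Domain
# Policy (an OU-linked GPO, or the local security policy) set this computer's
# local account policy. Domain accounts still follow the Domain column; only
# local SAM accounts follow the Local column. To see which GPOs delivered the
# computer-side settings, list the applied computer policies:
gpresult /scope computer /r
```

Running this on a member computer in an OU with its own (weaker) account policy is the quickest way to see the behaviour the thread describes: the Domain column stays at the Default Domain Policy values while the Local column shows the OU-linked settings. From a hardening standpoint, any `Differs = True` row where the local value is weaker than the domain baseline is worth flagging, since local accounts on that machine are held to the weaker rule.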
 
djc

Thanks Kevin... I'll check out the links you provided as well. I have a
related question though:
When policy is applied to a computer account and affects the machine's local
policy when logged on to locally, as you stated before in your
clarification... does this local policy still take effect when the machine
is not connected (physically unplugged) to the network?

thanks again.
 
Ken B

If it applied, it should always apply until changed, or the computer is
dis-joined from the domain.

Ken