OU vs. Domain GPO's


John J. Rambone

I have created an OU for 1 user. I have locked down the OU so the only
thing that appears is a start menu and IE, and IE is locked down to only go
to 1 address inside the company. I want the 1 user to have a blank
password, but I have a complex password policy defined for my Domain. I thought the
OU took precedence over the domain GPO. Is there a workaround for this?

John J.
 

Bruce D. Meyer

Just remember this:

LSDOU

Local
Site
Domain
OU

(LSDOU) That's the order of inheritance.

The LAST one to be applied wins. (We won't get into Blocked Inheritance
and filtering.)

Bruce Meyer
 

Cary Shultz [A.D. MVP]

John,

No, password policy is set at the domain level. And there can be only one.
If you set a password policy at the OU level it will not affect the users;
it will affect whatever computer account objects ( local account
passwords ) might be contained in that particular OU.

The only way that I could think that this *might* work would be to undo the
password complexity setting and create the user account with the
userAccountControl attribute set to '66048' ( the 'Password never expires'
checkbox checked - maybe use ldifde to create the user account? ) and then
later reset the password complexity. Not really sure that you want to start
messing with this, though. I am not sure that I understand why you would
want to have this nice password policy / complexity for the entire domain
and then have one account that would be vulnerable. What are you trying to
do with this one account?

BTW - you are correct in that *typically* the pecking order for GPOs is
Local, Site, Domain and OU. However, as this is a password policy it is
specifically set at the domain level ( either via the Default Domain Policy
or the Domain Security Policy - either one works ).


HTH,

Cary
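The '66048' value Cary mentions is the sum of the NORMAL_ACCOUNT (0x200) and DONT_EXPIRE_PASSWORD (0x10000) bits of the userAccountControl attribute. The following is an added example, not code from anyone in this thread: it decodes a userAccountControl value into its documented flag names and lists, per account, the settings that weaken the domain password policy (PASSWD_NOTREQD is the bit that lets an account keep an empty password even when a minimum length is enforced). The flag values are the ones Microsoft documents for userAccountControl; the account list is constructed sample data.

```python
# Added example: decode userAccountControl bits and audit for settings that
# weaken the domain password policy. Flag values as documented by Microsoft
# for the userAccountControl attribute; SAMPLE_ACCOUNTS is constructed data.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",         # empty password permitted for this account
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",  # the 'Password never expires' checkbox
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
}

# Settings an auditor of the domain would want listed per account.
WEAK_FLAGS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH"}


def decode_uac(value: int) -> list[str]:
    """Return the names of the flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_accounts(accounts):
    """Map sAMAccountName -> weak flags set on that account (empty if none)."""
    findings = {}
    for sam, uac in accounts:
        weak = [f for f in decode_uac(uac) if f in WEAK_FLAGS]
        if weak:
            findings[sam] = weak
    return findings


# Constructed sample export: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("jdoe", 512),           # plain NORMAL_ACCOUNT
    ("timeclock", 66048),    # the value from the thread: 512 + 65536
    ("kiosk", 512 + 0x20),   # NORMAL_ACCOUNT with PASSWD_NOTREQD
    ("svc-old", 512 + 0x2),  # disabled account, nothing weak
]

if __name__ == "__main__":
    for sam, flags in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {', '.join(flags)}")
```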
 

John J. Rambone

Well, we have a web based time clock program that is used by people in the
company that do not have computers. I have set up a kiosk machine here and
there (different sites), but there are a few locations where it makes sense
to use, for example, the warehouse computer, etc. On those computers I've
set up a local user just so people can log in and punch in and out for
work. (The issue is people forget to change from domain to local computer and
back again.) I was hoping to move away from local users and set up a domain
user with a locked down setup. I just wanted the password to be blank.
Another issue is a user will leave their computer open and then a non-computer
user will go to the website to clock out or in and start surfing on that
computer.

These issues are user education related, etc. Just trying to save myself a
phone call or two every now and then.
 

Chriss3

John, if you have the option, for security reasons you may deploy another domain
or a child domain, since password policies are domain-wide. Workstations are
able to log in to multiple domains. Otherwise you can use auto login,
but I don't recommend that personally.

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup