Password Policy & GPO Settings

Veets

Hello,
We're running a Windows 2000 domain & I have a few questions about the
domain password policy settings.
I'm familiar with the GPO inheritance order -> Local -> Site -> Domain
GPO -> OU
I've read however, that you can only have 1 password policy setup for your
domain which is defined at the default GPO (I read it in the following
article ->
http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/enforce_strong_passwords.mspx)

As far as I understand it, what this means is that even if you define a new
password policy on an OU, it will not work since the OU will 'pick up' the
default GPO password settings? Is this correct? Also, will the default GPO
settings override the 'Account Lockout Policy' & 'Event Log' options of the
new OU as well?
If I'm right, does this mean that I'll need to create a new domain to get
around this problem?
I hope my questions are clear enough.
Any input is greatly appreciated. TIA
Best regards,
Veets
 
Paul Bergson

Domain Account settings are all that apply for users. If you set policies
up for users at an OU level it will be ignored. Local is a different story,
but it only affects users authenticating to their local machine and has no
effect on the domain.

If you want to implement multiple password policies you can pick up a third
party product. We use Password Policy Enforcer but there are many different
ones available. Just search on password policy with your web search engine.
 
Veets

Thanks for replying Paul but I'm not exactly sure what you mean in your
first paragraph. Can you elaborate a little?
Best regards,
Veets
 
Paul Bergson

User account password policy settings are only applied at the domain level.

Default Domain Policy / Computer configuration / windows settings /
security settings / account policies / password policy

If you go to an OU below the domain and define / Computer configuration
/ windows settings / security settings / account policies / password policy
there, it won't be applied to a domain account.
 
Veets

Thanks Paul, that makes sense. Guess I should have scrolled down a bit to
see the post by Sunnie entitled 'Group Policy question...' :)
Thanks again
Regards,
Veets
 
Javier Inglés [MS MVP]

Hi, another possibility is to use the security tab and deny access to one GPO; with this, some groups can have one domain password policy and other groups can have another policy :)

--
Greetings!!!

Javier Inglés, MS-MVP
http://mvp.support.microsoft.com/default.aspx

e-m@il:[email protected]
<<<REMOVE "NOSPAM" TO SEND MAIL>>>

This message is provided "as is" without warranties of any kind, and confers no rights
 
ptwilliams

I can't see how this is the case?!? Password policy is applied to Domain
Controllers, not domain members, so filtering doesn't come into it.
The password policy applies to the DCs as they perform the authentication.
The policy is nothing to do with users or computers, only how a DC handles
aspects of authentication.

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
Javier Inglés [MS MVP]

No, a password policy is for the DOMAIN, not for Domain Controllers; you must specify your password policy in the domain security settings, not the domain controller security settings ;-))

I have some domains in this mode and they function very well :))

--
Greetings!!!

Javier Inglés, MS-MVP
http://mvp.support.microsoft.com/default.aspx

e-m@il:[email protected]
<<<REMOVE "NOSPAM" TO SEND MAIL>>>

This message is provided "as is" without warranties of any kind, and confers no rights
 
ptwilliams

I was under the impression that you can link/ apply the GPO to either the
DDP or the DDCP???

However, what I was trying to say was that these changes are only
relevant to DCs, as it's the DCs that do the authenticating. When the
clients then authenticate, these changes are in effect because they are
applied to the authentication method (the DCs), not to the actual computers.
:)

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
Javier Inglés [MS MVP]

I apply the GPO at the domain level and afterwards, in its security tab, I filter the scope of the GPO:

Filtering the Scope of a GPO

http://www.jsiinc.com/SUBM/tip6400/rh6420.htm

The DCs do the authentication, of course ;-), but based on the domain policy setting for the account policies :)


--
Greetings!!!

Javier Inglés, MS-MVP
http://mvp.support.microsoft.com/default.aspx

e-m@il:[email protected]
<<<REMOVE "NOSPAM" TO SEND MAIL>>>

This message is provided "as is" without warranties of any kind, and confers no rights
 
ptwilliams

I don't understand what you are saying. I understand GPO filtering, but I
don't see how you can filter password policy based on groups of computers
when the password policy isn't actually processed by the local machine,
unless you log on to the local machine with a local (non-domain) account??

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
Javier Inglés [MS MVP]

No, you filter based on groups of users.

You can try it: create one group of users with a password policy and make the filter.

Create another group and another password policy and make the filter.

Now, you can have some users with a certain password policy and other users with another policy :)

--
Greetings!!!

Javier Inglés, MS-MVP
http://mvp.support.microsoft.com/default.aspx

e-m@il:[email protected]
<<<REMOVE "NOSPAM" TO SEND MAIL>>>

This message is provided "as is" without warranties of any kind, and confers no rights
 
ptwilliams

Does anybody else have an opinion on this?

I respect Javier Inglés' opinion - he didn't become an MVP for nothing - but I
simply don't agree that this can be done (for domain accounts - obviously it
can for local ones)... ;-)

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
Steven L Umbach

For domain users, password policy can only be defined at the domain level and
will be ignored at all other levels [OU/local] for domain users. The domain
controllers read the policy only from the domain level, and blocking inheritance
on the domain controller container will actually prevent changes to the
password/account policy from taking effect. See the link below for more info. This
subject seems to be the source of great confusion. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;259576
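To make the point above checkable rather than a matter of opinion, here is an added audit script (not from this thread or from any of its posters) that prints the account policy the DCs actually enforce and then flags every GPO that carries password or lockout settings but is linked only below the domain root, where those settings affect nothing but the local SAM of member computers. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules and a domain newer than the Windows 2000 one discussed here (Get-ADDefaultDomainPasswordPolicy needs Active Directory Web Services); the list of setting names it greps for in the GPO XML report is taken from the secedit template names and is an assumption about the report format.

```powershell
# Added audit example, not code from the thread.
# 1. Show the effective domain account policy (what the DCs read from the
#    domain-root link, i.e. normally the Default Domain Policy).
# 2. Find GPOs with account-policy settings linked only to OUs, where they
#    are ignored for domain accounts.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
Write-Host "Effective account policy for domain $($domain.DNSRoot):"
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                ComplexityEnabled, ReversibleEncryptionEnabled,
                LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Account-policy setting names as they appear in secedit templates and (assumed)
# in the Get-GPOReport XML output.
$accountPolicyNames = @(
    'MinimumPasswordLength', 'PasswordHistorySize', 'MaximumPasswordAge',
    'MinimumPasswordAge', 'PasswordComplexity', 'ClearTextPassword',
    'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount'
)
# Match "<prefix:Name>MinimumPasswordLength</" regardless of XML namespace prefix.
$pattern = '<[^>]*Name>(' + ($accountPolicyNames -join '|') + ')</'

foreach ($gpo in Get-GPO -All) {
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($xml -notmatch $pattern) { continue }   # no account-policy settings in this GPO

    [xml]$report = $xml
    # LinksTo entries: SOMPath is the bare DNS name for a domain-root link and
    # "<domain>/<OU path>" for an OU link; absent when the GPO is unlinked.
    $links = @($report.GPO.LinksTo | Where-Object { $_ })
    $domainLinks = $links | Where-Object { $_.Enabled -eq 'true' -and $_.SOMPath -eq $domain.DNSRoot }
    $ouLinks     = $links | Where-Object { $_.Enabled -eq 'true' -and $_.SOMPath -ne $domain.DNSRoot }

    if ($domainLinks) {
        Write-Host ("[OK]       {0}: account-policy settings linked at the domain root" -f $gpo.DisplayName)
    }
    foreach ($l in $ouLinks) {
        # These settings only change the local SAM of computers in that OU;
        # domain accounts keep the policy linked at the domain root.
        Write-Warning ("{0}: account-policy settings linked at '{1}' are ignored for domain accounts" -f
                       $gpo.DisplayName, $l.SOMPath)
    }
    if (-not $links) {
        Write-Host ("[UNLINKED] {0}: contains account-policy settings but is not linked anywhere" -f $gpo.DisplayName)
    }
}
```

Run it from a management workstation as a user who can read GPOs; on an older domain without ADWS, `net accounts /domain` gives the same effective-policy view as the first block, and the per-GPO scan still works with only the GroupPolicy module. A GPO that shows up only in the warning lines is exactly the situation Veets asked about: the OU-level password policy exists, but the DCs never consult it.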
 
ptwilliams

Thanks! That's what I've been trying to say (except I thought you could do
this using either the DDP or the DDCP).

If you filter this, it will apply to the local LSA on PCs and won't affect
domain users.

It only applies to DCs and therefore cannot be filtered.

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________