Password policy + last user name

[Liam]

Hello,

I have two probs which need enlightening:

1) I need to set account policies on the domian, ie.
minium passowrd length, password lenght etc. I know this
can be done on the default domain policy but don't want it
to affect the admin acconut. Is there a way to do this
without having the details affect the administrator
account...? could I move the account into a container and
block inheritance permissions..?

2) I've set by GPO on the default domian policy and domain
controller policy to 'do not display last user logon name'
but this isn't working, the last user name is still
displayed, any ideas..?

3) another question...does auditing set on domain polices
overide auditing policies on local machine...?
When auditing (let's say c:\) if you select the groups you
wanna audit, does that mean the users in the group will be
audited depending on the auditing criteria you set..?

sorry for all the questions, obliged if you could help

Justin

 

[Keith W. McCammon]

1) I need to set account policies on the domian, ie.

minium passowrd length, password lenght etc. I know this
can be done on the default domain policy but don't want it
to affect the admin acconut. Is there a way to do this
without having the details affect the administrator
account...? could I move the account into a container and
block inheritance permissions..?

This is only my opinion: Of all the accounts on your network, the
(e-mail address removed) accounts should have the most complex password of
all. Why on earth would you want to exempt this account from a strong
password policy?

2) I've set by GPO on the default domian policy and domain
controller policy to 'do not display last user logon name'
but this isn't working, the last user name is still
displayed, any ideas..?

Try running the resultant set of policy snap-in via the MMC. This should
tell what's actually being pushed.

3) another question...does auditing set on domain polices
overide auditing policies on local machine...?
When auditing (let's say c:\) if you select the groups you
wanna audit, does that mean the users in the group will be
audited depending on the auditing criteria you set..?

If you set the lower-level OU to block inheritince, it should not be
over-ridden. I may be mistaken, but I think password policy is the only
thing you can't override.

 

[ptwilliams]

The Password policy cannot be overridden or blocked. It applies to the
domain controllers, not individual computers or users.

The DontDisplayLastUserName is a user specific policy; this means that from
the time of the changed GPO reaching the DCs you will have to either wait 90
mins, or logoff and logon again.

The auditing policies will overwrite the policies defined in a LGPO.
However, actual auditing set via the security tab wont change (unless you
disable or turn off that aspect of auditing)



--

Paul Williams
_________________________________________
http://www.msresource.net - Under construction, but coming soon...


Join us in our new forums!
http://forums.msresource.net
_________________________________________