Password policy, no override

Guest

My default domain policy's computer settings (min password length, lockout
duration, etc.) kept being set back to their old settings a few minutes
after modifying them. It wasn't until I checked the Enforced checkbox on the
GPO that the default domain policy computer settings remained changed
permanently. Strangely enough, the computer portion of the GPO remained
unchanged, the login banner. I don't understand why checking the Enforced
(No Override) box fixed the problem, or why it was a problem to begin with. I
also recently experienced the same problem, and solution, at a bottom-level
OU policy in the computer settings of a GPO.

thank you,
Bill
 
Guest

Bill

Password policy should only be set on your Default Domain Controllers Policy,
not your Default Domain Policy.

Regards
 
Guest

I seem to keep finding different methods regarding the password policy.

http://www.microsoft.com/technet/pr...ctory/activedirectory/stepbystep/strngpw.mspx

I understand that all users log in by using the services of the domain
controllers, but the note above clearly tells you to use a policy at the
domain level. I've checked the password policy at my Domain Controllers OU,
and none of the settings are defined, which doesn't explain why my default
domain policy was being reverted to its previous settings.
 
Guest

Interesting, because this line appears in the note you provided:

2. Select Password Policy.

In the results pane, notice that a Password Policy is not defined in the
default DC GPO, because password policy is defined for the entire domain in
the default domain GPO.

So I'm still not sure what policy could be overriding my top-level default
domain GPO. How is that possible? Even if there is a password policy
further down the AD tree, the settings are supposed to flow down; I shouldn't
need to set the No Override tab on a default domain policy.
 
Guest

I don't think that there is a "Domain Security Policy" available.

As for where the policy is coming from you will need to run gpresult.
 
Guest

gpresult tells me my user account is receiving settings from the default
domain policy, but it doesn't tell me why my default domain policy, directly
beneath the domain OU, is being overwritten.
 
Cary Shultz [A.D. MVP]

I would look very carefully. It is very much available and very much the
one to use! Not sure what else to tell you other than to open up the
Administrative Tools and make sure that things are listed alphabetically.
Do you still not see it? Where are you looking? On a Domain Controller
directly? On a Domain Controller via RDP? On a Domain Controller via some
version of VNC? Or better, on a workstation with the Adminpak installed?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Guest

Hi Bill

It will have more than just one even if you only have a domain policy set.
Policies in general follow the order below, and each is inherited from
above. If I set a policy on the site, then change the same setting on the domain,
the domain policy is in effect (thus overwritten).

local
site
domain
ou

I just finished two huge projects (one had 500,000 nodes and another
18,000) where the password policies were set on the domain controllers policy
and it worked as on the tin. Setting a policy domain wide would impact users
who have computers in a domain but log in locally to a PC. Remember, password
policy is on the computer object, not the user. Set the password policy on the
domain controllers policy; this ensures all AD user objects are affected by
the policy.
 
Cary Shultz [A.D. MVP]

The AD Designer,

Again, I would disagree with setting the password policy on the Default
Domain Controller Policy. It should be set in the Domain Security Policy.

And setting a password policy at the domain level ( which is what we are
doing with the Domain Security Policy ) will not affect users logging in
locally on the machines ( assuming that they are using a local user account
and not the Domain user account object ). The only way to set a password
policy to affect the local user accounts is to create a GPO at the OU level,
linking it to the OU that contains the computer account objects. Doing so
will not affect users logging on with the Domain user account object but
will affect users logging on with local user accounts.

Sorry, I am just not sure from where you have your information?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Glenn LeCheminant

I feel I must chime in here to clear up any confusion.
DCs will ignore any password policies you set at the domain controller
container.
password policies, account policies, kerberos policies, (and a couple other
individual settings) must be configured in a GPO that is linked to the
domain container.
This is because MS does not want to assume you will keep your DCs in the
default DC container, and MS must guarantee consistent security policies
across all DCs in a domain. The only way to achieve this guarantee is to
force certain settings to be linked to the domain container for DCs to read
and apply them.

Also, like Cary indicated, if you are interested in controlling the
password policies for local accounts on workstations and servers, then you
must set up an OU for those systems and configure and link a GPO with those
settings to the OU.
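The posts above describe three rules that decide which GPO wins for a computer: the local, site, domain, OU processing order with Enforced (No Override) and Block Inheritance, the point that a domain-linked GPO governs domain accounts while an OU-linked GPO governs the local accounts of the computers in that OU, and Glenn's point that domain controllers take account policy only from GPOs linked at the domain container. The following Python model is an added example, not code from the thread or from Microsoft; it does not read a real directory. Every container, GPO name and value in it is constructed, and the list of account-policy setting names is an illustrative subset rather than the full set.

```python
"""Model of Group Policy precedence for one setting (added example).

Models the LSDOU order (local, site, domain, OU), the Enforced/"No Override"
and Block Inheritance rules, and the rule stated in the thread that domain
controllers read account-policy settings only from domain-linked GPOs.
All containers and GPOs below are constructed; nothing here touches AD.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Account Policies settings that, per the thread, DCs read only from the domain
# container.  Constructed, illustrative subset of the real setting names.
ACCOUNT_POLICY_SETTINGS = {
    "MinimumPasswordLength", "MaximumPasswordAge", "PasswordHistorySize",
    "LockoutDuration", "LockoutBadCount", "ResetLockoutCount",
}


@dataclass
class Link:
    gpo: str                     # display name of the linked GPO
    settings: Dict[str, object]  # only the settings this GPO actually defines
    enforced: bool = False       # "Enforced" (2003 GPMC) / "No Override" (2000)


@dataclass
class Container:
    name: str
    kind: str                    # "site", "domain" or "ou"
    links: List[Link] = field(default_factory=list)  # index 0 = link order 1
    block_inheritance: bool = False


def resolve(setting: str, local_value, path: List[Container],
            is_domain_controller: bool = False) -> Tuple[object, str]:
    """Return (effective value, winning source) for `setting` on a computer
    whose container chain is `path`, listed from site down to its own OU."""
    if is_domain_controller and setting in ACCOUNT_POLICY_SETTINGS:
        # Thread's rule: DCs ignore account policy linked anywhere but the domain.
        path = [c for c in path if c.kind == "domain"]

    # Block Inheritance on a container discards non-enforced links above it.
    block_at = 0
    for i, c in enumerate(path):
        if c.block_inheritance:
            block_at = i

    normal: List[Link] = []
    enforced: List[Link] = []
    for i, c in enumerate(path):
        # Within a container, link order 1 has the highest precedence, so it
        # must be applied last: iterate that container's links in reverse.
        for link in reversed(c.links):
            if link.enforced:
                enforced.append(link)
            elif i >= block_at:
                normal.append(link)

    # Non-enforced links apply in LSDOU order (deepest wins).  Enforced links
    # apply after all of them, with the highest container applied last.
    value, source = local_value, "local policy"
    for link in normal + list(reversed(enforced)):
        if setting in link.settings:
            value, source = link.settings[setting], link.gpo
    return value, source


def build_domain(enforce_domain_link: bool):
    """Constructed containers: the domain with its Default Domain Policy, a
    buried OU whose GPO also sets a password setting, and the Domain
    Controllers OU with a GPO that tries to set password length there."""
    domain = Container("example.local", "domain", [
        Link("Default Domain Policy",
             {"MinimumPasswordLength": 8, "LockoutDuration": 30},
             enforced=enforce_domain_link),
    ])
    branch_ou = Container("OU=Branch,OU=Sites,DC=example,DC=local", "ou", [
        Link("Branch Legacy Policy", {"MinimumPasswordLength": 6}),
    ])
    dc_ou = Container("OU=Domain Controllers,DC=example,DC=local", "ou", [
        Link("Default Domain Controllers Policy", {"MinimumPasswordLength": 12}),
    ])
    return domain, branch_ou, dc_ou


def effective_on_branch_workstation(enforce_domain_link: bool) -> Tuple[object, str]:
    """Password length applied to local accounts on a workstation in the buried OU."""
    domain, branch_ou, _ = build_domain(enforce_domain_link)
    return resolve("MinimumPasswordLength", 0, [domain, branch_ou])


def effective_on_domain_controller(enforce_domain_link: bool) -> Tuple[object, str]:
    """Password length a DC enforces for domain accounts."""
    domain, _, dc_ou = build_domain(enforce_domain_link)
    return resolve("MinimumPasswordLength", 0, [domain, dc_ou],
                   is_domain_controller=True)


def effective_lockout_with_block_inheritance(enforce_domain_link: bool) -> Tuple[object, str]:
    """Lockout duration on a branch workstation whose OU blocks inheritance."""
    domain, branch_ou, _ = build_domain(enforce_domain_link)
    branch_ou.block_inheritance = True
    return resolve("LockoutDuration", 0, [domain, branch_ou])


if __name__ == "__main__":
    for flag in (False, True):
        print(f"Default Domain Policy link enforced={flag}:")
        print("  branch workstation  :", effective_on_branch_workstation(flag))
        print("  domain controller   :", effective_on_domain_controller(flag))
        print("  lockout, blocking OU:", effective_lockout_with_block_inheritance(flag))
```

Run without the domain link enforced, the branch workstation's local accounts get the 6-character minimum from the buried OU's GPO, while the DC still enforces 8 for domain accounts and ignores the 12 set in the Domain Controllers OU. Enforcing the domain link flips the workstation back to 8 and also pushes the lockout duration through an OU that blocks inheritance. This is the same resolution gpresult reports when it lists which GPO supplied each setting.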
 
Guest

Cary

You are correct in stating that the default domain policy should be used for
setting password policies. However, password policies are set in the computer
configuration part of the policy. This means that when a computer is
joined to the domain it will get this policy regardless of whether the user
is logging onto the domain or logging on locally. This is why when a system
is booting up and the LSASS service (LSASS.exe, LSASS.DLL) starts, it applies
policies from the domain it is joined to. This information can be
found in the Windows 2003 internals book, page 489, security.

Regards
 
Cary Shultz [A.D. MVP]

I was going to add another post to this thread last night but was simply too
tired ( with a little little one and another on the way that happens! Momma
is really tired so Poppa has a lot of stuff to do - in addition to what he
already does......).

Did some thinking about your idea of using the Default Domain Controller
Policy for setting the password policy. And my hard-headedness on using the
Domain Security Policy ( or Default Domain Policy ).

You are correct that the password is really a computer thing ( while most
people without thinking would tell you that it is a user thing! ) and that -
by setting it at the DDCP - you are really telling the Domain Controllers
what type of password they will accept ( and, by definition, what they will
not accept ).

In WIN2000 I am not sure that I would use the DDCP for this. I did look
this up in a couple of books that I have sitting on the shelves ( and I was
glad to do that....they were getting really dusty! ). Nowhere could I find
anything about using the DDCP for doing this. Now, that does not mean that
you can not! If you are that adamant that you have successfully done this
using the DDCP then who am I to tell you that you have not! I believe you
on this. Even if it were 50 users and 18 users ( and not 500,000 and
18,000 = sounds like something that Joe R would be doing! ). Now, the
interesting thing comes with WIN2003. I did a google of the 'Domain
Security Policy' and there is a link ( at the top of the results page ) with
the following:

http://support.microsoft.com/kb/q221930/

And by using 'password policy' you get the following ( both WIN2000 and
WIN2003 ):

http://www.tacktech.com/display.cfm?ttid=354
http://windows.about.com/od/security/l/aa000910a.htm
http://www.microsoft.com/technet/pr...Kit/041728b4-5ed9-44a8-99fe-c050333d4245.mspx

These would seem to suggest that you would indeed set the password policy
( and a few other things ) at the Domain Security Policy. The two books
that I referenced suggested this as well.

However, for WIN2003 things look a little different!

I can not find the page on the Microsoft web site but there were clearly two
options: the Default Domain Policy -OR- the Default Domain Controller
Policy.

So, I am going to have to play with this a little bit.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Guest

Hi Cary

I tend to read resource kits, and they provide engine information as
opposed to administration information at a higher level.

PS: I was right in saying 500,000 (largest AD project in the UK) and 18,000
user projects.

Yours
The AD Architect
 
Guest

I appreciate everyone's insight; it was educational. I believe I finally
realize why my settings were being overwritten. Someone from another site
thought it was a good idea to link the default domain policy GPO to a buried
OU. My guess is that replication from that OU was overwriting the
settings at the domain level, and not until setting No Override did the
settings at the domain level overwrite the settings further down the
hierarchy.

thank you
 
Cary Shultz [A.D. MVP]

The Resource Kits are really good! And please do not think that I was
challenging your numbers. Gonna play with this for a little bit! I am
always willing to learn a different approach to things, and if that
'different' approach is better than the 'prescribed' way then so much the
better!

Also not too proud to admit when I am wrong! And to give credit where
credit is due.

Playing in the lab right now to see what happens!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
