RE: [ActiveDir] Account Policies
If I recall in addition it is:

0 Legacy Policies (such as ADMs)
1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: 27 June 2005 21:44
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies

the order is:

1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels

cheers
#JORGE#
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE : [ActiveDir] Account Policies
Oupsss.. sorry Mark and Robert
I will carefully read what people write before posting a notice :-)

Great day all :-)

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Date: Mon 27/06/2005 21:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies

You see in his mail below the following:

Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU

When you are logging in using a domain account, the domain account policies are applied...when you log on using a local machine account on the machine in OU, then the account policy applied to OU are applied.

I hope that makes sense...

Have a great day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center
RE: [ActiveDir] Account Policies
the order is:

1 local policies
2 GPOs at site level
3 GPOs at domain level
4 GPOs at OU level and lower levels

cheers
#JORGE#

From: TIROA YANN [mailto:[EMAIL PROTECTED]]
Sent: Mon 6/27/2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Account Policies

Hi Jorge :)

Just a notice about what you said. When u set an account policy at the domain level, doesn't it override all other account policies that were set in child OUs? I thought that only account policies at the domain level apply to all domain + OUs level..

Cheers,
Yann
RE: [ActiveDir] Account Policies
Yann,

As Jorge stated "Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU"

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: 27 June 2005 20:45
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Account Policies

Hi Jorge :)

Just a notice about what you said. When u set an account policy at the domain level, doesn't it override all other account policies that were set in child OUs? I thought that only account policies at the domain level apply to all domain + OUs level..

Cheers,
Yann
RE: [ActiveDir] Account Policies
You see in his mail below the following:

Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU

When you are logging in using a domain account, the domain account policies are applied…when you log on using a local machine account on the machine in OU, then the account policy applied to OU are applied.

I hope that makes sense…

Have a great day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Monday, June 27, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Account Policies

Hi Jorge :)

Just a notice about what you said. When u set an account policy at the domain level, doesn't it override all other account policies that were set in child OUs? I thought that only account policies at the domain level apply to all domain + OUs level..

Cheers,
Yann
RE : [ActiveDir] Account Policies
Hi Jorge :)

Just a notice about what you said. When u set an account policy at the domain level, doesn't it override all other account policies that were set in child OUs? I thought that only account policies at the domain level apply to all domain + OUs level..

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Mon 27/06/2005 21:24
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account Policies

With the setup you show us the following applies

Domain OU - 14 Days -> applies to all user accounts in the domain and to all user accounts local to each server/client except for the servers/clients in the sales OU and the finance OU
Sales OU - 30 Days -> applies to all user accounts local to each server/client located in the sales ou
Finance OU - 35 Days -> applies to all user accounts local to each server/client located in the finance ou

Definition of account policies at domain level apply to all user accounts in the domain
Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU

Cheers
#JORGE#
RE: [ActiveDir] Account Policies
With the setup you show us the following applies

Domain OU - 14 Days -> applies to all user accounts in the domain and to all user accounts local to each server/client except for the servers/clients in the sales OU and the finance OU
Sales OU - 30 Days -> applies to all user accounts local to each server/client located in the sales ou
Finance OU - 35 Days -> applies to all user accounts local to each server/client located in the finance ou

Definition of account policies at domain level apply to all user accounts in the domain
Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU

Cheers
#JORGE#

From: Yusuf Mayet [mailto:[EMAIL PROTECTED]]
Sent: Mon 6/27/2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Policies

Hi all,

As far as I remember and with best practices you can only have the one account policy that takes effect in a domain but I have a client that has changed this option.

Domain OU - 14 Days
Sales OU - 30 Days
Finance OU - 35 Days

Now I would like some clarification around this implementation of password policy?

TIA
-Yusuf
RE: [ActiveDir] Account policies and groups
This has been mentioned several times on the list but one more time...

Password policies are applied to the domain controllers which update the domain NC head with the info. There are specific attributes on the head that control password aging, length, lockout values, etc. You can do anything you want to the user and they will be impacted by the account policies because they all do their thing through the domain controllers.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Thursday, February 17, 2005 11:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account policies and groups

Yes, the password policy will still apply to that user - it applies to every object in the domain, regardless of block inheritance settings.

Roger Seielstad
E-mail Geek & MS-MVP
RE: [ActiveDir] Account policies and groups
Yes, the password policy will still apply to that user - it applies to every object in the domain, regardless of block inheritance settings.

Roger Seielstad
E-mail Geek & MS-MVP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Sutton
Sent: Thursday, February 17, 2005 6:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policies and groups

If a user is in an OU which has the block inheritance selected but is a member of a group that's in a different OU and doesn’t have block inheritance applied, will the password policy for example still apply to that user?

Just curious really

For Troup Bywaters + Anders
Tim Sutton
RE: [ActiveDir] Account policies and groups
The key here is that policy is only processed by user and computer objects, but its effect can be filtered by security groups (and WMI queries). So, in this scenario, putting block inheritance on the OU where the user object resides would prevent the user from receiving upstream GPOs, even though the user's group resides elsewhere.

From: [EMAIL PROTECTED] on behalf of Passo, Larry
Sent: Thu 2/17/2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account policies and groups

But group membership can determine which GPOs get applied if you are using GPO filtering.
RE: [ActiveDir] Account policies and groups
But group membership can determine which GPOs get applied if you are using GPO filtering.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 17, 2005 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account policies and groups

No, group membership does not determine what policies get applied. If they did, they would be called "OU policies", wouldn't they? :)

-gil
RE: [ActiveDir] Account policies and groups
No, group membership does not determine what policies get applied. If they did, they would be called "OU policies", wouldn't they? :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Sutton
Sent: Thursday, February 17, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policies and groups

If a user is in an OU which has the block inheritance selected but is a member of a group that's in a different OU and doesn’t have block inheritance applied, will the password policy for example still apply to that user?

Just curious really

For Troup Bywaters + Anders
Tim Sutton
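
The resolution rules stated in the two threads above (Jorge's Domain / Sales / Finance breakdown, and Roger's and joe's point that block inheritance does not shield a domain account from the password policy), as an added example that is not part of the original messages. The DNs, the `MinimumPasswordLength` value and the function names are constructed for illustration; Enforced links, the legacy ADM layer and security-group or WMI filtering are not modelled.

```python
# Added illustration: which account policy ends up governing an account.
# Model only; all names and DNs below are constructed, not from the thread.

def containers_for(computer_dn):
    """Split a computer DN into (domain DN, [OU DNs, outermost first])."""
    parts = [p.strip() for p in computer_dn.split(",")][1:]  # drop CN=<computer>
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    domain_dn = ",".join(parts[first_dc:])
    ou_chain = [",".join(parts[i:]) for i in range(first_dc - 1, -1, -1)]
    return domain_dn, ou_chain


def effective_account_policy(account_kind, computer_dn, links,
                             local=None, site=None, blocked=()):
    """Return the account-policy settings that govern one account.

    account_kind: "domain" (account stored in AD) or "local" (account in the
                  SAM of the member computer at computer_dn).
    links:        {container DN: settings from GPOs linked there}.
    blocked:      OU DNs with block inheritance set.
    """
    domain_dn, ou_chain = containers_for(computer_dn)

    if account_kind == "domain":
        # Enforced by the domain controllers from the domain head: the OU the
        # user or computer sits in, and block inheritance, change nothing.
        return dict(links.get(domain_dn, {}))
    if account_kind != "local":
        raise ValueError("account_kind must be 'domain' or 'local'")

    # Local SAM accounts follow normal computer GPO processing:
    # local policy, then site, domain, OU and child OUs; last writer wins.
    inherited = [site or {}, links.get(domain_dn, {})]
    for ou in ou_chain:
        if ou in blocked:
            inherited = []          # GPOs linked above this OU are dropped
        inherited.append(links.get(ou, {}))

    effective = dict(local or {})   # the local policy is never blocked
    for layer in inherited:
        effective.update(layer)     # per-setting override
    return effective


# Constructed sample mirroring the 14 / 30 / 35 day setup from the thread.
DOMAIN = "DC=corp,DC=example"
SALES = "OU=Sales," + DOMAIN
FINANCE = "OU=Finance," + DOMAIN
LINKS = {
    DOMAIN: {"MaximumPasswordAge": 14, "MinimumPasswordLength": 8},  # length is made up
    SALES: {"MaximumPasswordAge": 30},
    FINANCE: {"MaximumPasswordAge": 35},
}


def demo():
    """Resolve the thread's scenario for several account/computer pairs."""
    sales_pc = "CN=PC1," + SALES
    finance_laptop = "CN=PC7,OU=Laptops," + FINANCE
    other_srv = "CN=SRV9,OU=Servers," + DOMAIN
    return {
        "domain user on Sales PC": effective_account_policy("domain", sales_pc, LINKS),
        "local user on Sales PC": effective_account_policy("local", sales_pc, LINKS),
        "local user on Finance laptop": effective_account_policy("local", finance_laptop, LINKS),
        "local user on other server": effective_account_policy("local", other_srv, LINKS),
        "domain user, Sales OU blocked": effective_account_policy(
            "domain", sales_pc, LINKS, blocked={SALES}),
        "local user, Sales OU blocked": effective_account_policy(
            "local", sales_pc, LINKS, blocked={SALES}),
    }


if __name__ == "__main__":
    for case, policy in demo().items():
        print(f"{case}: {policy}")
```

The last two cases show the asymmetry the threads describe: blocking inheritance on the Sales OU removes the domain-linked settings for local accounts on Sales machines but leaves the domain account's policy untouched.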