RE: GPO for Password Policy question

2010-12-08 Thread Free, Bob
If you want to affect local accounts, set the policy on the OU[s] containing 
the computer objects with a higher precedence than the Domain policy.

It has always been documented that Domain password policy must be in the 
Default Domain Policy.

Recent version covering W2K3-  
http://technet.microsoft.com/en-us/library/cc773164(WS.10).aspx


To accommodate APIs from previous versions of the operating system that make 
changes directly to default GPOs, changes to the following security policy 
settings must be made directly in the Default Domain Policy GPO or in the 
Default Domain Controllers Policy GPO:

  *   Default Domain Security Policy Settings:

      *   Password Policy

      *   Domain Account Lockout Policy

      *   Domain Kerberos Policy



From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, December 08, 2010 12:30 PM
To: NT System Admin Issues
Subject: GPO for Password Policy question

W2K3 FFL domain:

Can someone let me know if this is correct:

OK, so you have your default domain policy, which is linked to the domain. You 
have account Password policies configured there. This affects both local SAM 
accounts and AD accounts. If you decided for some business reason that you 
didn't want these password policies to apply to local SAM accounts (i.e. 
password complexity requirements), but only AD accounts, could you remove the 
password policies from the default domain GPO and apply them to the default 
Domain controllers GPO, which should then only affect AD accounts?


Thanks


Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

This message, and 
any attachments to it, may contain information that is privileged, 
confidential, and exempt from disclosure under applicable law. If the reader of 
this message is not the intended recipient, you are notified that any use, 
dissemination, distribution, copying, or communication of this message is 
strictly prohibited. If you have received this message in error, please notify 
the sender immediately by return e-mail and delete the message and any 
attachments. Thank you.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
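
One way to check the result of the approach in the reply above, as an added example that is not part of the original thread: run elevated on a domain-joined member computer, it compares the password settings enforced on local SAM accounts with those stored on the domain object for AD accounts. The function names and the temp file name are illustrative, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Run elevated on a domain-joined member
# computer. Function names and the temp file name are illustrative.

function Get-LocalSamPasswordPolicy {
    # Export the effective local security policy; its [System Access] section
    # holds the settings applied to local SAM accounts on this computer.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $wanted = 'MinimumPasswordLength', 'PasswordComplexity',
              'PasswordHistorySize', 'LockoutBadCount'
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(\d+)\s*$' -and $wanted -contains $Matches[1]) {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $cfg
    $policy
}

function Get-DomainPasswordPolicy {
    # The policy enforced on AD accounts is stored on the domain head object.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    @{
        MinimumPasswordLength = [int]$domain.minPwdLength.Value
        # Bit 0x1 of pwdProperties is DOMAIN_PASSWORD_COMPLEX.
        PasswordComplexity    = ([int]$domain.pwdProperties.Value) -band 1
        PasswordHistorySize   = [int]$domain.pwdHistoryLength.Value
        LockoutBadCount       = [int]$domain.lockoutThreshold.Value
    }
}

$localPolicy  = Get-LocalSamPasswordPolicy
$domainPolicy = Get-DomainPasswordPolicy

# One row per setting, flagging where the two policies diverge.
$domainPolicy.Keys | Sort-Object | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_
        LocalSam = $localPolicy[$_]
        Domain   = $domainPolicy[$_]
        Differs  = ($localPolicy[$_] -ne $domainPolicy[$_])
    }
} | Format-Table -AutoSize
```

Rows where Differs is True show that the local SAM policy on this computer is not the one applied to AD accounts.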


RE: GPO for Password Policy question

2010-12-08 Thread Malcolm Reitz
Yes, it works as you describe. I've done this before by blocking inheritance
of the default domain policy (easy to test without fooling with your default
domain GPO), but your method is probably easier to manage.

 

-Malcolm

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Wednesday, December 08, 2010 14:30
To: NT System Admin Issues
Subject: GPO for Password Policy question

 

W2K3 FFL domain: 

Can someone let me know if this is correct: 

OK, so you have your default domain policy, which is linked to the domain.
You have account Password policies configured there. This affects both local
SAM accounts and AD accounts. If you decided for some business reason that
you didn't want these password policies to apply to local SAM accounts (i.e.
password complexity requirements), but only AD accounts, could you remove
the password policies from the default domain GPO and apply them to the
default Domain controllers GPO, which should then only affect AD accounts? 


Thanks 


Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003