If you want to affect local accounts, set the policy on the OU[s] containing
the computer objects with a higher precedence than the Domain policy.
It has always been documented that Domain password policy must be in the
Default Domain Policy.
Recent version covering W2K3:
http://technet.microsoft.com/en-us/library/cc773164(WS.10).aspx
To accommodate APIs from previous versions of the operating system that make
changes directly to default GPOs, changes to the following security policy
settings must be made directly in the Default Domain Policy GPO or in the
Default Domain Controllers Policy GPO:
* Default Domain Security Policy Settings:
  * Password Policy
  * Domain Account Lockout Policy
  * Domain Kerberos Policy
From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, December 08, 2010 12:30 PM
To: NT System Admin Issues
Subject: GPO for Password Policy question
W2K3 FFL domain:
Can someone let me know if this is correct:
OK, so you have your default domain policy, which is linked to the domain. You
have account Password policies configured there. This affects both local SAM
accounts and AD accounts. If you decided for some business reason that you
didn't want these password policies to apply to local SAM accounts (i.e.
password complexity requirements), but only AD accounts, could you remove the
password policies from the default domain GPO and apply them to the default
Domain controllers GPO, which should then only affect AD accounts?
Thanks
Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
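
Added example (not part of the original thread): one way to check, on a domain-joined member computer, which password policy AD accounts get versus which one the local SAM accounts get, and which GPOs win on the computer's OU. The function name Get-LocalSamPolicy is hypothetical; it assumes the RSAT ActiveDirectory and GroupPolicy modules, PowerShell 3.0 or later, an elevated prompt, and a computer object located in an OU.

```powershell
# Added example, not from the thread. Run elevated on a domain-joined member.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules, PowerShell 3.0+,
# and a computer object that sits in an OU rather than the Computers container.
Import-Module ActiveDirectory, GroupPolicy

function Get-LocalSamPolicy {
    # Export the account policy this machine currently enforces on its local SAM.
    $cfg = Join-Path $env:TEMP ("sam-policy-{0}.inf" -f $PID)
    secedit.exe /export /areas SECURITYPOLICY /cfg $cfg | Out-Null
    $values = @{}
    foreach ($line in Get-Content -Path $cfg) {
        # Keep only "Name = <integer>" lines, e.g. the [System Access] section.
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $values
}

$domain = Get-ADDefaultDomainPasswordPolicy   # policy applied to AD accounts
$local  = Get-LocalSamPolicy                  # policy applied to local accounts

# secedit key name paired with the matching domain policy value.
$pairs = @(
    @('MinimumPasswordLength', $domain.MinPasswordLength),
    @('PasswordComplexity',    [int]$domain.ComplexityEnabled),
    @('PasswordHistorySize',   $domain.PasswordHistoryCount),
    @('MaximumPasswordAge',    [int]$domain.MaxPasswordAge.TotalDays),
    @('MinimumPasswordAge',    [int]$domain.MinPasswordAge.TotalDays),
    @('LockoutBadCount',       $domain.LockoutThreshold)
)

$pairs | ForEach-Object {
    $name, $domainVal = $_
    $localVal = $local[$name]
    # secedit reports "never expires" as -1; the AD cmdlet reports it as 0 days.
    if ($name -eq 'MaximumPasswordAge' -and $localVal -eq -1) { $localVal = 0 }
    [pscustomobject]@{
        Setting = $name; Domain = $domainVal; LocalSAM = $localVal
        Differs = ($domainVal -ne $localVal)
    }
} | Format-Table -AutoSize

# GPO precedence on this computer's OU: Order 1 wins for local account policy.
$ou = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName -replace '^CN=[^,]+,', ''
(Get-GPInheritance -Target $ou).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
```

A row with Differs = True means an OU-linked GPO (or local setting) is overriding the domain values for local SAM accounts on that machine.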