Password policy in domain 2003

  • Thread starter Thread starter לי×Âור.פ
  • Start date Start date
Ã

לי×Âור.פ

Hi

As far as I know there can be only one password policy.
I configured the main GPO in the root for specific password policy, I have
an OU with blocked inheritance is checked, and I created a new gpo and linked
it to this OU, this gpo have a diffrent set of password policy, I run the
RSOP on the server under that OU, and I got the new set of password policy
that is linked to this OU.
So, Can I use a diffrent password policy in diffrent OU's ?
or, I missing somthing?

thanks

Lior
 
You can - but for accounts that reside in the local SAM databases of
computers in that OU. You will certainly notice that it only applies to
computers, and not to users. For domain accounts, the domain level password
policy still applies.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"?????.?" wrote in message
news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...
> Hi
>
> As far as I know there can be only one password policy.
> I configured the main GPO in the root for specific password policy, I have
> an OU with blocked inheritance is checked, and I created a new gpo and
> linked
> it to this OU, this gpo have a diffrent set of password policy, I run the
> RSOP on the server under that OU, and I got the new set of password policy
> that is linked to this OU.
> So, Can I use a diffrent password policy in diffrent OU's ?
> or, I missing somthing?
>
> thanks
>
> Lior
>
 
Hi
I didn't anderstand your answer, can U pleas explain broadly, the password
policy
is on the computer section, when u wrote " For domain accounts, the domain
level password policy still applies", the computer object account are domain
accounts, so what did u mean?

Lior

"Dobromir Todorov" wrote:

> You can - but for accounts that reside in the local SAM databases of
> computers in that OU. You will certainly notice that it only applies to
> computers, and not to users. For domain accounts, the domain level password
> policy still applies.
>
> --
> ---
> HTH,
> Dobromir
>
> Learn more about Security and Identity Management:
> Visit http://www.iamechanics.com
>
> "?????.?" wrote in message
> news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...
> > Hi
> >
> > As far as I know there can be only one password policy.
> > I configured the main GPO in the root for specific password policy, I have
> > an OU with blocked inheritance is checked, and I created a new gpo and
> > linked
> > it to this OU, this gpo have a diffrent set of password policy, I run the
> > RSOP on the server under that OU, and I got the new set of password policy
> > that is linked to this OU.
> > So, Can I use a diffrent password policy in diffrent OU's ?
> > or, I missing somthing?
> >
> > thanks
> >
> > Lior
> >
>
>
>
 
Dobromir stated correctly that prior to Windows 2008 domains
there is only one account and password policy for domain accounts.
If one sets these at a different level (not at domain level) such as
your case on an OU, then the account and password policies will
have impact on machine local accounts defined on the computers
in that OU, which is why you were seeing what you report in the
GP results for machines in that OU.

Roger

"?????.?" wrote in message
news:450C94D5-9E3F-4637-AA0F-815985FF4022@microsoft.com...
> Hi
> I didn't anderstand your answer, can U pleas explain broadly, the password
> policy
> is on the computer section, when u wrote " For domain accounts, the domain
> level password policy still applies", the computer object account are
> domain
> accounts, so what did u mean?
>
> Lior
>
> "Dobromir Todorov" wrote:
>
>> You can - but for accounts that reside in the local SAM databases of
>> computers in that OU. You will certainly notice that it only applies to
>> computers, and not to users. For domain accounts, the domain level
>> password
>> policy still applies.
>>
>> --
>> ---
>> HTH,
>> Dobromir
>>
>> Learn more about Security and Identity Management:
>> Visit http://www.iamechanics.com
>>
>> "?????.?" wrote in message
>> news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...
>> > Hi
>> >
>> > As far as I know there can be only one password policy.
>> > I configured the main GPO in the root for specific password policy, I
>> > have
>> > an OU with blocked inheritance is checked, and I created a new gpo and
>> > linked
>> > it to this OU, this gpo have a diffrent set of password policy, I run
>> > the
>> > RSOP on the server under that OU, and I got the new set of password
>> > policy
>> > that is linked to this OU.
>> > So, Can I use a diffrent password policy in diffrent OU's ?
>> > or, I missing somthing?
>> >
>> > thanks
>> >
>> > Lior
>> >
>>
>>
>>
 
Back
Top