
Password policy, no override

June 6, 2005 3:12:16 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

My default domain policy's computer settings, (min password length, lockout
duration, etc.) kept being set back to their old settings a few minutes
after modifying them. It wasn't until I checked the enforced checkbox on the
gpo that the default domain policy computer settings remained changed
permanently. Strangely enough, the computer portion of the GPO remained
unchanged, the login banner. I don't understand why checking the enforced,
no override, box fixed the problem, or why it was a problem to begin with. I
also recently experienced the same problem, and solution, at a bottom level
OU policy in the computer settings of a GPO.

thank you,
Bill
June 7, 2005 10:27:22 AM


Bill

Password policy should only be set on your Default Domain Controllers Policy,
not your Default Domain Policy.

Regards

June 7, 2005 4:32:17 PM


I seem to keep finding different methods regarding the password policy.

http://www.microsoft.com/technet/prodtechnol/windowsser...

I understand that all users login by using the services of the domain
controllers, but the note above clearly tells you to use a policy at the
domain level. I've checked the password policy at my domain controllers OU,
and none of the settings are defined, which doesn't explain why my default
domain policy was being reverted to its previous settings.

June 7, 2005 7:15:01 PM


Hi Bill

I can understand that it can get a little confusing. Try using gpresult to
find out which policies are being applied and from where.

Users log onto domain controllers; setting password policies on domain
controllers ensures that domain logins are defined for domain authentication
purposes.

Read the following article on setting up password policies.

http://www.microsoft.com/technet/security/prodtech/wind...



June 7, 2005 10:33:04 PM


Interesting, because this line appears in the note you provided:

2. Select Password Policy.

In the results pane, notice that a Password Policy is not defined in the
default DC GPO, because password policy is defined for the entire domain in
the default domain GPO.

So I'm still not sure what policy could be overriding my top level default
domain GPO. How is that possible? Even if there is a password policy
further down the AD tree, the settings are supposed to flow down, I shouldn't
need to set the no override tab on a default domain policy.



June 8, 2005 1:23:48 AM


The AD Designer,

Not sure that I agree with this. I have always set Password Policies in the
'Domain Security Policy'.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



June 8, 2005 3:33:01 AM


I don't think that there is a "Domain Security Policy" available.

As for where the policy is coming from, you will need to run gpresult.


June 8, 2005 4:55:57 AM


Bill,

It is not possible. The AD Designer misread that! I have always done it in
the Domain Security Policy!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



June 8, 2005 10:21:05 AM


gpresult tells me my user account is receiving settings from the default
domain policy, but it doesn't tell me why my default domain policy, directly
beneath the domain OU, is being overwritten.



June 8, 2005 10:35:05 AM


Hi Bill

It will have more than just one even if you only have a domain policy set.
Policies in general follow the following order, and each is inherited from
above. If I set a policy on the site, then change the same setting on the
domain, the domain policy is in effect (thus overwritten).

local
site
domain
ou

I just finished two huge projects (one had 500,000 nodes and another
18,000) where the password policies were set on the domain controllers policy
and it worked as on the tin. Setting a policy domain-wide would impact users
who have computers in a domain but log in locally to a PC. Remember, password
policy is on the computer object, not the user. Set the password policy on the
domain controllers policy; this ensures all AD user objects are affected by
the policy.




June 8, 2005 1:26:51 PM


I would look very carefully. It is very much available and very much the
one to use! Not sure what else to tell you other than to open up the
Administrative Tools and make sure that things are listed alphabetically.
Do you still not see it? Where are you looking? On a Domain Controller
directly? on a Domain Controller via RDP? on a Domain Controller via some
version of VNC? or better, on a workstation with the Adminpak installed?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



June 8, 2005 6:29:11 PM


The AD Designer,

Again, I would disagree with setting the password policy on the Default
Domain Controller Policy. It should be set in the Domain Security Policy.

And setting a password policy at the domain level ( which is what we are
doing with the Domain Security Policy ) will not affect users logging in
locally on the machines ( assuming that they are using a local user account
and not the Domain user account object ). The only way to set a password
policy to affect the local user accounts is to create a GPO at the OU level,
linking it to the OU that contains the computer account objects. Doing so
will not affect users logging on with the Domain user account object but
will affect users logging on with local user accounts.

Sorry, I am just not sure from where you have your information?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



June 9, 2005 3:15:02 AM


I feel I must chime in here to clear up any confusion.
DCs will ignore any password policies you set at the domain controller
container.
Password policies, account policies, Kerberos policies (and a couple of other
individual settings) must be configured in a GPO that is linked to the
domain container.
This is because MS does not want to assume you will keep your DCs in the
default DC container, and MS must guarantee consistent security policies
across all DCs in a domain. The only way to achieve this guarantee is to
force certain settings to be linked to the domain container for DCs to read
and apply them.

Also, like Cary indicated, if you are interested in controlling the
password policies for local accounts on workstations and servers, then you
must set up an OU for those systems and configure and link a GPO with those
settings to the OU.


--
Glenn LeCheminant
CCNA, MCSE 2000/2003 + Security

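The precedence order given earlier in the thread (local, site, domain, OU, with Enforced/No Override links winning) and the point made in the post above (password, lockout and Kerberos settings for domain accounts are read only from GPOs linked to the domain container, while the same settings in an OU-linked GPO reach only the local accounts of computers in that OU) are easy to mix up. The following added example, written for this page and not code from the thread or from Microsoft, models both rules so you can see why an OU GPO cannot override the Default Domain Policy for domain users, and what checking Enforced on the Default Domain Policy changes. The GPO names and setting values are made up; the model deliberately ignores security filtering, WMI filters and loopback processing.

```python
# Added example (not from the thread): a small model of how Group Policy
# resolves Account Policy settings, encoding the rules the replies describe.
# GPO names and values below are made up for illustration.
from dataclasses import dataclass, field

# Processing order: local, site, domain, OU. The link processed last wins.
LEVEL_RANK = {"local": 0, "site": 1, "domain": 2, "ou": 3}

# Settings that, for domain accounts, are honoured only from domain-linked GPOs.
ACCOUNT_POLICY_KEYS = {
    "MinimumPasswordLength", "PasswordHistorySize", "MaximumPasswordAge",
    "LockoutBadCount", "LockoutDuration", "ResetLockoutCount", "MaxTicketAge",
}


@dataclass
class GpoLink:
    name: str
    level: str                 # "local", "site", "domain" or "ou"
    link_order: int            # 1 = highest precedence within its container
    enforced: bool = False     # "Enforced" / "No Override" on the link
    settings: dict = field(default_factory=dict)


def resolve(links, block_inheritance=False):
    """Effective value and winning GPO for every setting in `links`.

    Ordinary links are applied in LSDOU order, within a container from the
    highest link order down, so the last one applied wins. Enforced links are
    applied after all ordinary ones and in reverse order, so an enforced
    domain link beats an enforced OU link. Block Inheritance on the OU drops
    ordinary links above the OU; enforced links still get through.
    """
    ordinary = [l for l in links if not l.enforced]
    if block_inheritance:
        ordinary = [l for l in ordinary if l.level in ("local", "ou")]
    enforced = [l for l in links if l.enforced]

    ordinary.sort(key=lambda l: (LEVEL_RANK[l.level], -l.link_order))
    enforced.sort(key=lambda l: (-LEVEL_RANK[l.level], -l.link_order))

    effective = {}
    for link in ordinary + enforced:
        for key, value in link.settings.items():
            effective[key] = (value, link.name)
    return effective


def domain_account_policy(links):
    """Password, lockout and Kerberos policy for *domain* accounts.

    Only GPOs linked at the domain container are considered, whatever the
    OU-linked GPOs say; that is why an OU GPO cannot override the Default
    Domain Policy for domain users, and why a DC ignores these settings in a
    GPO linked to the Domain Controllers OU.
    """
    domain_links = [l for l in links if l.level == "domain"]
    return {k: v for k, v in resolve(domain_links).items()
            if k in ACCOUNT_POLICY_KEYS}


def local_sam_policy(links, block_inheritance=False):
    """The same settings as seen by the *local* accounts of a computer in the
    OU: ordinary LSDOU precedence applies here, so an OU GPO does win unless
    a higher-level link is Enforced."""
    return {k: v for k, v in resolve(links, block_inheritance).items()
            if k in ACCOUNT_POLICY_KEYS}


def example_scenario(enforce_domain_policy=False, block_inheritance=False):
    """Default Domain Policy versus a workstation-OU GPO that also sets
    password settings (constructed scenario)."""
    links = [
        GpoLink("Default Domain Policy", "domain", 1, enforced=enforce_domain_policy,
                settings={"MinimumPasswordLength": 8, "LockoutDuration": 30}),
        GpoLink("Workstations Baseline", "ou", 1,
                settings={"MinimumPasswordLength": 6, "LockoutDuration": 10,
                          "LegalNoticeText": "Authorised use only"}),
    ]
    return {
        "domain_accounts": domain_account_policy(links),
        "local_sam_on_workstation": local_sam_policy(links, block_inheritance),
        "everything_on_workstation": resolve(links, block_inheritance),
    }


if __name__ == "__main__":
    for label, result in example_scenario().items():
        print(label, result)
    print("with Default Domain Policy enforced:",
          example_scenario(enforce_domain_policy=True)["local_sam_on_workstation"])
```

Running the scenario shows the split: domain accounts get an 8-character minimum from the Default Domain Policy no matter what the workstation OU says, while local accounts on a workstation get the OU GPO's 6 until the Default Domain Policy link is Enforced, at which point they get 8 too. Enforced therefore changes what member computers apply to their local SAM; it does not change where domain account policy is read from.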
June 9, 2005 4:56:09 AM


Cary

You are correct in stating that the Default Domain Policy should be used for
setting password policies. However, password policies are set in the computer
configuration part of the policy. This means that when a computer is
joined to the domain it will get this policy regardless of whether the user
is logging onto the domain or logging on locally. This is why, when a system
is booting up and the LSASS service (LSASS.exe, LSASS.DLL) starts, it applies
policies from the domain to which it is joined. This information can be
found in the Windows 2003 Internals book, page 489, Security.

Regards


"Cary Shultz [A.D. MVP]" wrote:

Anonymous
June 9, 2005 10:23:50 AM

Archived from groups: microsoft.public.win2000.active_directory

I was going to add another post to this thread last night but was simply too
tired ( with a little little one and another on the way that happens! Momma
is really tired so Poppa has a lot of stuff to do - in addition to what he
already does......).

Did some thinking about your idea of using the Default Domain Controller
Policy for setting the password policy. And my hard-headedness on using the
Domain Security Policy ( or Default Domain Policy ).

You are correct that the password is really a computer thing ( while most
people without thinking would tell you that it is a user thing! ) and that -
by setting it at the DDCP - you are really telling the Domain Controllers
what type of password they will accept ( and, by definition, what they will
not accept ).

In WIN2000 I am not sure that I would use the DDCP for this. I did look
this up in a couple of books that I have sitting on the shelves ( and I was
glad to do that....they were getting really dusty! ). Nowhere could I find
anything about using the DDCP for doing this. Now, that does not mean that
you can not! If you are that adamant that you have successfully done this
using the DDCP then who am I to tell you that you have not! I believe you
on this. Even if it were 50 users and 18 users ( and not 500,000 and
18,000 = sounds like something that Joe R would be doing! ). Now, the
interesting thing comes with WIN2003. I did a google of the 'Domain
Security Policy' and there is a link ( at the top of the results page ) with
the following:

http://support.microsoft.com/kb/q221930/

And by using 'password policy' you get the following ( both WIN2000 and
WIN2003 ):

http://www.tacktech.com/display.cfm?ttid=354
http://windows.about.com/od/security/l/aa000910a.htm
http://www.microsoft.com/technet/prodtechnol/windowsser...

These would seem to suggest that you would indeed set the password policy
( and a few other things ) at the Domain Security Policy. The two books
that I referenced suggested this as well.

However, for WIN2003 things look a little different!

I can not find the page on the Microsoft web site but there were clearly two
options: the Default Domain Policy -OR- the Default Domain Controller
Policy.

So, I am going to have to play with this a little bit.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"The AD Designer" <TheADDesigner@discussions.microsoft.com> wrote in message
news:2717D867-C616-4A4E-B32C-1597E4FEC574@microsoft.com...
Anonymous
June 9, 2005 10:23:51 AM

Archived from groups: microsoft.public.win2000.active_directory

Hi Cary

I tend to read resource kits, and they provide engine information as
opposed to administration information at a higher level.

PS: I was right in saying 500,000 (largest AD project in the UK) and 18,000
user projects.

Yours
The AD Architect

"Cary Shultz [A.D. MVP]" wrote:

June 9, 2005 10:23:52 AM

Archived from groups: microsoft.public.win2000.active_directory

I appreciate everyone's insight, it was educational. I believe I finally
realize why my settings were being overwritten. Someone from another site
thought it was a good idea to link the default domain policy GPO to a buried
OU. My guess is that replication from that OU was overwriting the
settings at the domain level, and not until setting the no override did the
settings at the domain level overwrite the settings further down the
hierarchy.

thank you

"The AD Designer" wrote:

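Bill's diagnosis rests on the processing order The AD Designer listed earlier in the thread (local, site, domain, OU, each level overriding the one above it) and on what the Enforced / No Override box changes about that order. The Python model below is an added example, not code from the thread, from Microsoft or from any of the posters. It constructs a domain-level GPO and a conflicting GPO linked on a buried OU, standing in for whatever was linked lower down in Bill's domain (the GPO names, OU names and setting values are all made up), and shows which link wins with and without Enforced on the domain link, and with Block Inheritance on the OU. The Enforced and Block Inheritance semantics (enforced links are applied after all others, highest container winning, and ignore Block Inheritance) are Windows' documented behaviour, modelled here in plain Python so the precedence can be checked offline.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """One GPO link as seen from a single computer's position in AD."""
    scope: str              # "local", "site", "domain", or an OU name on the path
    gpo: str                # GPO display name (constructed for this example)
    settings: dict          # policy setting -> value carried by this GPO
    enforced: bool = False  # "Enforced" / "No Override" ticked on the link


def resultant(links, ou_path, blocked=frozenset()):
    """Return (settings, winners) for a computer whose OU path is ou_path.

    Processing order is local -> site -> domain -> OU chain (parent before
    child); a later link overwrites an earlier one for the same setting.
    Links marked Enforced are processed after all others, deepest first, so
    the highest enforced link wins, and they are not subject to Block
    Inheritance.  Local policy is always processed.
    """
    order = ["local", "site", "domain"] + list(ou_path)
    rank = {scope: i for i, scope in enumerate(order)}
    unknown = [l.scope for l in links if l.scope not in rank]
    if unknown:
        raise ValueError(f"link scope not on this computer's path: {unknown}")

    # Block Inheritance on an OU discards non-enforced links from every
    # container above that OU, so the deepest blocking OU decides the cut.
    block_rank = max((rank[ou] for ou in ou_path if ou in blocked), default=-1)

    normal = [l for l in links if not l.enforced
              and (l.scope == "local" or rank[l.scope] >= block_rank)]
    enforced = [l for l in links if l.enforced]

    # sorted() is stable, so links at the same scope keep their list order.
    applied = (sorted(normal, key=lambda l: rank[l.scope])
               + sorted(enforced, key=lambda l: -rank[l.scope]))

    settings, winners = {}, {}
    for link in applied:
        for name, value in link.settings.items():
            settings[name] = value
            winners[name] = link.gpo
    return settings, winners


def thread_links(enforce_domain_link):
    """Constructed links: a domain-level policy plus a conflicting GPO on a
    buried OU.  Values are invented; they only need to conflict."""
    return [
        Link("local", "Local Computer Policy", {"MinimumPasswordLength": 0}),
        Link("domain", "Default Domain Policy",
             {"MinimumPasswordLength": 12, "LockoutDuration": 30,
              "LogonBanner": "Authorised use only"},
             enforced=enforce_domain_link),
        Link("Workstations", "Legacy Workstation Policy",
             {"MinimumPasswordLength": 6, "LockoutDuration": 0}),
    ]


def bill_scenario(enforce_domain_link):
    """Computer in OU Sales/Workstations, no Block Inheritance anywhere."""
    return resultant(thread_links(enforce_domain_link),
                     ou_path=["Sales", "Workstations"])


def block_scenario(enforce_domain_link):
    """Same computer, but Block Inheritance set on the Sales OU."""
    return resultant(thread_links(enforce_domain_link),
                     ou_path=["Sales", "Workstations"], blocked={"Sales"})


if __name__ == "__main__":
    for enforce in (False, True):
        settings, winners = bill_scenario(enforce)
        print(f"domain link enforced={enforce}: {settings}")
        print(f"  winning GPO per setting: {winners}")
```

Running the file prints the resultant settings for both cases: only the conflicting password and lockout values flip, while the logon banner, which nothing lower overrides, comes from the Default Domain Policy either way, which is the pattern Bill described. One caveat worth keeping in mind, and the distinction Cary draws earlier in the thread: for domain user accounts Windows takes password and lockout settings only from GPOs linked at the domain level, so an OU-linked GPO carrying those settings governs only the local accounts of the computers in that OU. The model above describes what a computer receives, not which accounts the domain controllers apply it to.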
Anonymous
June 9, 2005 2:12:42 PM

Archived from groups: microsoft.public.win2000.active_directory

The Resource Kits are really good! And please do not think that I was
challenging your numbers. Gonna play with this for a little bit! I am
always willing to learn a different approach to things, and if that
'different' approach is better than the 'prescribed' way then so much the
better!

Also not too proud to admit when I am wrong! And to give credit where
credit is due.

Playing in the lab right now to see what happens!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"The AD Designer" <TheADDesigner@discussions.microsoft.com> wrote in message
news:9A2CF462-A31A-4505-916C-C41462B71E8B@microsoft.com...
>> "The AD Designer" <TheADDesigner@discussions.microsoft.com> wrote in message
>> news:2717D867-C616-4A4E-B32C-1597E4FEC574@microsoft.com...
>> > Cary
>> >
>> > You are correct in stating that the default domain policy should be used
>> > for setting password policies. However, password policies are set in the
>> > computer configuration part of the policy. This means that when a
>> > computer is joined to the domain it will get this policy regardless of
>> > whether the user is logging onto the domain or logging on locally. This
>> > is why when a system is booting up and the LSASS service (LSASS.exe,
>> > LSASS.DLL) starts it applies policies from the domain to which it is
>> > joined. This information can be found in the Windows 2003 internals
>> > book page 489 security.
>> >
>> > Regards
>> >
>> >
>> > "Cary Shultz [A.D. MVP]" wrote:
>> >
>> >> The AD Designer,
>> >>
>> >> Again, I would disagree with setting the password policy on the
>> >> Default Domain Controller Policy. It should be set in the Domain
>> >> Security Policy.
>> >>
>> >> And setting a password policy at the domain level ( which is what we
>> >> are doing with the Domain Security Policy ) will not affect users
>> >> logging in locally on the machines ( assuming that they are using a
>> >> local user account and not the Domain user account object ). The only
>> >> way to set a password policy to affect the local user accounts is to
>> >> create a GPO at the OU level, linking it to the OU that contains the
>> >> computer account objects. Doing so will not affect users logging on
>> >> with the Domain user account object but will affect users logging on
>> >> with local user accounts.
>> >>
>> >> Sorry, I am just not sure from where you have your information?
>> >>
>> >> --
>> >> Cary W. Shultz
>> >> Roanoke, VA 24012
>> >> Microsoft Active Directory MVP
>> >>
>> >> http://www.activedirectory-win2000.com
>> >> http://www.grouppolicy-win2000.com
>> >>
>> >>
>> >>
>> >> "The AD Designer" <TheADDesigner@discussions.microsoft.com> wrote in message
>> >> news:F4B2EC41-2925-4784-8BCA-9B096C8C76B7@microsoft.com...
>> >> > Hi Bill
>> >> >
>> >> > It will have more than just one even if you only have a domain policy
>> >> > set. Policies in general follow the following order, and each is
>> >> > inherited from above. If I set a policy on site, then change the same
>> >> > setting on domain, the domain policy is in effect (thus overwritten).
>> >> >
>> >> > local
>> >> > site
>> >> > domain
>> >> > ou
>> >> >
>> >> > I just finished two huge projects (one has 500,000 nodes and another
>> >> > 18,000) where the password policies were set on the domain controllers
>> >> > policy and it worked as on the tin. Setting a policy domain wide would
>> >> > impact users who have computers in a domain but log in locally to a
>> >> > PC. Remember password policy is on the computer object not the user.
>> >> > Set the password policy on the domain controllers policy; this ensures
>> >> > all AD user objects are affected by the policy.
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > "Bill" wrote:
>> >> >
>> >> >> gpresult tells me my user account is receiving settings from the
>> >> >> default domain policy, but it doesn't tell me why my default domain
>> >> >> policy, directly beneath the domain OU, is being overwritten.
>> >> >>
>> >> >>
>> >> >>
>> >> >> "The AD Designer" wrote:
>> >> >>
>> >> >> > I don't think that there is a "domain security policy" available..
>> >> >> >
>> >> >> > As for where the policy is coming from you will need to run
>> >> >> > gpresult.
>> >> >> >
>> >> >> >
>> >> >> > "Cary Shultz [A.D. MVP]" wrote:
>> >> >> >
>> >> >> > > The AD Designer,
>> >> >> > >
>> >> >> > > Not sure that I agree with this. I have always set Password
>> >> >> > > Policies in the 'Domain Security Policy'.
>> >> >> > >
>> >> >> > > --
>> >> >> > > Cary W. Shultz
>> >> >> > > Roanoke, VA 24012
>> >> >> > > Microsoft Active Directory MVP
>> >> >> > >
>> >> >> > > http://www.activedirectory-win2000.com
>> >> >> > > http://www.grouppolicy-win2000.com
>> >> >> > >
>> >> >> > >
>> >> >> > >
>> >> >> > > "The AD Designer" <TheADDesigner@discussions.microsoft.com>
>> >> >> > > wrote in message
>> >> >> > > news:3C807252-34DF-425D-AB17-5B0CC0A1A9CA@microsoft.com...
>> >> >> > > > Bill
>> >> >> > > >
>> >> >> > > > Password policy should only be set on your default domain
>> >> >> > > > controllers policy, not your default domain policy.
>> >> >> > > >
>> >> >> > > > Regards
>> >> >> > > >
>> >> >> > > > "Bill" wrote:
>> >> >> > > >
>> >> >> > > >> My default domain policy's computer settings (min password
>> >> >> > > >> length, lockout duration, etc.) kept being set back to their
>> >> >> > > >> old settings a few minutes after modifying them. It wasn't
>> >> >> > > >> until I checked the enforced checkbox on the GPO that the
>> >> >> > > >> default domain policy computer settings remained changed
>> >> >> > > >> permanently. Strangely enough, the computer portion of the
>> >> >> > > >> GPO remained unchanged, the login banner. I don't understand
>> >> >> > > >> why checking the enforced, no override, box fixed the
>> >> >> > > >> problem, or why it was a problem to begin with. I also
>> >> >> > > >> recently experienced the same problem, and solution, at a
>> >> >> > > >> bottom level OU policy in the computer settings of a GPO.
>> >> >> > > >>
>> >> >> > > >> thank you,
>> >> >> > > >> Bill
>> >> >> > > >>
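As an added illustration (not code from this thread or from any of its participants), here is a small Python model of the precedence rules the thread argues about: the local, site, domain, OU order, the Enforced ("No Override") flag, Block Inheritance, and the fact that domain accounts take their password and lockout policy only from GPOs linked at the domain root. The GPO names and setting values are constructed for the example.

```python
# Added model of Group Policy precedence for Account Policies: LSDOU order,
# Enforced ("No Override" in Windows 2000) and Block Inheritance. Illustrative
# only, not code from this thread; the GPO names and values are constructed.
from dataclasses import dataclass, field

@dataclass
class GPOLink:
    name: str
    settings: dict                      # only the values this GPO defines
    enforced: bool = False              # the "No Override" / Enforced checkbox

@dataclass
class Container:
    scope: str                          # "local", "site", "domain" or "ou"
    links: list = field(default_factory=list)   # lowest precedence first
    block_inheritance: bool = False

def resolve(path):
    """path runs from local policy through site and domain down to the target
    OU. Returns (effective settings, winning GPO name per setting)."""
    normal, enforced_groups = [], []
    for container in path:
        if container.block_inheritance:     # drop non-enforced links from above
            normal = [(s, l) for s, l in normal if s == "local"]
        normal += [(container.scope, l) for l in container.links if not l.enforced]
        enforced_groups.append([l for l in container.links if l.enforced])
    # Enforced links beat everything below them; between two enforced links the
    # higher container wins, so they are applied from the lowest container up.
    order = [l for _, l in normal] + [l for g in reversed(enforced_groups) for l in g]
    effective, source = {}, {}
    for link in order:                      # later application overwrites earlier
        for key, value in link.settings.items():
            effective[key], source[key] = value, link.name
    return effective, source

def domain_account_policy(domain):
    """Domain accounts take password/lockout policy only from GPOs linked at the
    domain root; OU-linked GPOs only shape local accounts on member machines."""
    return resolve([domain])

def sample_scenario(default_enforced):
    """Constructed case: a second domain-linked GPO with higher link order beats
    the Default Domain Policy until the latter is marked Enforced."""
    default = GPOLink("Default Domain Policy", enforced=default_enforced,
                      settings={"MinimumPasswordLength": 8, "LockoutDuration": 30})
    legacy = GPOLink("Legacy Security GPO", {"MinimumPasswordLength": 6})
    domain = Container("domain", [default, legacy])
    ws_gpo = GPOLink("Workstation Lockdown", {"MinimumPasswordLength": 12})
    workstations = Container("ou", [ws_gpo], block_inheritance=True)
    return domain, workstations
```

Feeding `sample_scenario(False)` and `sample_scenario(True)` to `domain_account_policy` shows which GPO's minimum length wins; with Block Inheritance on the OU, only an Enforced domain link still reaches the local accounts on the workstations.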