GPO special case user account options and inheritance ques..

Archived from groups: microsoft.public.win2000.group_policy

I understand that account options like password policies, and account
lockouts, etc... configured at the domain level are the only user account
policies actually applied... meaning if a lower level container had a
conflicting policy configured it would not change the domain level one...

1) please correct me if I'm wrong with my statement above
2) if a lower level container has the Block Policy Inheritance option set
will the domain level user account policies still be applied? or would the
Block Policy Inheritance actually block them?

any info is appreciated... thanks.
  1. Archived from groups: microsoft.public.win2000.group_policy

    1) you are correct with your first statement. One piece of clarification.
    Account policy configuration applied at any level (OU) below the domain
    level will configure the 'local account policy settings'. This means if a
    computer account is the recipient of the account policy applied at a level
    other than the Default Domain Policy the settings will take effect when
    logging on locally.
    (http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prdp_log_csiq.asp)
    2) Block policy inheritance should not block the domain level account
    policies. I have not tested this but believe this to be true. I am curious
    if anyone finds different information.
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;255550) I think one
    main point here is that Domain Controllers behave a bit differently than
    other systems on the network. Since they share the NTDS.dit and there needs
    to be a mechanism to ensure consistency across these replicas.

    HTH

    Kevin
    AutoProf
    http://www.autoprof.com/policy

    "djc" <noone@nowhere.com> wrote in message
    news:ukthXzipEHA.3668@TK2MSFTNGP15.phx.gbl...
    > I understand that account options like password policies, and account
    > lockouts, etc... configured at the domain level are the only user account
    > policies actually applied... meaning if a lower level container had a
    > conflicting policy configured it would not change the domain level one...
    >
    > 1) please correct me if I'm wrong with my statement above
    > 2) if a lower level container has the Block Policy Inheritance option set
    > will the domain level user account policies still be applied? or would the
    > Block Policy Inheritance actually block them?
    >
    > any info is appreciated... thanks.
    >
    >
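
One way to check both points of the reply above on a test machine, as an added example that is not part of the original thread: it reports whether Block Policy Inheritance is set on the computer's OU, then compares the machine's local account policy (the settings an OU-level GPO would configure) with the domain-level account policy. It uses current PowerShell tooling rather than anything from the thread, and assumes the ActiveDirectory and GroupPolicy RSAT modules, an elevated prompt, and a computer account that sits in an OU rather than the default Computers container.

```powershell
# Run elevated on a domain-joined member computer. Assumes the ActiveDirectory
# and GroupPolicy RSAT modules are installed and the computer sits in an OU.

function Get-LocalAccountPolicy {
    # secedit exports the local security policy as an INF file; the account
    # policy values are in its [System Access] section.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
            } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                $policy[$Matches[1]] = $Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Is Block Policy Inheritance set on the OU that holds this computer?
$ou = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName -replace '^CN=[^,]+,', ''
$blocked = (Get-GPInheritance -Target $ou).GpoInheritanceBlocked
"Block Policy Inheritance on '$ou': $blocked"

$local  = Get-LocalAccountPolicy
$domain = Get-ADDefaultDomainPasswordPolicy   # domain-level account policy
# secedit key name -> matching domain value. Ages are compared in whole days;
# an unlimited password age may be represented differently on the two sides.
$pairs = [ordered]@{
    MinimumPasswordLength = $domain.MinPasswordLength
    PasswordHistorySize   = $domain.PasswordHistoryCount
    MaximumPasswordAge    = $domain.MaxPasswordAge.Days
    MinimumPasswordAge    = $domain.MinPasswordAge.Days
    LockoutBadCount       = $domain.LockoutThreshold
    PasswordComplexity    = [int]$domain.ComplexityEnabled
}
foreach ($key in $pairs.Keys) {
    [pscustomobject]@{
        Setting = $key
        Local   = $local[$key]
        Domain  = $pairs[$key]
        Differs = "$($local[$key])" -ne "$($pairs[$key])"
    }
}
```

Rows with `Differs` set to True show where the local account policy on that machine no longer matches the domain-level one.
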
  2. Archived from groups: microsoft.public.win2000.group_policy

    Thanks Kevin... I'll check out the links you provided as well. I have a
    related question though:
    When policy is applied to a computer account and affects the machine's local
    policy when logged on to locally as you stated before in your
    clarification... does this local policy still take effect when the machine
    is not connected (physically unplugged) to the network?

    thanks again.

    "Kevin Sullivan" <ksullivan@autoprof.com> wrote in message
    news:Oj$KLBkpEHA.536@TK2MSFTNGP11.phx.gbl...
    > 1) you are correct with your first statement. One piece of clarification.
    > Account policy configuration applied at any level (OU) below the domain
    > level will configure the 'local account policy settings'. This means if a
    > computer account is the recipient of the account policy applied at a level
    > other than the Default Domain Policy the settings will take effect when
    > logging on locally.
    > (http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prdp_log_csiq.asp)
    > 2) Block policy inheritance should not block the domain level account
    > policies. I have not tested this but believe this to be true. I am curious
    > if anyone finds different information.
    > (http://support.microsoft.com/default.aspx?scid=kb;en-us;255550) I think one
    > main point here is that Domain Controllers behave a bit differently than
    > other systems on the network. Since they share the NTDS.dit and there needs
    > to be a mechanism to ensure consistency across these replicas.
    >
    > HTH
    >
    > Kevin
    > AutoProf
    > http://www.autoprof.com/policy
  3. Archived from groups: microsoft.public.win2000.group_policy

    If it applied, it should always apply until changed, or the computer is
    dis-joined from the domain.

    Ken

    "djc" <noone@nowhere.com> wrote in message
    news:O7KbUblpEHA.2948@TK2MSFTNGP11.phx.gbl...
    > Thanks Kevin... I'll check out the links you provided as well. I have a
    > related question though:
    > When policy is applied to a computer account and affects the machine's local
    > policy when logged on to locally as you stated before in your
    > clarification... does this local policy still take effect when the machine
    > is not connected (physically unplugged) to the network?
    >
    > thanks again.
  4. Archived from groups: microsoft.public.win2000.group_policy

    Thanks!

    "Ken B" <none@microsoft.com> wrote in message
    news:ep4U%23ulpEHA.1576@TK2MSFTNGP12.phx.gbl...
    > If it applied, it should always apply until changed, or the computer is
    > dis-joined from the domain.
    >
    > Ken