A policy to override the default domain policy?

Archived from groups: microsoft.public.win2000.group_policy

Our default domain policy locks an account out after 5 incorrect attempts. I
have a web server with local usernames that frequently get locked out (I
don't know why users can't just copy and paste the passwords I send them...)

Is it possible to create another domain policy that only applies to a single
machine - and which overrides the default domain policy? (If so, how would I
achieve that?)

Thanks,
Grant

  1. Nope, you would need to remove the machine from the domain and use local
    accounts. All domain accounts will use the domain password policy
    uniformly.

    N

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Any opinions or policies stated within are my own and do not necessarily
    constitute those of my employer. Use of included script samples are subject
    to the terms specified at http://www.microsoft.com/info/cpyright.htm


    "Grant" <gpsnett@hotmail.com> wrote in message
    news:ePQMJJeNFHA.1948@TK2MSFTNGP14.phx.gbl...
    > Our default domain policy locks an account out after 5 incorrect attempts.
    > I have a web server with local usernames that frequently get locked out (I
    > don't know why users can't just copy and paste the passwords I send them...)
    >
    > Is it possible to create another domain policy that only applies to a
    > single machine - and which overrides the default domain policy? (If so,
    > how would I achieve that?)
    >
    > Thanks,
    > Grant
    >
  2. "Nick Finco [MSFT]" <nfinco@online.microsoft.com> said

    > Nope, you would need to remove the machine from the domain and use local
    > accounts. All domain accounts will use the domain password policy
    > uniformly.
    >

    If he's talking about IIS, wouldn't it be possible to login using machine
    \username instead of the domain username?

    --

    Andy.
  3. Yes, if he has an overriding GPO set at the OU level for the server that
    blocks the password policy he has set for his domain. This would only work
    for local accounts though and might also override other domain level
    settings he desires.

    N

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Any opinions or policies stated within are my own and do not necessarily
    constitute those of my employer. Use of included script samples are subject
    to the terms specified at http://www.microsoft.com/info/cpyright.htm


    "Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
    news:Xns962B9B69F5B5AAA12F32EDB83F@207.46.248.16...
    > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> said
    >
    >> Nope, you would need to remove the machine from the domain and use local
    >> accounts. All domain accounts will use the domain password policy
    >> uniformly.
    >>
    >
    > If he's talking about IIS, wouldn't it be possible to login using machine
    > \username instead of the domain username?
    >
    > --
    >
    > Andy.
  4. Ah ok so I can create an OU and place that machine in there with its own
    policy that overrides the global policy. Can I copy the global policy to the
    new OU and simply change the settings I don't want? That way I keep all the
    original settings and change the ones I don't need.


    "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
    news:%23yR4XGUOFHA.2748@TK2MSFTNGP09.phx.gbl...
    > Yes, if he has an overriding GPO set at the OU level for the server that
    > blocks the password policy he has set for his domain. This would only
    > work for local accounts though and might also override other domain level
    > settings he desires.
    >
    > N
    >
    > --
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights. Any opinions or policies stated within are my own and do not
    > necessarily constitute those of my employer. Use of included script
    > samples are subject to the terms specified at
    > http://www.microsoft.com/info/cpyright.htm
    >
    >
    > "Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
    > news:Xns962B9B69F5B5AAA12F32EDB83F@207.46.248.16...
    >> "Nick Finco [MSFT]" <nfinco@online.microsoft.com> said
    >>
    >>> Nope, you would need to remove the machine from the domain and use local
    >>> accounts. All domain accounts will use the domain password policy
    >>> uniformly.
    >>>
    >>
    >> If he's talking about IIS, wouldn't it be possible to login using machine
    >> \username instead of the domain username?
    >>
    >> --
    >>
    >> Andy.
    >
    >
  5. If you're copying GPOs, you should look into using GPMC. I think it works
    against Win2k domains from XP workstations or 2k3 servers.

    N

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Any opinions or policies stated within are my own and do not necessarily
    constitute those of my employer. Use of included script samples are subject
    to the terms specified at http://www.microsoft.com/info/cpyright.htm


    "Grant" <gpsnett@hotmail.com> wrote in message
    news:eR52G%23BPFHA.2700@TK2MSFTNGP10.phx.gbl...
    > Ah ok so I can create an OU and place that machine in there with its own
    > policy that overrides the global policy. Can I copy the global policy to
    > the new OU and simply change the settings I don't want? That way I keep all
    > the original settings and change the ones I don't need.
    >
    >
    > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
    > news:%23yR4XGUOFHA.2748@TK2MSFTNGP09.phx.gbl...
    >> Yes, if he has an overriding GPO set at the OU level for the server that
    >> blocks the password policy he has set for his domain. This would only
    >> work for local accounts though and might also override other domain level
    >> settings he desires.
    >>
    >> N
    >>
    >> --
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights. Any opinions or policies stated within are my own and do not
    >> necessarily constitute those of my employer. Use of included script
    >> samples are subject to the terms specified at
    >> http://www.microsoft.com/info/cpyright.htm
    >>
    >>
    >> "Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
    >> news:Xns962B9B69F5B5AAA12F32EDB83F@207.46.248.16...
    >>> "Nick Finco [MSFT]" <nfinco@online.microsoft.com> said
    >>>
    >>>> Nope, you would need to remove the machine from the domain and use
    >>>> local
    >>>> accounts. All domain accounts will use the domain password policy
    >>>> uniformly.
    >>>>
    >>>
    >>> If he's talking about IIS, wouldn't it be possible to login using
    >>> machine
    >>> \username instead of the domain username?
    >>>
    >>> --
    >>>
    >>> Andy.
    >>
    >>
    >
    >
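
One way to confirm which lockout settings the web server is enforcing for its local accounts once an OU-level GPO is in place, as an added example that is not part of the original thread. The helper name `Get-LockoutSettings`, the temp file name and the sample template are made up for illustration; `secedit /export` is the stock Windows tool.

```powershell
# Added example (not from the thread): report the account lockout settings that
# a member server is enforcing for its local accounts. Run elevated on the server.

function Get-LockoutSettings {
    # Hypothetical helper: pulls the lockout keys from the [System Access]
    # section of a security template in the format "secedit /export" writes.
    param([string[]]$InfLines)
    $wanted = 'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration'
    $found = [ordered]@{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(-?\d+)$') {
            if ($wanted -contains $Matches[1]) { $found[$Matches[1]] = [int]$Matches[2] }
        }
    }
    # Assumption: a missing threshold key is treated like 0 (lockout disabled).
    $threshold = if ($found.Contains('LockoutBadCount')) { $found['LockoutBadCount'] } else { 0 }
    $found['LockoutEnabled'] = ($threshold -gt 0)
    [pscustomobject]$found
}

# Constructed sample in the exported format, so the parser can be tried offline.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
'@ -split "`r?`n"
Get-LockoutSettings -InfLines $sample

# Live check: export the effective security policy of this machine and parse it.
$tmp = Join-Path $env:TEMP 'lockout-check.inf'
secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
if (Test-Path $tmp) {
    Get-LockoutSettings -InfLines (Get-Content $tmp)
    Remove-Item $tmp
}
```

If the live result still shows a `LockoutBadCount` of 5 after the server has been moved and policy refreshed, the server is still enforcing the domain-level value rather than the OU-level GPO's.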