Default Domain Policy

December 14, 2004 2:41:10 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

I configured a password policy within the Default Domain Policy. This has
replicated out to my DCs and is now affecting some users that I don't want
the policy applied to.

Since this is a Domain Policy it's applied prior to the OU policies, so there's
no way for me to block it from the OU that contains the users I want
excluded. Correct?

If I wanted to apply a password policy to a specific OU I'd just have to
create a new GP with the password policy, apply it to the proper OU and block
the inheritance for my other OUs. Correct?

Also, is there a way to reset the account lockout policy after it's been
configured by the Default Domain Policy?

I've disabled my password and account lockout policies within the Default
Domain Policy but it appears that my seats are retaining the account lockout
settings. I've used GPresult.exe and it doesn't show the Default Domain Policy
on the list of applied GPs. Any ideas how I can get around this?

Any help is greatly appreciated.



-- Rob
IT guy!


Anonymous
December 15, 2004 12:05:51 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Rob,

Password (account) policy can only be applied in the Default Domain Policy (only
at domain level). If you need a different policy for different users you
will need two domains.

If you create a policy on an OU it will only have an effect on local accounts
(not domain accounts) on computers in the OU where the policy is set...

Account and local policies
http://www.microsoft.com/resources/documentation/Window...

Policies are processed in this order: Local, Site, Domain and OU. If you set
e.g. a green background in the domain policy and a blue background in the OU
policy, the last policy (blue) would prevail. If the OU policy does not define
the background then the domain policy would be defining and the background
would be green. Some of these options can be changed by using Block Policy
Inheritance or No Override.

Group Policy
http://www.microsoft.com/resources/documentation/Window...

I hope this helps,

Mike

December 15, 2004 12:05:52 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for the help.....

So I want to pull out the changes that I made to my Default Domain Policy.
I've set the settings in the Password & Account policies to 'not defined'. But
it appears that the settings are still in effect even after a reboot of the
client station. After multiple failures my accounts are still getting locked
out, and new passwords have to meet the complexity requirements even though
I've changed the Default Domain Policy back to 'not defined'.

Any ideas?


Anonymous
December 15, 2004 1:51:59 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

If you don't want to require complex passwords and you have already enabled the
policy, don't set it to "not defined". Set the policy to "Disabled".

Mike

December 15, 2004 1:52:00 AM

Archived from groups: microsoft.public.win2000.security (More info?)

OK, I disabled the settings in the Default Domain Policy and I'm still
getting problems. So I loaded up the MMC Security Analyzer to see what
settings were enabled on my DC. It looks like I need to get the DC to refresh
its policy. I tried using "secedit /refreshpolicy machine_policy" but that
didn't refresh the Default Domain Policy for the DC. Is there a way to do this
or do I have to reboot?

So my theory here is that the DC is authorizing user accounts, so its settings
take precedence and need to be changed in order to roll back my password
policy deployment.


December 15, 2004 1:52:00 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Miha,

Just wanted to say thanks, I finally worked this out.

I had to create and apply a new security template and use the MMC Security
Analyzer snap-in to apply it to the DCs on my network. This reset the
Password and Account Lockout policies, hence reversing my problem. Thanks for
all your help, I learned a lot. -Rob

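As an added illustration (not code from the thread or from Microsoft), here is a small Python model of the two points the thread turns on: Group Policy layers are processed Local, Site, Domain, OU with later explicit values winning, and a security setting left "Not Defined" writes nothing, so the value already stored on the DC stays in force until an explicit value (Mike's "Disabled", or a security template like the one Rob finally applied) overwrites it. The template text, setting names and numbers are constructed for the example.

```python
# Added example: a toy model of Windows 2000 Group Policy security-setting
# precedence (Local, Site, Domain, OU) and of "Not Defined" vs explicit values.
# Assumption: a setting a GPO leaves Not Defined is absent from that GPO, and
# the security database keeps the last value written until a new one arrives.
NOT_DEFINED = None

# Constructed [System Access] section of a security template (.inf); a key that
# is missing from the section is Not Defined in the template.
TEMPLATE_INF = """
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 0
LockoutBadCount = 0
MinimumPasswordLength = 0
"""

def parse_system_access(inf_text):
    """Return {setting: int} for the [System Access] section of a template."""
    settings, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line == "[System Access]")
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings

def effective_policy(stored, layers):
    """Apply GPO layers in LSDOU order on top of the values already stored.
    Later layers win; a Not Defined (absent or None) key changes nothing."""
    result = dict(stored)
    for layer in layers:
        for key, value in layer.items():
            if value is not NOT_DEFINED:
                result[key] = value
    return result

def rollback_by_not_defined(stored):
    # Rob's first attempt: Default Domain Policy set back to Not Defined.
    return effective_policy(stored, [{"PasswordComplexity": NOT_DEFINED}])

def rollback_by_disable(stored):
    # Mike's advice: set the policy to Disabled, i.e. an explicit value of 0.
    return effective_policy(stored, [{"PasswordComplexity": 0, "LockoutBadCount": 0}])

def rollback_by_template(stored):
    # Rob's final fix: a template with explicit values applied to the DC.
    return effective_policy(stored, [parse_system_access(TEMPLATE_INF)])

if __name__ == "__main__":
    # Constructed state left in the DC's security database by the deployment.
    stored = {"PasswordComplexity": 1, "LockoutBadCount": 5, "MinimumPasswordLength": 8}
    print(rollback_by_not_defined(stored))  # complexity stays 1: nothing overwrote it
    print(rollback_by_disable(stored))
    print(rollback_by_template(stored))
```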