Default Domain Policy

Archived from groups: microsoft.public.win2000.security

Hello,

I configured a password policy within the Default Domain Policy. This has
replicated out to my DCs and is now affecting some users that I don't want
the policy applied to.

Since this is a Domain Policy, it's applied prior to the OU policies, so there's
no way for me to block it from the OU that contains the users I want
excluded. Correct?

If I wanted to apply a password policy to a specific OU, I'd just have to
create a new GP with the password policy, apply it to the proper OU and block
the inheritance for my other OUs. Correct?

Also, is there a way to reset the account lockout policy after it's been
configured by the Default Domain Policy?

I've disabled my password and account lockout policies within the Default
Domain Policy, but it appears that my seats are retaining the account lockout
settings. I've used GPresult.exe and it doesn't show the Default Domain Policy
on the list of applied GPs. Any ideas how I can get around this?

Any help is greatly appreciated.


-- Rob
IT guy!
  1.

    Rob,

    Password (account) policy can only be applied in the Default Domain Policy
    (only at the domain level). If you need a different policy for different
    users you will need two domains.

    If you create a policy on an OU, it will only have an effect on local accounts
    (not domain accounts) on computers in the OU where the policy is set.

    Account and local policies
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_sceacctpols.asp

    Policies are processed in this order: Local, Site, Domain and OU. If you set,
    e.g., a green background in the domain policy and a blue background in the OU
    policy, the last policy (blue) would prevail. If the OU policy does not define
    the background, then the domain policy would be the defining one and the
    background would be green. Some of these options can be changed by using
    Block Policy Inheritance or No Override.

    Group Policy
    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/distrib/dsec_pol_BLSA.asp

    I hope this helps,

    Mike

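
A worked model of the processing order Mike describes, added here as an example; it is not code from the thread or from Microsoft. It is PowerShell that runs on any machine. The GPO names, the `Background` setting and the starting value are made up, and it models ordinary settings only: for domain accounts the password and lockout policy is, as Mike says, taken only from GPOs linked at the domain, which the model does not special-case. The `$Baseline` parameter stands for values the machine already holds in its local security database, which is why a security setting switched back to Not Defined keeps its old value until something explicitly sets it.

```powershell
# Added example (not code from the thread or from Microsoft): a model of Group
# Policy precedence. $Links is in processing order: Local, Site, Domain, OU,
# child OU. A setting value of $null stands for "Not Defined" and leaves what
# was applied before it untouched. BlockInheritance on a link's container drops
# non-enforced links from the containers above it; Enforced (No Override) links
# are applied last, the highest container last, so they win over lower ones.

function Resolve-GpoSettings {
    param(
        [Parameter(Mandatory)] [object[]] $Links,
        [hashtable] $Baseline = @{}        # values the machine already holds
    )
    # Deepest container that blocks inheritance (-1 = none).
    $cut = -1
    for ($i = 0; $i -lt $Links.Count; $i++) {
        if ($Links[$i].BlockInheritance) { $cut = $i }
    }
    # The Local GPO (index 0) has no container and is never blocked.
    $kept = @(0..($Links.Count - 1) |
        Where-Object { $_ -eq 0 -or $_ -ge $cut -or $Links[$_].Enforced } |
        ForEach-Object { $Links[$_] })
    $normal   = @($kept | Where-Object { -not $_.Enforced })
    $enforced = @($kept | Where-Object { $_.Enforced })
    [array]::Reverse($enforced)        # higher container's enforced link applied last

    $effective = @{}
    foreach ($name in $Baseline.Keys) {
        $effective[$name] = [pscustomobject]@{ Value = $Baseline[$name]; Source = 'value already on the machine' }
    }
    foreach ($link in ($normal + $enforced)) {
        foreach ($name in $link.Settings.Keys) {
            $value = $link.Settings[$name]
            if ($null -eq $value) { continue }   # Not Defined: no change
            $effective[$name] = [pscustomobject]@{ Value = $value; Source = $link.Name }
        }
    }
    return $effective
}

function Show-Background {
    # One run of Mike's green/blue example; the machine starts with a grey background.
    param([string] $Label, [object] $OuValue, [switch] $OuBlocksInheritance, [switch] $DomainEnforced)
    $links = @(
        [pscustomobject]@{ Name = 'Local GPO';             Enforced = $false;                BlockInheritance = $false;                     Settings = @{} }
        [pscustomobject]@{ Name = 'Default Domain Policy'; Enforced = [bool]$DomainEnforced; BlockInheritance = $false;                     Settings = @{ Background = 'green' } }
        [pscustomobject]@{ Name = 'Sales OU GPO';          Enforced = $false;                BlockInheritance = [bool]$OuBlocksInheritance; Settings = @{ Background = $OuValue } }
    )
    $r = Resolve-GpoSettings -Links $links -Baseline @{ Background = 'grey' }
    '{0,-42} -> {1,-5} (from {2})' -f $Label, $r.Background.Value, $r.Background.Source
}

Show-Background 'OU sets blue' 'blue'
Show-Background 'OU leaves it Not Defined' $null
Show-Background 'OU blocks inheritance, Not Defined' $null -OuBlocksInheritance
Show-Background 'Domain enforced, OU blocks and sets blue' 'blue' -OuBlocksInheritance -DomainEnforced
```

The four runs cover Mike's two cases and the two switches: the OU value wins when it is defined, the domain value shows through when the OU leaves it Not Defined, Block Inheritance on the OU makes the machine fall back to what it already had, and an enforced domain link beats both the block and the OU value.
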
  2.

    Thanks for the help.....

    So I want to pull the changes out that I made to my Default Domain Policy.
    I've set the settings in the Password & Account policies to 'Not Defined'. But
    it appears that the settings are still in effect even after a reboot of the
    client station. After multiple failures my accounts are still getting locked
    out, and new passwords have to meet the complexity requirements even though
    I've changed the Default Domain Policy back to 'Not Defined'.

    Any ideas?


  3.

    Hi,

    If you don't want to require complex passwords and you have already enabled
    the policy, don't set it to "Not Defined". Set the policy to "Disabled".

    Mike

  4.

    OK, I disabled the settings in the Default Domain Policy and I'm still
    getting problems. So I loaded up the MMC Security Analyzer to see what
    settings were enabled on my DC. It looks like I need to get the DC to refresh
    its policy. I tried using "secedit /refreshpolicy machine_policy" but that
    didn't refresh the Default Domain Policy for the DC. Is there a way to do this
    or do I have to reboot?

    So my theory here is the DC is authorizing user accounts, so its settings
    take precedence and need to be changed in order to roll back my password
    policy deployment.


  5.

    Miha,

    Just wanted to say thanks I finally worked this out.

    I had to create and apply a new security template and use the MMC security
    analyzer snap-in to apply it to the DCs on my network. This reset the
    Password and Account Lockout policies, hence reversing my problem. Thanks for
    all your help, I learned a lot. -Rob

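
The fix Rob describes in reply 5, together with Mike's advice in reply 3 to set the values explicitly rather than leaving them Not Defined, scripted as an added example; this is not code from the thread. It writes a security template whose Account Policies are all explicit, applies it to the DC with `secedit.exe`, refreshes machine policy and compares the exported result with the template. Assumptions: the template values are the Windows 2000 out-of-box defaults and only a placeholder for what the domain actually needs; the file names under `$env:TEMP`, the function names and the constructed export used for the offline check are made up for the example. `Invoke-AccountPolicyReset` has to run in an elevated session on a domain controller; the parsing and comparison run anywhere.

```powershell
# Added example, not code from the thread. Scripts Rob's fix: a template whose
# Account Policies are all explicit, applied with secedit.exe on the DC.
# Template values are an assumption (Windows 2000 out-of-box defaults).

$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; Password Policy. Every line is explicit on purpose: a setting left out of a
; template (the equivalent of "Not Defined") keeps whatever value it has now.
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
; Account Lockout Policy. 0 bad attempts = no lockout; ResetLockoutCount and
; LockoutDuration are only meaningful when LockoutBadCount is above 0.
LockoutBadCount = 0
'@

function Read-SystemAccess {
    # Parse the [System Access] section of a template or a secedit /export file
    # into a name -> value hashtable; comments and other sections are skipped.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $values = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if (-not $inSection -or $line -match '^\s*(;|$)') { continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $values[$Matches[1]] = $Matches[2] }
    }
    return $values
}

function Compare-SystemAccess {
    # One row per template setting whose effective value differs.
    param([hashtable] $Expected, [hashtable] $Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        if ("$($Actual[$name])" -ne "$($Expected[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $Actual[$name] }
        }
    }
}

function Export-SystemAccess {
    # Effective Security Settings of this machine; on a DC, the domain's.
    $out = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $out /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    return Read-SystemAccess (Get-Content -Path $out)
}

function Invoke-AccountPolicyReset {
    param([string] $TemplateText = $Template)
    $inf = Join-Path $env:TEMP 'reset-accountpolicy.inf'
    $db  = Join-Path $env:TEMP 'reset-accountpolicy.sdb'
    $log = Join-Path $env:TEMP 'reset-accountpolicy.log'
    Set-Content -Path $inf -Value $TemplateText -Encoding Unicode   # secedit expects UTF-16
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }
    # Windows 2000 syntax, as in Rob's post; /enforce re-applies even if the GPO
    # is unchanged. On XP/2003 and later use: gpupdate /target:computer /force
    & secedit.exe /refreshpolicy machine_policy /enforce
    $wanted = Read-SystemAccess ($TemplateText -split "`r?`n")
    $drift  = @(Compare-SystemAccess -Expected $wanted -Actual (Export-SystemAccess))
    if ($drift.Count) { $drift | Format-Table -AutoSize; throw 'Account policy still differs from the template' }
    net accounts /domain    # the domain-wide policy as member machines now see it
}

# Offline check of the parser and compare against a constructed (made-up) export
# in the state Rob was stuck in: complexity and lockout still switched on.
$constructedExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
ClearTextPassword = 0
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
'@
Compare-SystemAccess -Expected (Read-SystemAccess ($Template -split "`r?`n")) `
                     -Actual   (Read-SystemAccess ($constructedExport -split "`r?`n")) | Format-Table -AutoSize
```

The offline check at the end lists each setting whose value in the constructed export differs from the template, which is the same report `Invoke-AccountPolicyReset` produces after the real apply. `secedit /refreshpolicy machine_policy /enforce` is the Windows 2000 syntax Rob was using; `/enforce` re-applies the security settings even when the GPO has not changed since the last refresh, and on Windows XP/2003 and later the equivalent is `gpupdate /target:computer /force`. The values the template writes only survive if the Default Domain Policy leaves those settings Not Defined or agrees with them; if the GPO still defines a different value, the next refresh puts it back, so a disagreement has to be settled in the GPO itself, which is where Mike's "set it to Disabled" advice comes in.
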