RE: Bypassing Windows 2000 Domain Password settings

From: Skinner, Kit (KSkinner@sandstream.com)
Date: 05/15/02 

From: "Skinner, Kit" <KSkinner@sandstream.com>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Wed, 15 May 2002 21:12:39 +0100

Your answer is in the Status:
        "This behavior is by design."

If you have "Block Policy Inheritance" enabled on the Domain Controllers OU,
you have two options:
        1. Disable "Block Policy Inheritance" on the Domain Controllers
OU
                - or -
        2. Set a Group Policy in the Domain Controllers OU that mirrors
the settings you desire that exist in the Default Domain Policy.

However, your original message indicated an issue that some experienced with
it recognizing password history. This could relate specifically to the same
issue. But again, that is by design. If you tell it to block inheritance,
it will block inheritance. If you are blocking inheritance on the Domain
Controllers OU, then it is behaving as you told it to. If its not set to
block inheritance, then you have another issue entirely.

-K

-----Original Message-----
From: Gino Genari [mailto:mail226518@pop.net]
Sent: Monday, May 13, 2002 5:18 PM
To: focus-ms@securityfocus.com
Subject: Bypassing Windows 2000 Domain Password settings

Microsoft Q article
Q269236 Changes Are Not Applied When You Change the Password Policy explain
this issue.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236

If policy blocking is enabled at the Domain Controllers OU, password
policies set in the Default Domain Policy are not propagated to any
machines.

The article remarks that SP1 is affected, but I have SP2 on these machines.

Relevant Pages

  • Re: Default Domain password policy issue
    ... The domain controllers are members of authenticated users. ... as for applied Group Policy objects for computer settings. ... Policy replication/version problems. ... The settings in this GPO can only apply to the following groups, users, ...
    (microsoft.public.windows.group_policy)
  • Re: Default Domain Policy Doesnt Apply
    ... Also to add that Group Policies are by default applied in this ... level will be overriden by any defined settings at the site, domain, OU ... account policies] are not being applied to the domain controllers since they ... > password and lockout policy can ony be set at the domain level for domain ...
    (microsoft.public.win2000.group_policy)
  • Re: USERENV error - Group Policy
    ... However, as per instructions, I've set these permissions correctly. ... policy object in AD. ... folder and GPO, returning the security to normal settings, did another GP ... -Domain controllers have the read and apply rights to the Domain Controllers ...
    (microsoft.public.windows.server.active_directory)
  • RE: USERENV error - Group Policy
    ... with no AD policies attached. ... policy to this container and do a gpupdate, I get the error on the server. ... Domain controllers have the read and apply rights to the Domain Controllers ... I've checked numerous settings as follows: ...
    (microsoft.public.windows.server.active_directory)
  • Re: Minimum Password length GPO setting wont take effect
    ... Make all settings related to Accounts in the DC policy. ... you have the Domain Controllers OU Blocking Inheritance there is no purpose ... I am a little unclear then on what settings need to be in the GPO that is ...
    (microsoft.public.windows.group_policy)
Loading