RE: Account Lockout Policy
From: Alexander Suhovey (asuhovey_at_mtu-net.ru)
Date: 10/22/05
- Previous message: Manh Tho: "CFP: The First International Conference on Availability, Reliability and Security (AReS 2006), 20-22 April, 2006, Vienna, Austria"
- In reply to: Rasmus Rųnlev: "Re: Account Lockout Policy"
- Next in thread: Laura A. Robinson: "RE: Account Lockout Policy"
- Reply: Laura A. Robinson: "RE: Account Lockout Policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'Rasmus RŪnlev' <rr.it@cbs.dk>, <focus-ms@securityfocus.com> Date: Sun, 23 Oct 2005 00:05:04 +0400
> -----Original Message-----
> From: Rasmus RŪnlev [mailto:rr.it@cbs.dk]
> Sent: Friday, October 21, 2005 1:37 AM
> To: focus-ms@securityfocus.com
> Subject: Re: Account Lockout Policy
>
> Hi,
>
[..]
> It seems some of the responding
> people are knee-jerk-reacting to "you can only put into
> effect account policy from the domain level". This is correct
> in so far that "Domain Policy" will be applied towards Domain
> Controllers, sitting in the Domain Controllers OU.
Not quite. Having DCs in GPO scope is not how it works for
domain account policies. If you greate a GPO linked to Domain
Controllers OU, DCs will ignore account policies configured
in this GPO. Domain account policies must be configured
only at the root level of domain.
Here's a couple of quotes from [2]:
"Password policies, Kerberos, and some security options are
only merged from GPOs that are linked at the root level on
the domain. This is done to keep those settings synchronized
across all domain controllers in the domain."
"For domain accounts, only one account policy is permitted per
domain. This account policy must be specified in the Default
Domain Policy GPO, or in a new GPO that is linked to the root
of the domain and has precedence over the Default Domain
Policy GPO. [...] A domain controller always gets the account
policy from a GPO linked to the domain, by default from the
Default Domain Policy GPO."
1. "Where does your client's security policy actually come from?"
http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1108125,00.html
2. "How Security Settings Extension Works"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechR
ef/824b4758-9430-4633-8d8f-3dad0f2bf839.mspx
-- Al --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Manh Tho: "CFP: The First International Conference on Availability, Reliability and Security (AReS 2006), 20-22 April, 2006, Vienna, Austria"
- In reply to: Rasmus Rųnlev: "Re: Account Lockout Policy"
- Next in thread: Laura A. Robinson: "RE: Account Lockout Policy"
- Reply: Laura A. Robinson: "RE: Account Lockout Policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
