Re: Password policy in domain 2003



Dobromir stated correctly that prior to Windows 2008 domains
there is only one account and password policy for domain accounts.
If one sets these at a different level (not at domain level) such as
your case on an OU, then the account and password policies will
have impact on machine local accounts defined on the computers
in that OU, which is why you were seeing what you report in the
GP results for machines in that OU.

Roger

"?????.?" <@discussions.microsoft.com> wrote in message
news:450C94D5-9E3F-4637-AA0F-815985FF4022@xxxxxxxxxxxxxxxx
Hi
I didn't understand your answer, can you please explain broadly? The password
policy is in the computer section. When you wrote "For domain accounts, the domain
level password policy still applies", the computer object accounts are domain
accounts, so what did you mean?

Lior

"Dobromir Todorov" wrote:

You can - but for accounts that reside in the local SAM databases of
computers in that OU. You will certainly notice that it only applies to
computers, and not to users. For domain accounts, the domain level
password policy still applies.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"?????.?" <@discussions.microsoft.com> wrote in message
news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@xxxxxxxxxxxxxxxx
Hi

As far as I know there can be only one password policy.
I configured the main GPO in the root for a specific password policy. I have
an OU with block inheritance checked, and I created a new GPO and linked
it to this OU. This GPO has a different set of password policy settings. I ran
the RSOP on the server under that OU, and I got the new set of password policy
settings that is linked to this OU.
So, can I use a different password policy in different OUs?
Or am I missing something?

thanks

Lior
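
A check that follows from the replies above, as an added example that is not part of the original thread: it compares the password policy enforced on this computer's local SAM accounts with the domain-level policy stored on the domain object. It assumes an elevated PowerShell 3.0 or later session on a domain member computer in the OU; the scratch file name is hypothetical.

```powershell
# Added example: local SAM password policy versus domain-level password policy.
# Run elevated on a member server or workstation, not on a domain controller.

# 1. Local side: export the effective local security policy and read the
#    [System Access] section, which holds the password and lockout settings.
$cfg = Join-Path $env:TEMP 'local-secpol.inf'   # hypothetical scratch file
secedit /export /areas SECURITYPOLICY /cfg $cfg | Out-Null

$sam = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $sam[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $cfg

# 2. Domain side: the single domain account policy is stored as attributes
#    on the domain head object, read here through ADSI.
$dn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$dom = [ADSI]"LDAP://$dn"
$domPol = @{
    MinimumPasswordLength = [int]$dom.minPwdLength.Value
    PasswordHistorySize   = [int]$dom.pwdHistoryLength.Value
    LockoutBadCount       = [int]$dom.lockoutThreshold.Value
    # Bit 0x1 of pwdProperties is DOMAIN_PASSWORD_COMPLEX.
    PasswordComplexity    = [int](([int]$dom.pwdProperties.Value -band 1) -ne 0)
}

# 3. Report each setting side by side. A difference means an OU-linked GPO
#    has changed the policy for this machine's local accounts only.
foreach ($key in $domPol.Keys | Sort-Object) {
    [pscustomobject]@{
        Setting  = $key
        LocalSAM = [int]$sam[$key]
        Domain   = $domPol[$key]
        Differs  = ([int]$sam[$key] -ne $domPol[$key])
    }
}
```

Rows with `Differs` set to `True` show the OU-level settings that RSoP reports for the computer; domain accounts logging on to that computer are still governed by the `Domain` column.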