Re: Domain vs Local Security Policy

From: Herb Martin (news_at_LearnQuick.com)
Date: 03/05/04


Date: Fri, 5 Mar 2004 14:31:34 -0600

You guys (Steven and Paul) are correct but I believe the OP
may have been asking a slightly different question so don't take
my response below as being in disagreement with the last few
posts.

A machine CAN AVOID the entire AD policy set through a
registry setting. This is very poorly documented (almost as if
it is hidden) and it will probably take me some time to find again
but it exists -- my web server REFUSES the ISP's settings
because they are weaker than my own.

Now, this probably wouldn't stop the password stuff if logging onto
the domain (that was my thought before the others clearly stated it)
but for logging onto machine-specific accounts that remains irrelevant.

If no one else can locate it, I suppose I will have to re-search for that
registry setting....

-- 
Herb Martin
"Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in
message news:MPG.1ab2a39d3e7a70b198989b@msnews.microsoft.com...
> In article <803201c402e6$67e28a90$a101280a@phx.gbl>, in the
> microsoft.public.win2000.security news group, Rich
> <anonymous@discussions.microsoft.com> says...
>
> > This is not true. You can create a separate OU with its
> > own password policy and block the policy inheritance from
> > the parent.
> >
>
> No, you're wrong, and Steven is correct. To affect domain accounts, the
> _only_ place you can set account policy is at the domain level. Set it
> anywhere else and all you're affecting is accounts in the local SAM of
> any computers to which the GPO applies.
>
> -- 
> Paul Adare
> Moral indignation is jealousy with a halo.
> H. G. Wells, The Wife of Sir Isaac Harman

