Re: Basic GPO Question

From: Paul U. (anonymous_at_discussions.microsoft.com)
Date: 09/22/04


Date: Wed, 22 Sep 2004 12:17:07 -0700

Thanks for a quick Response Dan!

I'm pretty new to this Policy "Stuff" so I want to make
sure I understand your response.

Is my understanding correct in that I HAVE to apply my
password policy to the domain instead of the OU (or is
that just a "best practice" suggestion)? I have only
created one password policy, but for the short term I
want to apply it just to one site (Geographic Region).
Eventually I will apply it to the entire domain.

Thanks for your help...
Paul U.

>-----Original Message-----

>Password policies are one to a domain.
>
>> I have created a new Policy which enables Password
>> Complexity requirements, and linked that new Policy to
>> the OU in AD which contains all of the Users and
>> Computers (including the Domain Controller computer) for
>> that Regional Office.
>
>
>Password policies applied at the OU level ONLY take effect when logging on
>locally to a computer in that OU.
>
>
>> We have several geographic regional offices, each with
>> their own DC. One of our Regional Offices wants to
>> implement Strong Passwords (aka Password Complexity
>> Requirements).
>
>
>In order to use a different password policy at this site, you need to create
>a different domain at this site.
>
>
>The reasoning behind the password policy is that if you have resources in a
>domain that are sensitive enough to require the more complex password
>policy, you would want ALL accounts in that domain to be more secure, not
>just a few. If you were able to apply the complex password policy to a few
>users and not the entire domain a hacker would not have to crack the complex
>password. They would crack one of the "simple" passwords.
>
>It's kind of like putting a dead bolt, a key lock, and a chain lock on the
>front door and only a key lock on the back door of your house. If there is
>something in your house worth securing with 3 different locks, it's worth
>securing all the doors equally.
>
>hth
>DDS W 2k MVP MCSE
>
>"Paul U." <anonymous@discussions.microsoft.com> wrote in message
>news:01ff01c4a0cb$1f91ca70$a301280a@phx.gbl...
>> I have what I would call a relatively simple task I want
>> to accomplish but I can't seem to get it to work for
>> whatever reason.
>>
>> We have several geographic regional offices, each with
>> their own DC. One of our Regional Offices wants to
>> implement Strong Passwords (aka Password Complexity
>> Requirements).
>>
>> I have created a new Policy which enables Password
>> Complexity requirements, and linked that new Policy to
>> the OU in AD which contains all of the Users and
>> Computers (including the Domain Controller computer) for
>> that Regional Office.
>>
>> When I open the "Local Security Policy" shortcut from
>> inside Administrative Tools on the DC of that Regional
>> Office, it still indicates that the Password Complexity
>> setting is undefined.
>>
>> Do I need to modify the Default Domain Policy or Default
>> Domain Controller Policy to define complex password
>> requirements or is there another policy I need to create
>> upstream?
>>
>> Any help would be much appreciated!
>>
>> Thanks - Paul U.