Re: domain security policy

Not for the default domain policy
think about it, if there is one policy that mmust be applied to all, that is it.
This is article is more directed for custom GPOs

"Patrick" <Patrick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1849FAA7-CB2C-4082-992F-6AE04F8E8F2B@xxxxxxxxxxxxxxxx
Thanks Brian,

I found the following doc, is it safe to appy it to prevent "Administrator"
or some service a/c to appy those password policy.



"Brian Komar (MVP)" wrote:

Some answers inline.
"Patrick" <Patrick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> Thanks all your help.
> I want to setup a security policy on Windows 2000 domain environment to
> enforce general user to change their password every 3 months and > something
> like enforce password history, a/c lock out.
> I have the following question:
> - Is it applied to all domain users inclued "Domain Administrator"?

Yes, unless there is a specific account setting override
> - How can exclude some of users like "Domain Administrator" and some
> services a/c of above setting?

Yes, for the specific account, you can choose to prevent the requirement to
change passwords. But, if you set up complexity, etc, then it must be

> - If I set these policy in a new created OU level and move geneal user
> computer object to this OU (not server and DC object), am I right that > the
> policy will only apply to these computer.

Nope. Account policy is domain wide in a Windows 2000 (and 2003) domain. It
applies to *all* users in the domain.

> - What is the best prastice to apply these domain security setting?

Like you are doing.

> Thanks for your help.
> Patrick


Relevant Pages

  • Re: GPO causing client security logs to fill?
    ... a virus in play. ... settings to be applied on your client workstations. ... Group Policy is a complex and often misunderstood beast. ... I modified the account ...
  • Re: The local policy of this system does not permit you to logon i
    ... Security policies were propagated with warning. ... Error 0x534 occurs when a user account in one or more Group Policy objects ... I have checked the security policies & the administrator profile is not ...
  • Re: GPO causing client security logs to fill?
    ... Unlink the Default Domain Controller Policy (As it was not previously ... settings to be applied on your client workstations. ... I modified the account ... So basically, the Account lockout threshold, account lockout ...
  • Re: GPO causing client security logs to fill?
    ... Possibly delete the Default Domoan Controller Policy (As it did not ... issues as it was about recoverying from a virus which appears to ... with client logon failures. ... I modified the account ...
  • Re: Password expires for no apparent reason
    ... policy that has set the values to what you see below meaning that users ... So I would define the password age and configure a value in there. ... As Harj said Account lockouts could potentially be a problem as perhaps ... Password expires for no apparent reason ...