Re: domain security policy

Not for the default domain policy
think about it, if there is one policy that mmust be applied to all, that is it.
This is article is more directed for custom GPOs

"Patrick" <Patrick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1849FAA7-CB2C-4082-992F-6AE04F8E8F2B@xxxxxxxxxxxxxxxx
Thanks Brian,

I found the following doc, is it safe to appy it to prevent "Administrator"
or some service a/c to appy those password policy.



"Brian Komar (MVP)" wrote:

Some answers inline.
"Patrick" <Patrick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> Thanks all your help.
> I want to setup a security policy on Windows 2000 domain environment to
> enforce general user to change their password every 3 months and > something
> like enforce password history, a/c lock out.
> I have the following question:
> - Is it applied to all domain users inclued "Domain Administrator"?

Yes, unless there is a specific account setting override
> - How can exclude some of users like "Domain Administrator" and some
> services a/c of above setting?

Yes, for the specific account, you can choose to prevent the requirement to
change passwords. But, if you set up complexity, etc, then it must be

> - If I set these policy in a new created OU level and move geneal user
> computer object to this OU (not server and DC object), am I right that > the
> policy will only apply to these computer.

Nope. Account policy is domain wide in a Windows 2000 (and 2003) domain. It
applies to *all* users in the domain.

> - What is the best prastice to apply these domain security setting?

Like you are doing.

> Thanks for your help.
> Patrick