I used to agree with Joe on topic 2 until I actually ran into a problem in my forest. I needed to make a change to the password complexity setting on one domain and the change wasn’t happening. The problem was that the “block inheritance” setting was checked on the domain controllers OU. Once the checkbox was cleared, the new account policy took effect. This was a Windows 2000 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

1. Correct

2. Yes and no. Account policies as applied onto domain users can't be blocked. However you can block those policies from being applied to the local policies of member machines.

I don't think you need to set "user can not change password", if the person doesn't want their password changed, setting that only prevents them from doing it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton

Hey all!

Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these:

1) you can only apply password policies (account policies to be exact, but this is a bone of contention here at the moment) at the domain level. i.e.: if the domain is abc.com you have to apply it at that level, not below.

2) account policies cannot be blocked by using the "block inheritance" option? Not too sure on this one, so could do with it clearing up.

As a fail safe I'm going to make sure I've got "password never expires" and "user can not change password" options selected for those people who I don't want their password changing just yet.

Any answers greatly received and advice always welcome.

Cheers, folks.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241
Eastgate House
Title: Few quick ones on password polices
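A read-only check for the configuration described in the first message of this thread (block inheritance set on the domain controllers OU while an account-policy change is expected to apply), added here as an example and not written by any of the posters. It assumes a current Windows host with the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which postdate the Windows 2000 domain discussed.

```powershell
# Added example: read-only audit; changes nothing in the directory.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=abc,DC=com

# 1. Is "block inheritance" set on the domain controllers OU?
$inh = Get-GPInheritance -Target $dcOu
[pscustomobject]@{
    Target             = $dcOu
    InheritanceBlocked = $inh.GpoInheritanceBlocked
}

# 2. GPOs linked at the domain root, and whether each one still
#    appears in the set of GPOs that reach the domain controllers OU.
$rootLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
$reaching  = $inh.InheritedGpoLinks | ForEach-Object { $_.GpoId }
foreach ($link in $rootLinks) {
    [pscustomobject]@{
        Gpo         = $link.DisplayName
        Enforced    = $link.Enforced
        ReachesDcOu = $reaching -contains $link.GpoId
    }
}

# 3. The account policy the domain currently enforces, to compare
#    against the values set in the domain-level GPO.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

A domain-root GPO that shows `ReachesDcOu = False` while `InheritanceBlocked` is `True` is the arrangement reported in the first message; step 3 shows whether the intended password settings are actually in force.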