That makes me feel better. It’s too
disruptive to my worldview when I think that Joe could be wrong <grin>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Actually you still agree with me, you just
state it differently. :o) In that case, the domain policy for
the user accounts isn't being applied at all. I believe the idea of the OP sprang
from the idea to block a certain OU from having the policy impact the
users in that OU. This isn't possible because the policies are actually
initiating changes on the default NC of the domain controllers which are
applied to all users within the domain. I.E. When you set the lockout policy
for instance you impact a couple of attributes on the default NC, specifically

F:\DEV\cpp\dosd>adfind -schema -f ldapdisplayname=*lockout* -nodn -nolabel ldapdisplayname

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com

lockOutObservationWindow

4 Objects returned

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry

I used to agree with Joe on topic 2 until
I actually ran into a problem in my forest. I needed to make a change to the
password complexity setting on one domain and the change wasn’t
happening. The problem was that the “block inheritance” setting was
checked on the domain controllers OU. Once the checkbox was cleared, the new
account policy took effect. This was a Windows 2000 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

1. Correct

2. Yes and no. Account policies as applied
onto domain users can't be blocked. However you can block those policies from
being applied to the local policies of member machines.

I don't think you need to set "user
can not change password", if the person doesn't want their password
changed, setting that only prevents them from doing it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton

Hey all!

Can
you do me a quick favour and just confirm that I'm not going mad by agreeing
(or not, if I'm wrong) with these:

1) you can only apply password policies (account policies to be exact, but this is
a bone of contention here at the moment) at the domain level. i.e.: if the domain is abc.com you have to
apply it at that level, not below.

2) account policies cannot be blocked by using the "block inheritance"
option? Not too sure on this one, so could do with it clearing up. As a fail
safe I'm going to make sure I've got "password never expires" and
"user can not change password" options selected for those people who
I don't want their password changing just yet.

Any answers greatly received and advice always welcome.

Cheers,
folks.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241
Eastgate House
Title: Few quick ones on password policies