Yes, I have tested this too and what you say is correct.  One thing you might want to 
bear in mind is that it is not necessary to set Block Inheritance on the OU in 
question.  You can create a new GPO with different Account Policy settings and link 
that GPO to the OU.  The new settings will apply to *local* accounts for any
computers in that OU.  Domain accounts will be unaffected.

The reason this works is to do with GPO processing order.  OU-level GPOs are applied 
after domain-level GPOs.  Because of this, OU-level GPOs take priority in any setting
conflict.

The advantage of using a GPO over Block Inheritance is that it allows you to be 
selective in what you apply.  Block Inheritance is all-or-nothing.

Tony
---------- Original Message ----------------------------------
From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Mon, 27 Jan 2003 14:02:53 -0500

We started to do some testing in our LAB to confirm a behavior we witnessed
on Workstations and Servers in an AD domain.  What we wanted to confirm is
that if you set a domain-wide account policy, the policy will affect
not only the AD database for password and account standards, but
workstations' and servers' local SAM databases as well.  Using the Block
Inheritance policy allows you to block the inheritance on computers that are
in OUs with the policy enforced, it appears.  What we want to avoid is
setting account policies on local SAM databases and causing local accounts'
passwords to expire, etc.

Do any of you have feedback?

Toddler
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
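
The OU-linked GPO approach described in the reply above, sketched with the GroupPolicy PowerShell module. This is an added example, not part of the original thread; the OU path and GPO name are placeholders, and the cmdlets postdate the 2003 discussion.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / GPMC) and rights to
# create and link GPOs. $OuDn and $GpoName are placeholder values.
Import-Module GroupPolicy

$OuDn    = 'OU=Kiosks,DC=example,DC=com'      # placeholder: OU holding the computers
$GpoName = 'Local Account Policy - Kiosks'    # placeholder: name for the new GPO

# 1. Confirm Block Inheritance is off, so the rest of the domain-level
#    settings keep applying to computers in this OU.
$before = Get-GPInheritance -Target $OuDn
if ($before.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $OuDn; domain-level GPOs are not inherited here."
}

# 2. Create the GPO if it does not exist yet, then link it to the OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Account Policy for local SAM accounts in this OU'
}
if (-not ($before.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# The Account Policy values themselves are edited in the GPO editor under
# Computer Configuration > Windows Settings > Security Settings > Account Policies.

# 3. Show the effective precedence for the OU. Order 1 wins a setting conflict.
#    The OU-linked GPO should rank above the domain-linked GPOs, unless a
#    domain-level link is marked Enforced, in which case that link wins.
(Get-GPInheritance -Target $OuDn).InheritedGpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize

# 4. On a member computer in the OU, after `gpupdate /force`, `net accounts`
#    shows the password and lockout policy now applied to the local SAM.
```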
