Tony, et al. -

I understand this to be the behavior (have observed it - yes, this is
the way that it works), but would someone care to help me understand why
you would NOT want local accounts subject to the same account
restrictions that are placed on domain accounts?

From a security perspective, this seems to be a bit strange, and an
oxymoron, at least.

Todd - what is your reasoning for wanting to do this?

Remember, this is not a criticism - it's a quest for understanding.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone





> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
> Sent: Tuesday, January 28, 2003 2:36 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] GPO's and AD...
> 
> 
> Yes, I have tested this too and what you say is correct.  One 
> thing you might want to bear in mind is that it is not 
> necessary to set Block Inheritance on the OU in question.  
> You can create a new GPO with different Account Policy 
> settings and link that GPO to the OU.  The new settings will 
> apply to *local* accounts for any computers in that OU.  
> Domain accounts will be unaffected.  
> 
> The reason this works is to do with GPO processing order.  
> OU-level GPOs are applied after domain-level GPOs.  Because 
> of this, OU-level GPOs take priority in any setting conflict.
> 
> The advantage of using a GPO over Block Inheritance is that 
> it allows you to be selective in what you apply.  Block 
> Inheritance is all-or-nothing.
> 
> Tony
> ---------- Original Message ----------------------------------
> From: "Myrick, Todd (NIH/CIT)" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Mon, 27 Jan 2003 14:02:53 -0500
> 
> We started to do some testing in our LAB to confirm a 
> behavior we witnessed on Workstations and Servers in an AD 
> domain.  What we wanted to confirm is that if you set a 
> domain-wide account policy, that the policy will affect not 
> only the AD database for password and account standards, but 
> workstations' and servers' local SAM databases as well.  Using 
> the Block Inheritance policy allows you to block the 
> inheritance on computers that are in OUs with the policy 
> enforced, it appears.  What we want to avoid is setting 
> account policies on local SAM databases and causing local 
> accounts' passwords to expire etc.
> 
> Do any of you have feedback?
> 
> Toddler
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
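Tony's explanation above (an Account Policy GPO linked to the OU is applied after the domain-level GPO, so it wins for the local SAM while domain accounts keep the domain settings) can be checked on a workstation in that OU. The following PowerShell script is an added example and is not code from this thread or from any list member. It assumes an elevated PowerShell session on a domain-joined computer with the RSAT ActiveDirectory module installed and a reachable domain controller, an English-language Windows (it parses the `net accounts` labels), and the function names are mine.

```powershell
# Added example, not code from the thread: compare the local SAM account policy
# on this computer (what "net accounts" reports) with the domain's default
# password policy, to confirm that an OU-linked Account Policy GPO changed the
# *local* policy while domain accounts keep the domain-level settings.
# Assumptions: elevated PowerShell on a domain-joined computer with the RSAT
# ActiveDirectory module available; English "net accounts" labels; the function
# names below are this example's own.

function Get-LocalAccountPolicy {
    # Parse the "net accounts" table into a hashtable: setting name -> value string.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>.+?):\s{2,}(?<value>.+)$') {
            $policy[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    return $policy
}

function Format-DomainValue {
    # Render a domain policy number the way net accounts prints it, so the two
    # columns compare as strings ("Never", "None", "Unlimited" all stand for zero).
    param([int]$Value, [string]$ZeroWord = '0')
    if ($Value -eq 0) { return $ZeroWord }
    return "$Value"
}

function Compare-AccountPolicy {
    param([string]$Server = $env:USERDNSDOMAIN)

    $local  = Get-LocalAccountPolicy
    # Domain-level policy as stored on the domain head; a "never expires"
    # maximum age is assumed to come back as a zero TimeSpan here.
    $domain = Get-ADDefaultDomainPasswordPolicy -Server $Server

    # Each row pairs a net accounts label with the matching domain policy field.
    $rows = @(
        @{ Setting = 'Maximum password age (days)';           Value = $domain.MaxPasswordAge.TotalDays;              Zero = 'Unlimited' },
        @{ Setting = 'Minimum password age (days)';           Value = $domain.MinPasswordAge.TotalDays;              Zero = '0' },
        @{ Setting = 'Minimum password length';               Value = $domain.MinPasswordLength;                     Zero = '0' },
        @{ Setting = 'Length of password history maintained'; Value = $domain.PasswordHistoryCount;                  Zero = 'None' },
        @{ Setting = 'Lockout threshold';                     Value = $domain.LockoutThreshold;                      Zero = 'Never' },
        @{ Setting = 'Lockout duration (minutes)';            Value = $domain.LockoutDuration.TotalMinutes;          Zero = '0' },
        @{ Setting = 'Lockout observation window (minutes)';  Value = $domain.LockoutObservationWindow.TotalMinutes; Zero = '0' }
    )

    foreach ($r in $rows) {
        $domainValue = Format-DomainValue -Value $r.Value -ZeroWord $r.Zero
        $localValue  = $local[$r.Setting]
        [pscustomobject]@{
            Setting = $r.Setting
            Local   = $localValue
            Domain  = $domainValue
            # True means a later-applied GPO (e.g. the OU-linked one) won for the local SAM.
            Differs = ($localValue -ne $domainValue)
        }
    }
}

Compare-AccountPolicy | Format-Table -AutoSize
```

Run it once on a computer in the OU that carries the override GPO and once on a computer outside that OU: on the first, the rows you changed in the OU GPO show `Differs = True`; on the second, every row should match the domain policy. To see which GPO supplied the winning setting, `gpresult /r /scope computer` lists the applied GPOs in processing order, with the OU-linked one after the domain-linked one.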

