Yea, that's the right way to do it Joe. Guy, I'm kinda surprised you actually saw that behavior. I was under the impression that password complexity was one of those account policies that was completely ignored by DCs unless its linked to a domain policy.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 15, 2004 5:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy I would think you could do this by simply linking another policy for the member machines at a lower OU level that still encompasses all of those machines. I know I did this for lockout policy once. ------------- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Monday, March 15, 2004 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy Actually I did it once. This way you can enforce different password complexity requirements for domain accounts vs. machine local accounts by applying stricter password complexity to GPO that is linked to Domain Controllers OU. This is rather simple: in Default Domain Controller Security policy you block inheritance and define different password length/complexity then in default domain policy. Standalone computers will receive the security settings from default domain policy and DC from it's own. Of course you must watch out for other settings defined in the default domain GPO. Never found any use for this, but it was one of those nice-to-know things. Guy -- Smith & Wesson - the original point and click interface On Mon, 2004-03-15 at 07:56, joe wrote: > Yes they do. The default domain policy is where your domain security > policy is located at. > > What implications are there for blocking it... I am not sure, never tried... > Let us know. :o) > > > ------------- > http://www.joeware.net (download joeware) > http://www.cafeshops.com/joewarenet (wear joeware) > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of John > Shukovsky Jr > Sent: Thursday, February 26, 2004 12:12 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Group Policy > > Do W2k domain controllers need to process default domain policy as > well as default dc policy? > If so and the DC's OU is set to block default domain policy what > implications will/can this have? > > thanks in advance. > > > > This E-mail, including any attachments, may be intended solely for the > personal and confidential use of the sender and recipient (s) named above. > This message may include advisory, consultative and/or deliberative > material and, as such, would be privileged and confidential and not a > public document. Any Information in this e-mail identifying a client > of the department of Human Services is confidential. If you have > received this e-mail in error, you must not review, transmit, convert > to hard copy, copy, use or disseminate this e-mail or any attachments > to it and you must delete this message. You are requested to notify > the sender by return e-mail. > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
