Darren, now I am puzzled... I would have sworn that what I have described once worked with W2K (if I am not mistaken, it was SP1), but
So I checked... 2 DCs in the test domain (W2K native): 1 W2K3 (holds all FSMOs), 1 W2K SP4 (GC).

Test 1: On W2K3:
1) Defined Default Domain Policy with 6 chars password length.
2) Defined Default DC Policy with 8 chars length.
3) ReACL-ed the Default Domain Policy and denied it to Enterprise Domain Controllers.
4) gpupdate + gpresult shows that default domain policy is not applied at DCs.
5) Trying to set user's password to 6 chars works (just as you have said) ==> Default DC password complexity settings are indeed ignored.
6) Canceled the Deny for enterprise DCs on default domain policy + gpupdate + gpresult.
7) Default Domain Policy (6 chars) is enforced (meanwhile everything as expected).

Test 2 (things stop making sense):
1) Default Domain Policy is configured not to define password complexity.
2) W2K3 local machine policy is set to 5 chars.
3) W2K local machine policy set to 6 chars.
4) sync the domain && gpupdate && secedit /refreshpolicy
5) on W2K setting 5 char password works (local policy set to 6)
6) on W2K3 5 char password works (local policy set to 5)
7) trying 4 chars fails on both DCs

Test 3 (the other way around):
1) Default Domain Policy is configured not to define password complexity.
2) W2K3 local machine policy is set to 6 chars.
3) W2K local machine policy set to 5 chars.
4) sync the domain && gpupdate && secedit /refreshpolicy
5) on W2K3 setting 5 char password fails (local policy set to 6)
6) on W2K 5 char password fails! (local policy set to 5)
7) trying 4 chars fails on both DCs

Now I've been lurking on this mail list for quite a while and been listening to Joe :), so I fire up Network Monitor on W2K3 (local=6) while trying to set a 5 char password on W2K (local=5) and I see nothing, except some LDAP chatter about cn=configuration,dc=domain,dc=com... and yet the password reset to 5 chars fails. What is going on here??? What am I missing?
Test 4 (back to reality):
1) set default domain policy to 6 chars + sync the DCs + check that GPO settings have replicated
2) gpupdate && secedit /refreshpolicy
3) local policies are overridden as expected and 6 char passwords are enforced

Guy

On Tue, 2004-03-16 at 07:08, Darren Mar-Elia wrote:
> Yea, that's the right way to do it Joe.
>
> Guy, I'm kinda surprised you actually saw that behavior. I was under the
> impression that password complexity was one of those account policies
> that was completely ignored by DCs unless it's linked to a domain policy.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, March 15, 2004 5:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Group Policy
>
> I would think you could do this by simply linking another policy for the
> member machines at a lower OU level that still encompasses all of those
> machines. I know I did this for lockout policy once.
>
>
> -------------
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, March 15, 2004 3:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Group Policy
>
>
> Actually I did it once. This way you can enforce different password
> complexity requirements for domain accounts vs. machine local accounts
> by applying stricter password complexity to a GPO that is linked to the
> Domain Controllers OU.
>
> This is rather simple: in Default Domain Controller Security policy you
> block inheritance and define different password length/complexity than
> in default domain policy. Standalone computers will receive the security
> settings from default domain policy and the DC from its own.
> Of course you must watch out for other settings defined in the default
> domain GPO.
>
> Never found any use for this, but it was one of those nice-to-know
> things.
>
> Guy
>
> --
> Smith & Wesson - the original point and click interface
>
> On Mon, 2004-03-15 at 07:56, joe wrote:
> > Yes they do. The default domain policy is where your domain security
> > policy is located at.
> >
> > What implications are there for blocking it... I am not sure, never
> > tried... Let us know. :o)
> >
> >
> > -------------
> > http://www.joeware.net (download joeware)
> > http://www.cafeshops.com/joewarenet (wear joeware)
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> > Sent: Thursday, February 26, 2004 12:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Group Policy
> >
> > Do W2k domain controllers need to process default domain policy as
> > well as default dc policy?
> > If so and the DC's OU is set to block default domain policy what
> > implications will/can this have?
> >
> > thanks in advance.
> >
> >
> >
> > This E-mail, including any attachments, may be intended solely for the
> > personal and confidential use of the sender and recipient(s) named above.
> > This message may include advisory, consultative and/or deliberative
> > material and, as such, would be privileged and confidential and not a
> > public document. Any Information in this e-mail identifying a client
> > of the department of Human Services is confidential. If you have
> > received this e-mail in error, you must not review, transmit, convert
> > to hard copy, copy, use or disseminate this e-mail or any attachments
> > to it and you must delete this message. You are requested to notify
> > the sender by return e-mail.
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Smith & Wesson - the original point and click interface
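A small audit that follows from the Test 1 result above (domain-account password settings placed in the Domain Controllers OU GPO are ignored; only the domain-linked GPO counts). This is an added example, not code from the thread or from any of its participants: it parses the [System Access] section of two GptTmpl.inf security templates, constructed inline to mirror Test 1 (6 chars in the domain-linked GPO, 8 chars in the DC-OU GPO), and reports the DC-OU values that differ from the domain-linked GPO and so will not govern domain accounts. The key names are the real GptTmpl.inf ones; the template contents and the function names are assumptions made for the example.

```python
"""Added example (not from the thread): report password settings that sit
in the Domain Controllers OU GPO instead of the domain-linked GPO."""
import configparser
import io

# Constructed GptTmpl.inf contents mirroring Test 1 above: 6 chars in the
# domain-linked GPO, 8 chars in the GPO linked to the Domain Controllers OU.
DEFAULT_DOMAIN_POLICY = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
"""

DEFAULT_DC_POLICY = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
"""

# Password-policy keys of [System Access]; for domain accounts these take
# effect only from a GPO linked at the domain level (Test 1 result).
PASSWORD_KEYS = ("MinimumPasswordAge", "MaximumPasswordAge",
                 "MinimumPasswordLength", "PasswordComplexity",
                 "PasswordHistorySize", "ClearTextPassword")


def parse_system_access(template_text):
    """Return the password-policy keys of [System Access] as {name: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the CamelCase key names as written
    cp.read_file(io.StringIO(template_text))
    if not cp.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in cp["System Access"].items()
            if k in PASSWORD_KEYS}


def audit(domain_template, dc_template):
    """Return (effective domain-account policy, misplaced DC-OU settings).
    A DC-OU value that differs from the domain-linked GPO will not govern
    domain accounts and should be moved to the domain-linked GPO."""
    domain = parse_system_access(domain_template)
    dc = parse_system_access(dc_template)
    misplaced = {k: {"dc_ou": v, "domain": domain.get(k)}
                 for k, v in dc.items() if domain.get(k) != v}
    return domain, misplaced
```

Point the two arguments at the GptTmpl.inf files under the SYSVOL paths of the two GPOs (they are UTF-16, so decode before passing) to run it against a real domain.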
