Thanks Darren/Douglas

It's amazing such a simple concept can raise so many questions. This
question was really just pertaining strictly to admin, service type
accounts. Through some further research, the ONLY way to really achieve
what I want, which is to protect service accounts from being affected by
the password policy, is to have them reside in another domain inside the
forest. Dealing with 80k users, a password policy and service accounts can
cause headaches when trying to fully implement. Oh well, security is a
journey, not a destination. Thanks for the help.

Steve


----- Original Message ----- 
From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 29, 2004 10:01 PM
Subject: RE: [ActiveDir] Password Policy question


Also, keep in mind that password policy is a machine policy, so in any
case, it's not being applied to user accounts--but rather machines. In
the case of domain password policy, the machine(s) actually processing
the password policy settings are your DCs, which of course house your
domain accounts. And, it is an all or nothing thing, so even if you
wanted to filter the GPO by user account, you really couldn't.

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, September 29, 2004 6:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy question


The password policy is a domain wide thing. You can't restrict it to
certain OUs. Whatever you set it as is what it will be. Would be helpful
to apply it to certain OUs, but password policies are there to protect
the entire environment, so objects that would not be using the same
policy would be opening you up (that is why it is a domain wide thing).

________________________________

From: [EMAIL PROTECTED] on behalf of Steve Schofield
Sent: Wed 9/29/2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy question



We've implemented a domain wide password policy using the default domain
policy, this applies to authenticated users. One question I'm not sure
about is I have an OU that all Admin IDs and service accounts reside in.
We've applied block inheritance on this OU but the Default Domain Policy
is still being applied and password restrictions are being enforced. This
might be my misunderstanding but shouldn't block inheritance stop this
from applying to the user IDs in this OU?

Steve

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
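
The behaviour discussed in this thread can be confirmed from a management workstation. The script below is an added example, not code from any of the posters; it assumes the ActiveDirectory and GroupPolicy PowerShell modules are installed, and the OU distinguished name is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical DN of the OU holding admin and service accounts; replace with your own.
$ouDn = 'OU=Admin and Service Accounts,DC=example,DC=com'

# 1. Group Policy view of the OU: is inheritance blocked, and which links still reach it?
$som = Get-GPInheritance -Target $ouDn
[pscustomobject]@{
    OU                 = $som.Path
    InheritanceBlocked = $som.GpoInheritanceBlocked
    LinksReachingOU    = ($som.InheritedGpoLinks | ForEach-Object DisplayName) -join ', '
} | Format-List

# 2. Password policy the DCs enforce for domain accounts, whatever the OU's links say.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
    MinPasswordAge, MaxPasswordAge, LockoutThreshold | Format-List

# 3. Accounts inside the OU and when the domain policy will expire each password.
Get-ADUser -SearchBase $ouDn -Filter * -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        $expires = if ($_.PasswordNeverExpires) {
            'never (per-account flag set)'
        } elseif ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
            'never (domain maximum age is 0)'
        } elseif (-not $_.PasswordLastSet) {
            'must change at next logon'
        } else {
            $_.PasswordLastSet + $policy.MaxPasswordAge
        }
        [pscustomobject]@{
            Account                  = $_.SamAccountName
            PasswordLastSet          = $_.PasswordLastSet
            ExpiresUnderDomainPolicy = $expires
        }
    } | Format-Table -AutoSize
```

With block inheritance set and no enforced link, step 1 can show the Default Domain Policy missing from the OU's link list while steps 2 and 3 still report the domain-wide values for every account in it.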