Joe,

When we did it, the machines seemed "stable". It was just that one DC had one
set of values and the other had another set of values. Depending which DC
authenticated your password changes etc, you got a different set of rules
enforced.

Admittedly we didn't do an exhaustive test over an extended period.

Alan C

----- Original Message ----- 
From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 18, 2004 8:46 AM
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome


Darren - if I understand Joe correctly, he doesn't mean that the policy
values are replicated. It's the fact that DCs may have different
thresholds for acct. lockout (due to the described setup) that the bad
logon count which is passed on from one DC to another would trigger a
lockout at a different threshold on the different DCs and you'd never be
sure which would apply.
However, I doubt we'd have replication back and forth: if a DC with a
threshold of 10 passes on the bad logon attempt to the PDCE with a
threshold of 5, the PDCE would potentially set the user-account to
locked while the other DC would still be fine with 5 more logon
attempts. But if this change of the user-account is then replicated out
to the other DC, I'm pretty sure that the DC set to 10 attempts doesn't
then unlock the account (and causes further replication).

So Joe, you may want to elaborate on that.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 17, 2004 6:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Joe-
Are you sure data like that is stored in AD? I thought, actually, that
security policy like this was still stored in the security hive of the
registry (i.e. the SAM) for each machine and thus not replicated.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, November 16, 2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

This would be extremely unstable.

Not only is the policy being changed by the GPO replicated through FRS,
it is also being changed by the values replicating around for the Domain
NC head through AD replication. I.e. the machine that got say a value of
10 for bad hits for lockout would replicate to the machine that had a
value of say 5. Then the second would be changed back by policy and try
to replicate to the first and back and forth.

What I am trying to say is instead of having one policy on one machine
and another on another machine, you would have no idea at any given
point what the policy was because it would be constantly changing on all
DCs as they duked it out.

  joe

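The situation joe and Guido describe (DCs holding different values on the Domain NC head, so the threshold you get depends on which DC handles the logon) can be checked directly. The following is an added example, not code posted by anyone in this thread: it binds to each DC's own copy of the domain head, reads the password and lockout policy attributes stored there, and warns about any attribute whose value differs between DCs. It assumes it is run as a domain user on a domain-joined Windows machine with .NET/ADSI available and LDAP reachable to every DC; no names are hard-coded, the DC list and domain DN are discovered at run time.

```powershell
# Added example (not from the thread). Compare the domain account policy as
# each DC currently holds it on the Domain NC head. Assumes: domain-joined
# Windows host, domain user, LDAP (389) reachable to every DC.

function Get-DcAccountPolicy {
    param([string]$DcName, [string]$DomainDN)

    # Domain NC head attributes that carry the password and lockout policy.
    $attrs = 'minPwdLength','pwdHistoryLength','maxPwdAge','minPwdAge',
             'lockoutThreshold','lockoutDuration','lockOutObservationWindow','pwdProperties'

    # Bind to *this* DC's copy rather than whichever DC the locator would pick.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DcName/$DomainDN"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    foreach ($a in $attrs) { [void]$searcher.PropertiesToLoad.Add($a) }

    $r = $searcher.FindOne()
    $policy = @{ DC = $DcName }
    foreach ($a in $attrs) {
        $v = $r.Properties[$a.ToLower()]          # result property names are lower-case
        $policy[$a] = if ($v.Count -gt 0) { $v[0] } else { $null }
    }

    # Intervals are stored as negative counts of 100-ns ticks. Int64.MinValue
    # means "never" (password never expires); Abs() would overflow on it.
    foreach ($a in 'maxPwdAge','minPwdAge') {
        if ($policy[$a] -eq [int64]::MinValue) { $policy[$a] = 'never' }
        elseif ($policy[$a]) { $policy[$a] = [math]::Abs($policy[$a]) / 864000000000 }  # days
    }
    foreach ($a in 'lockoutDuration','lockOutObservationWindow') {
        if ($policy[$a] -eq [int64]::MinValue) { $policy[$a] = 'never' }
        elseif ($policy[$a]) { $policy[$a] = [math]::Abs($policy[$a]) / 600000000 }     # minutes
    }
    [pscustomobject]$policy
}

function Compare-DcAccountPolicies {
    $dcs      = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    $domainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $policies = @(foreach ($dc in $dcs) { Get-DcAccountPolicy -DcName $dc.Name -DomainDN $domainDN })

    $policies | Format-Table -AutoSize | Out-String | Write-Host

    # More than one distinct value for an attribute across DCs means the
    # enforced threshold depends on which DC authenticates you.
    $names = $policies[0].psobject.Properties.Name | Where-Object { $_ -ne 'DC' }
    foreach ($n in $names) {
        $distinct = @($policies | ForEach-Object { $_.$n } | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            Write-Warning "$n differs between DCs: $($distinct -join ', ')"
        }
    }
}

Compare-DcAccountPolicies
```

A clean run prints one row per DC with identical columns and no warnings; a warning for lockoutThreshold or minPwdLength is the divergence the thread is discussing, and the DC column tells you which replica holds which value.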

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome

Rick,

That's correct. In fact we once tried having two policies at the domain
level with different values for the password length. We then changed
filtering so that one Domain controller got one policy and another
Domain controller got a different policy.

We then tested how each behaved when processing password changes and
each was using the different values.

A cute setup, but of no practical use that I can think of.

Alan Cuthbertson

----- Original Message -----
From: "Kingslan, Rick T." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 17, 2004 3:17 AM
Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
Logon Welcome


> Only Password Policies created at the domain level are effective for
> domain users, but they don't have to be in the default domain policy
> object.

Can you elaborate on this?  I've only had one coffee this morning, and I
don't think I follow what you're saying....

Are you saying that a GPO identified by a GUID other than the Default
Domain Policy can apply Password, Kerb, Lockout, etc?

Rick

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of ASB
> Sent: Tuesday, November 16, 2004 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
> Logon Welcome
>
> > The Default Domain Policy is the *only* effective policy for those
> > settings.
>
> That's not an accurate statement...
>
> Only Password Policies created at the domain level are effective for
> domain users, but they don't have to be in the default domain policy
> object.
>
> -ASB
>
>
> On Sun, 7 Nov 2004 12:58:57 -0600, Brian Desmond
> <[EMAIL PROTECTED]> wrote:
> > The Default Domain Policy is the *only* effective policy for those
> > settings.
> >
> >
> >
> > Thanks.
> >
> > --Brian Desmond
> > [EMAIL PROTECTED]
> > Payton on the web! www.wpcp.org
> >
> > v - 773.534.0034 x135
> > f - 773.534.8101
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > > [EMAIL PROTECTED] On Behalf Of ASB
> > > Sent: Sunday, November 07, 2004 11:32 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] How to Enable a Warning Message During Windows
> > > Logon Welcome
> > >
> > > You would seem to be suggesting that multiple policies cannot be
> > > applied...
> > >
> > > -ASB
> > >
> > > On Fri, 5 Nov 2004 21:19:38 -0600, Brian Desmond
> > > <[EMAIL PROTECTED]> wrote:
> > > > Oh? How do you go about setting password policies, lockout policies,
> > > > kerb policies, etc with this practice?
> > > >
> > > > Thanks.
> > > >
> > > > --Brian Desmond
> > > > [EMAIL PROTECTED]
> > > > Payton on the web! www.wpcp.org
> > > >
> > > > v - 773.534.0034 x135
> > > > f - 773.534.8101
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > > > > [EMAIL PROTECTED] On Behalf Of Jared Manhat
> > > > > Sent: Friday, November 05, 2004 3:07 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
> > > > > Logon Welcome
> > > > >
> > > > > You should never modify the Default Domain Policy, instead create a
> > > > > new one.
> > > > >
> > > > > Jared Manhat
> > > > > Systems Administrator
> > > > > Accutest Laboratories
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
> > > > > Sent: Friday, November 05, 2004 11:01 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows
> > > > > Logon Welcome
> > > > >
> > > > > Try under:
> > > > > Default Domain Policy -> Computer Configuration -> Windows Settings
> > > > > -> Security Settings -> Local Policies -> Security Options -> Message Title
> > > > > for users attempting to logon
> > > > > r/
> > > > > Lou
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
> > > > > Sent: Friday, November 05, 2004 10:52 AM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: [ActiveDir] How to Enable a Warning Message During Windows
> > > > > Logon Welcome
> > > > >
> > > > > Hello,
> > > > >
> > > > > Running Windows 2k AD and I was wondering if there is a way via group
> > > > > policy to enable a warning message during Windows logon welcome. I know
> > > > > there is a reg hack for it, but I won't want to touch 300 desktops.
> > > > > Thanks.
> > > > >
> > > > > Christine
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
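Lou's GPO path and Christine's "reg hack" end up in the same place: the two security options write the legalnoticecaption and legalnoticetext values under the Policies\System key on each machine, which is also where you can verify that the banner actually took effect on the 300 desktops rather than assuming the GPO applied. The following is an added example, not code from the thread: it reads those values on a list of machines and reports each as OK, MISMATCH, MISSING or UNREACHABLE against the text you expect. It assumes PowerShell remoting (WinRM) is enabled to the targets and you hold local admin rights there; the computer names and banner text are constructed samples.

```powershell
# Added example (not from the thread). Verify the logon warning banner is in
# effect on a set of machines by reading the registry values the GPO security
# options "Message title/text for users attempting to log on" write.
# Assumes WinRM is enabled to the targets and you are a local admin there.

$ExpectedCaption = 'Authorized use only'                        # constructed sample
$ExpectedText    = 'This system is for authorized users only.'  # constructed sample
$Computers       = 'WS01','WS02','WS03'                         # constructed sample names

function Get-LogonBannerState {
    # Runs on the target machine and returns the effective banner values.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Caption = $p.legalnoticecaption
        Text    = $p.legalnoticetext
    }
}

function Test-LogonBanner {
    param([string[]]$ComputerName, [string]$Caption, [string]$Text)

    # Invoke-Command stamps each returned object with PSComputerName, which is
    # the name we passed in, so it can be matched back reliably.
    $states = @(Invoke-Command -ComputerName $ComputerName `
                               -ScriptBlock ${function:Get-LogonBannerState} `
                               -ErrorAction SilentlyContinue)

    foreach ($s in $states) {
        $status = if ([string]::IsNullOrEmpty($s.Text)) { 'MISSING' }
                  elseif ($s.Caption -ne $Caption -or $s.Text -ne $Text) { 'MISMATCH' }
                  else { 'OK' }
        [pscustomobject]@{ Computer = $s.PSComputerName; Status = $status; Caption = $s.Caption }
    }

    # Machines that returned nothing (offline, WinRM off, access denied) are
    # reported too; a silent gap in the list would hide exactly the hosts
    # most likely to be out of policy.
    $seen = $states | ForEach-Object { $_.PSComputerName }
    foreach ($c in $ComputerName) {
        if ($seen -notcontains $c) {
            [pscustomobject]@{ Computer = $c; Status = 'UNREACHABLE'; Caption = $null }
        }
    }
}

Test-LogonBanner -ComputerName $Computers -Caption $ExpectedCaption -Text $ExpectedText |
    Format-Table -AutoSize
```

Because the check reads the values the policy writes rather than the GPO itself, it reports the same result whether the banner came from the domain GPO or from a per-machine registry edit, and a MISSING result on a domain-joined machine points at a group policy processing problem on that host.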