What I typically tell folks is that, wherever you set
account policy, make sure that it is well protected (i.e. ACLd so that only few
admins can touch it) and its probably best to do nothing else in that GPO
aside from Account Policy. The less stuff going on there and the less
people mucking with it, the less chance that security-related policy gets
changed inadvertantly by someone "exploring" a GPO.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, December 15, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Domain Policy
Yes you can but just use the default
domain policy. I don't recall seeing the argument in that debate that would make
me think this wasn't something people would want to do. I.E. I don't see a
benefit in not using it. Either way the policy is being set.
:o)
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Wednesday, December 15, 2004 11:52 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Default Domain Policy
Hello,
Quick
question. If I want to implement a password policy for my domain, do I
have to use the default domain policy? Or can I add my own newly created
policy at the domain level and modify that with my password requirements?
The reason I ask, is because of the don't use the default domain policy debate
that went on about a month ago.
TIA
-Christine
Christine N. Allen
Citrix/Windows 2000
Engineer
BMC Healthnet Plan
One Design Center Place
Boston, MA
02210
Work: 617-748-6034
Cell:
617-290-4407
