Actually you still agree with me, you just state it differently. :o)

In that case, the domain policy for the user accounts isn't being applied at all.

I believe the idea of the OP sprang from the idea to block a certain OU from having the policy impact the users in that OU. This isn't possible because the policies are actually initiating changes on the default NC of the domain controllers which are applied to all users within the domain. i.e. when you set the lockout policy for instance you impact a couple of attributes on the default NC, specifically
F:\DEV\cpp\dosd>adfind -schema -f ldapdisplayname=*lockout* -nodn -nolabel ldapdisplayname

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

lockOutObservationWindow
lockoutDuration
lockoutThreshold
lockoutTime

4 Objects returned
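The practical check behind the exchange above, as an added example that is not code from the thread or from any of its participants: read the account-policy attributes that the Default Domain Policy writes onto the domain head object (the "default NC" attributes joe lists, plus the password ones) and compare them with the GPO's own security template in SYSVOL. A mismatch is the symptom Larry describes: the setting is in the GPO, but it is not what is landing in the directory. It assumes a domain-joined Windows host, Windows PowerShell 3 or later, and a user that can read SYSVOL and the domain head (any domain user can, by default); the helper names (`ConvertFrom-AdInterval`, `ToDays`, `ToMinutes`) are invented for this example.

```powershell
# Added example, not from the thread. Compares the Default Domain Policy's security
# template with the account-policy attributes actually present on the domain head.
# Assumptions: domain-joined Windows host, Windows PowerShell 3+, read access to
# SYSVOL and the domain head (default for any domain user).

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# 1. What is actually in the directory: a base-scope search on the domain root.
$wanted = 'minPwdLength', 'pwdHistoryLength', 'pwdProperties', 'minPwdAge', 'maxPwdAge',
          'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$($domain.Name)", '(objectClass=*)', [string[]]$wanted)
$searcher.SearchScope = 'Base'
$head = $searcher.FindOne().Properties
$ad = @{}
foreach ($name in $wanted) { $ad[$name] = $head[$name.ToLower()][0] }

# Interval attributes are stored as negative counts of 100-ns ticks. Int64.MinValue
# means "never" (maxPwdAge) or "until an administrator unlocks" (lockoutDuration);
# the GPO template writes those as -1, so the helpers below return -1 for them.
function ConvertFrom-AdInterval([long]$Ticks) {
    if ($Ticks -eq [long]::MinValue) { return $null }
    [TimeSpan]::FromTicks(-$Ticks)
}
function ToDays([long]$Ticks)    { $ts = ConvertFrom-AdInterval $Ticks; if ($null -ne $ts) { [int]$ts.TotalDays }    else { -1 } }
function ToMinutes([long]$Ticks) { $ts = ConvertFrom-AdInterval $Ticks; if ($null -ne $ts) { [int]$ts.TotalMinutes } else { -1 } }

# 2. What the Default Domain Policy's template says. The GUID is the well-known one
#    for the Default Domain Policy in every domain; only [System Access] matters here.
$inf = "\\$($domain.Name)\SYSVOL\$($domain.Name)\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
       "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$gpo = @{}
$inSystemAccess = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
    if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $gpo[$Matches[1]] = [int]$Matches[2] }
}

# 3. Line up both views in the template's units (days, minutes, counts, 0/1).
$rows = @(
    @{ Setting = 'MinimumPasswordLength'; Gpo = $gpo['MinimumPasswordLength']; AD = $ad['minPwdLength'] }
    @{ Setting = 'PasswordHistorySize';   Gpo = $gpo['PasswordHistorySize'];   AD = $ad['pwdHistoryLength'] }
    @{ Setting = 'PasswordComplexity';    Gpo = $gpo['PasswordComplexity'];    AD = [int]($ad['pwdProperties'] -band 1) }  # DOMAIN_PASSWORD_COMPLEX bit
    @{ Setting = 'MinimumPasswordAge';    Gpo = $gpo['MinimumPasswordAge'];    AD = (ToDays $ad['minPwdAge']) }
    @{ Setting = 'MaximumPasswordAge';    Gpo = $gpo['MaximumPasswordAge'];    AD = (ToDays $ad['maxPwdAge']) }
    @{ Setting = 'LockoutBadCount';       Gpo = $gpo['LockoutBadCount'];       AD = $ad['lockoutThreshold'] }
    @{ Setting = 'LockoutDuration';       Gpo = $gpo['LockoutDuration'];       AD = (ToMinutes $ad['lockoutDuration']) }
    @{ Setting = 'ResetLockoutCount';     Gpo = $gpo['ResetLockoutCount'];     AD = (ToMinutes $ad['lockOutObservationWindow']) }
)
foreach ($r in $rows) {
    $state = if ($null -eq $r.Gpo) { 'not set in GPO' } elseif ($r.Gpo -eq $r.AD) { 'OK' } else { 'MISMATCH' }
    '{0,-22} GPO={1,-4} AD={2,-4} {3}' -f $r.Setting, $r.Gpo, $r.AD, $state
}
```

A `MISMATCH` row means whatever wrote the domain head was not this template: the Domain Controllers OU blocking inheritance (Larry's case), another GPO linked at the domain with higher precedence, or a DC that has not processed the policy yet. Confirm with `gpresult /scope computer /r` on a domain controller, starting with the PDC emulator, since that is the DC whose processing of the account policy ends up on the domain head. With RSAT installed, `Get-ADDefaultDomainPasswordPolicy` reads the same eight attributes. On 2008-and-later domains, fine-grained password policies (PSOs) can override these values for particular users and groups, so the domain head is the default, not necessarily the effective policy for a given account.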
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Passo, Larry
Sent: Wednesday, February 16, 2005 3:21 PM
To: [email protected]
Subject: RE: [ActiveDir] Few quick ones on password polices

I used to agree with Joe on topic 2 until I actually ran into a problem in my forest. I needed to make a change to the password complexity setting on one domain and the change wasn’t happening. The problem was that the “block inheritance” setting was checked on the domain controllers OU. Once the checkbox was cleared, the new account policy took effect. This was a Windows 2000 domain.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

1. Correct

2. Yes and no. Account policies as applied onto domain users can't be blocked. However you can block those policies from being applied to the local policies of member machines.

I don't think you need to set "user can not change password", if the person doesn't want their password changed, setting that only prevents them from doing it.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Sutton

Hey all!

Can you do me a quick favour and just confirm that I'm not going mad by agreeing (or not, if I'm wrong) with these:

1) you can only apply password policies (account policies to be exact, but this is a bone of contention here at the moment) at the domain level. i.e.: if the domain is abc.com you have to apply it at that level, not below.

2) account policies cannot be blocked by using the "block inheritance" option? Not too sure on this one, so could do with it clearing up. As a fail safe I'm going to make sure I've got "password never expires" and "user can not change password" options selected for those people who I don't want their password changing just yet.

Any answers greatly received and advice always welcome.

Cheers, folks.

For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241
Eastgate House
Title: Few quick ones on password polices
