|
The only way that I'm aware of where you
can have different lengths (without your own filters, etc.) is if you deny the
domain controllers from reading the necessary attributes on the NC head.
By doing this, and then having multiple policies, I believe you can achieve what
you are talking about. I've not tested this - I'm basing this on a
conversation I had with someone who has tested this (Mr. Wells) -although we had
had a lot to drink at the time, and I might have got things muddled up (very
possible).
Under those circumstances, I assume the
values defined in the GPO work. It seems to be that the DCs favour the
values on the NC head. The values on the NC head are written by the PDCe
-that reads the domain polcies and applies the values to the
domain.
I haven't got round to getting my source
access sorted yet, so can't verify. Hopefully someone with access to the
code can chip in here.
I'm not disputing what you're saying re.
blocking. That will probably stop the PDCe applying this. However, I
don't think the other DCs process this in the same way. Unless there's a
fall back, and you're achieving that via specific filtering, e.g. DC computer
objects or custom groups, i.e. some DCs getting one, and others getting
another...
Interesting. I'll have to try and
repro (which is going to take some time with the current work
load).
--Paul
|
- Re: [ActiveDir] Strange password issue Paul Williams
- RE: [ActiveDir] Strange password issue joe
- RE: [ActiveDir] Strange password issue Akomolafe, Deji
- [ActiveDir] List archive David Adner
- RE: [ActiveDir] List archive Akomolafe, Deji
- RE: [ActiveDir] List archive dinesh shinde
- RE: [ActiveDir] List archive joe
- Re: [ActiveDir] Strange password issue Paul Williams
- RE: [ActiveDir] Strange password issue Akomolafe, Deji
- RE: [ActiveDir] Strange password issue joe
