Darren,
Can you please confirm your testing. As I understand it, account policy is
processed very differently - the PDCe applies it to the domain NC head via a
process called SCE (can't remember what that stands for).
I also tried to confirm this, and am getting slightly different results to
what you say. Basically, I just blocked inheritance on OU=Domain
Controllers... and forced policy application (gpupdate /force) on the PDCe
and another DC in the same site. I then ran RSoP and no password policy is
defined on the DCs. However, the password policy is still in effect
(because it hasn't been removed from the domainDNS object). I also have a
GPO linked to the DCs OU which defines a pwd length of 6. That doesn't show
up in RSoP data nor is it applied - I have to create an 8 character length
password. This is very limited, and I obviously haven't exhausted the
testing, but this is what I expected based on my understanding of the PDCe
writing those values on the NC head after reading them, out of band if you
like, from domain-linked GPOs.
Note. I've no idea if this SCE thread on the PDCe runs independently of
normal policy application or not. I was hoping you would know. But based
on your response, I'm starting to question my understanding...as you are GPO
;-)
--Paul
----- Original Message -----
From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, September 15, 2006 12:43 AM
Subject: RE: [ActiveDir] Block Inheritance on DC OU
To me it seems intuitive that GP processing would behave the same way for
DCs as it would for other computers. And to answer the question, yes I
have confirmed this in testing numerous times over the years - most recently
the day Ben asked the question.
Darren
-----Original Message-----
From: "Derek Harris" <[EMAIL PROTECTED]>
To: [email protected]
Sent: 9/14/2006 4:11 PM
Subject: RE: [ActiveDir] Block Inheritance on DC OU
I did it a couple years ago, and found out that it does block the
password policy. It seems intuitive that it shouldn't, but it does.
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, September 14, 2006 3:54 AM
To: [email protected]
Subject: RE: [ActiveDir] Block Inheritance on DC OU
You say "Obvious" but is this obvious? What happens in the case of
password policy. This can only be set at the top level of the domain.
Does this block actually prevent it being applied? I would guess that it
does, but I wonder if anyone has tested it or has any docs on what
actually happens.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: [email protected]
Subject: RE: [ActiveDir] Block Inheritance on DC OU
Well, the obvious effect is that it prevents domain-linked policies from
being delivered correctly, including password policy. This is probably
not desirable. I can't think of a good scenario where this would be
useful.
Darren
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: [email protected]
Subject: [ActiveDir] Block Inheritance on DC OU
The company I am currently working for has "block inheritance" enabled
for the Domain Controller's OU and apparently whoever enabled this
setting is no longer with the company (or they won't fess up to why they
did this).
Although I am curious, what sort of ramifications does enabling "block
inheritance" on the Domain Controller's OU pose? And what reason would
[truncated by sender]
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
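
An added example, not part of the original thread: a read-only PowerShell check that gathers the three things the messages above compare, namely whether Block Inheritance is set on the Domain Controllers OU, which GPO links still reach that OU, and the password policy values currently stored on the domain NC head. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account that can read the domain; the function name is hypothetical.

```powershell
# Added example: audit Block Inheritance on the Domain Controllers OU and
# compare it with the password policy held on the domain head. Read-only.
Import-Module ActiveDirectory, GroupPolicy

function Get-DcOuPolicyAudit {
    # Query the PDC emulator so the directory values come from the DC
    # the thread discusses.
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    $dcOu   = $domain.DomainControllersContainer

    # Bit 0 of gPOptions on a container is the Block Inheritance flag.
    $ou      = Get-ADOrganizationalUnit -Identity $dcOu -Properties gPOptions -Server $pdc
    $blocked = [bool]($ou.gPOptions -band 1)

    # Links that still apply to the OU after inheritance is evaluated.
    # With blocking on, domain-linked GPOs appear here only if Enforced.
    $som   = Get-GPInheritance -Target $dcOu -Server $pdc
    $links = $som.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Enabled

    # Effective domain password policy, read from the attributes on the
    # domainDNS object (minPwdLength, maxPwdAge, lockoutThreshold, ...).
    $pw = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $pdc

    [pscustomobject]@{
        DomainControllersOU  = $dcOu
        PdcEmulator          = $pdc
        BlockInheritance     = $blocked
        BlockedPerGpmc       = $som.GpoInheritanceBlocked
        InheritedGpoLinks    = $links
        MinPasswordLength    = $pw.MinPasswordLength
        PasswordHistoryCount = $pw.PasswordHistoryCount
        MaxPasswordAge       = $pw.MaxPasswordAge
        LockoutThreshold     = $pw.LockoutThreshold
        ComplexityEnabled    = $pw.ComplexityEnabled
    }
}

$audit = Get-DcOuPolicyAudit
$audit | Format-List DomainControllersOU, PdcEmulator, BlockInheritance,
    BlockedPerGpmc, MinPasswordLength, PasswordHistoryCount,
    MaxPasswordAge, LockoutThreshold, ComplexityEnabled
$audit.InheritedGpoLinks | Format-Table -AutoSize
```

Running it before and after a change to the OU or to a domain-linked GPO, alongside the RSoP output on a DC, shows whether the values on the domain head moved.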