Darren, While that also seems intuitive to me, patently something odd happens. It is clearly documented, (well I hope it is, its certainly my understanding) that you can only set password policy on the Domain in a top level GPO not one applied directly to the "domain controllers" OU. Therefore something odd must happen..... Dave.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: 15 September 2006 00:44 To: [email protected] Subject: RE: [ActiveDir] Block Inheritance on DC OU To me it seems intuitive that GP processing would behave the same way for DCs as it would for other computers. And to answer the question, yes I have confirmed this in testing numerous times over the years-most recently the day Ben asked the question. Darren -----Original Message----- From: "Derek Harris" <[EMAIL PROTECTED]> To: [email protected] Sent: 9/14/2006 4:11 PM Subject: RE: [ActiveDir] Block Inheritance on DC OU I did it a couple years ago, and found out that it does block the password policy. It seems intuitive that it shouldn't, but it does. ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Thursday, September 14, 2006 3:54 AM To: [email protected] Subject: RE: [ActiveDir] Block Inheritance on DC OU You say "Obvious" but is this obvious? What happens in the case of password policy. This can only be set at the top level of the domain. Does this block actually prevent it being applied? I would guess that is does, but I wonder if any one has tested it or has any docs on what actually happens. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, September 13, 2006 6:59 PM To: [email protected] Subject: RE: [ActiveDir] Block Inheritance on DC OU Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful. Darren ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Wednesday, September 13, 2006 9:37 AM To: [email protected] Subject: [ActiveDir] Block Inheritance on DC OU The company I am currently working for has "block inheritance" enabled for the Domain Controller's OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this). Although I am curious, what sort of ramifications does enabling "block inheritance" on the Domain Controller's OU pose? And what reason would [truncated by sender] List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk ********************************************************************** List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
