GPO questions

Hi,
I am going through a Transcender for 70-217, and it states "When a password
policy is set at the domain level and the Block Policy Inheritance option is
enabled at the OU level, the password policy overrides the enabled block
policy inheritance option." I though you would have to set the no override
option at the higher lever GPO for this action to take place. Any other
got-ya's ?
Thanks - Wayne

=?Utf-8?B?V2F5bmU=?=

That is not a trick question. Password policy is set at the domain
level...period, it can't be blocked or over ridden at any other subsequent
level. Password policy is one of a few that are "immutable". If you want a
password policy that differs from that established with in a domain, your
only recourse is to establish another domain in the forest.

"Wayne" <> wrote in message
news:290AAF2D-26B8-47E0-AF67-...
> Hi,
> I am going through a Transcender for 70-217, and it states "When a
> password
> policy is set at the domain level and the Block Policy Inheritance option
> is
> enabled at the OU level, the password policy overrides the enabled block
> policy inheritance option." I though you would have to set the no
> override
> option at the higher lever GPO for this action to take place. Any other
> got-ya's ?
> Thanks - Wayne

zenner

Are there any other "immutable" items I should know about?
Thanks - Wayne

"zenner" wrote:

> That is not a trick question. Password policy is set at the domain
> level...period, it can't be blocked or over ridden at any other subsequent
> level. Password policy is one of a few that are "immutable". If you want a
> password policy that differs from that established with in a domain, your
> only recourse is to establish another domain in the forest.
>
> "Wayne" <> wrote in message
> news:290AAF2D-26B8-47E0-AF67-...
> > Hi,
> > I am going through a Transcender for 70-217, and it states "When a
> > password
> > policy is set at the domain level and the Block Policy Inheritance option
> > is
> > enabled at the OU level, the password policy overrides the enabled block
> > policy inheritance option." I though you would have to set the no
> > override
> > option at the higher lever GPO for this action to take place. Any other
> > got-ya's ?
> > Thanks - Wayne
>
>
>

=?Utf-8?B?V2F5bmU=?=

Most global/security related parameters...IPSec, passwords, file system
(FRS) cannot be modified.

One of the really good things about Transcenders study guides is the
bibliography, I have found they have references for all, or at least most,
questions ...usually citing readily available manuals, whitepapers or tech
(net) articles. A lot of the articles even have Hyperlinks. Also in the
configuration/ readme files there is a lot of info that most people overlook
in their haste to start on the exams.

Have you studied for or taken the exam for 70-216 (network infrastructure
administration)? Or 70-291?

"Wayne" <> wrote in message
news:9FC8F7C8-126B-435C-BAD5-...
> Are there any other "immutable" items I should know about?
> Thanks - Wayne
>
> "zenner" wrote:
>
>> That is not a trick question. Password policy is set at the domain
>> level...period, it can't be blocked or over ridden at any other
>> subsequent
>> level. Password policy is one of a few that are "immutable". If you want
>> a
>> password policy that differs from that established with in a domain, your
>> only recourse is to establish another domain in the forest.
>>
>> "Wayne" <> wrote in message
>> news:290AAF2D-26B8-47E0-AF67-...
>> > Hi,
>> > I am going through a Transcender for 70-217, and it states "When a
>> > password
>> > policy is set at the domain level and the Block Policy Inheritance
>> > option
>> > is
>> > enabled at the OU level, the password policy overrides the enabled
>> > block
>> > policy inheritance option." I though you would have to set the no
>> > override
>> > option at the higher lever GPO for this action to take place. Any
>> > other
>> > got-ya's ?
>> > Thanks - Wayne
>>
>>
>>

zenner

Hi,
I took 70-216 last month and passed...Next up is 70-217, then 70-219, then
70-292 and 296....I do like the Trancenders. I use a combo of Trancenders,
Sybex, Microsoft press, and labs. So far it has worked.

"zenner" wrote:

> Most global/security related parameters...IPSec, passwords, file system
> (FRS) cannot be modified.
>
> One of the really good things about Transcenders study guides is the
> bibliography, I have found they have references for all, or at least most,
> questions ...usually citing readily available manuals, whitepapers or tech
> (net) articles. A lot of the articles even have Hyperlinks. Also in the
> configuration/ readme files there is a lot of info that most people overlook
> in their haste to start on the exams.
>
> Have you studied for or taken the exam for 70-216 (network infrastructure
> administration)? Or 70-291?
>
> "Wayne" <> wrote in message
> news:9FC8F7C8-126B-435C-BAD5-...
> > Are there any other "immutable" items I should know about?
> > Thanks - Wayne
> >
> > "zenner" wrote:
> >
> >> That is not a trick question. Password policy is set at the domain
> >> level...period, it can't be blocked or over ridden at any other
> >> subsequent
> >> level. Password policy is one of a few that are "immutable". If you want
> >> a
> >> password policy that differs from that established with in a domain, your
> >> only recourse is to establish another domain in the forest.
> >>
> >> "Wayne" <> wrote in message
> >> news:290AAF2D-26B8-47E0-AF67-...
> >> > Hi,
> >> > I am going through a Transcender for 70-217, and it states "When a
> >> > password
> >> > policy is set at the domain level and the Block Policy Inheritance
> >> > option
> >> > is
> >> > enabled at the OU level, the password policy overrides the enabled
> >> > block
> >> > policy inheritance option." I though you would have to set the no
> >> > override
> >> > option at the higher lever GPO for this action to take place. Any
> >> > other
> >> > got-ya's ?
> >> > Thanks - Wayne
> >>
> >>
> >>
>
>
>

=?Utf-8?B?V2F5bmU=?=

The Sybex book stated that using block inheritance at the OU would be like
starting out with a "clean slate". As to the trancender question it only
delt with the password policy at the domain level and the block inhertance
setting at the OU, no other perticular settings.
- Wayne

"Steven L Umbach" wrote:

> Let my clarify myself [not always easy to do].
>
> >In such case block inheritance at the OU would mean that the
> >password/account policy settings defined in Local Security Policy of the
> >domain computers in that OU would apply to the local users on those domain
> >computers - not what is configured at the domain level.
>
> What I meant is that Local Security Policy password/account settings would
> apply to computers in that OU assuming that the OU did not have a Group
> Policy linked to it that also had password/account settings defined. If it
> did then those GPO defined settings would apply to the "local" users on
> computers in that OU structure. Your question did not mention specifics
> about any GPO at the OU where block inheritance was enabled but typically if
> block inheritance is enabled on an OU then there are no like defined
> settings defined via a GPO at the OU level anyhow. --- Steve
>
>
> "Steven L Umbach" <> wrote in message
> news:%...
> > That is not entirely true. You must make the distinction between "domain"
> > users and "local" computer users on domain computers. You can define
> > password/account policy at the OU level but it will apply ONLY to local
> > users on domain computer within the scope of management of that OU. In
> > such case block inheritance at the OU would mean that the password/account
> > policy settings defined in Local Security Policy of the domain computers
> > in that OU would apply to the local users on those domain computers - not
> > what is configured at the domain level.
> >
> > Why does this all matter? Well maybe you would want to have different
> > password/account policy for the local computer accounts in the domain many
> > of which may only contain the built in administrator account and the guest
> > account which would be disabled by default. The local administrator
> > account on a domain computer while not all powerful in the domain
> > certainly is an important account on sensitive domain computers such as
> > the Enterprise Certificate Authority or any other important
> > mputers. --- Steve
> >
> >
> > "Wayne" <> wrote in message
> > news:290AAF2D-26B8-47E0-AF67-...
> >> Hi,
> >> I am going through a Transcender for 70-217, and it states "When a
> >> password
> >> policy is set at the domain level and the Block Policy Inheritance option
> >> is
> >> enabled at the OU level, the password policy overrides the enabled block
> >> policy inheritance option." I though you would have to set the no
> >> override
> >> option at the higher lever GPO for this action to take place. Any other
> >> got-ya's ?
> >> Thanks - Wayne
> >
> >
>
>
>

=?Utf-8?B?V2F5bmU=?=

That is not entirely true. You must make the distinction between "domain"
users and "local" computer users on domain computers. You can define
password/account policy at the OU level but it will apply ONLY to local
users on domain computer within the scope of management of that OU. In such
case block inheritance at the OU would mean that the password/account policy
settings defined in Local Security Policy of the domain computers in that OU
would apply to the local users on those domain computers - not what is
configured at the domain level.

Why does this all matter? Well maybe you would want to have different
password/account policy for the local computer accounts in the domain many
of which may only contain the built in administrator account and the guest
account which would be disabled by default. The local administrator account
on a domain computer while not all powerful in the domain certainly is an
important account on sensitive domain computers such as the Enterprise
Certificate Authority or any other important computers. --- Steve


"Wayne" <> wrote in message
news:290AAF2D-26B8-47E0-AF67-...
> Hi,
> I am going through a Transcender for 70-217, and it states "When a
> password
> policy is set at the domain level and the Block Policy Inheritance option
> is
> enabled at the OU level, the password policy overrides the enabled block
> policy inheritance option." I though you would have to set the no
> override
> option at the higher lever GPO for this action to take place. Any other
> got-ya's ?
> Thanks - Wayne

Steven L Umbach

Let my clarify myself [not always easy to do].

>In such case block inheritance at the OU would mean that the
>password/account policy settings defined in Local Security Policy of the
>domain computers in that OU would apply to the local users on those domain
>computers - not what is configured at the domain level.

What I meant is that Local Security Policy password/account settings would
apply to computers in that OU assuming that the OU did not have a Group
Policy linked to it that also had password/account settings defined. If it
did then those GPO defined settings would apply to the "local" users on
computers in that OU structure. Your question did not mention specifics
about any GPO at the OU where block inheritance was enabled but typically if
block inheritance is enabled on an OU then there are no like defined
settings defined via a GPO at the OU level anyhow. --- Steve


"Steven L Umbach" <> wrote in message
news:%...
> That is not entirely true. You must make the distinction between "domain"
> users and "local" computer users on domain computers. You can define
> password/account policy at the OU level but it will apply ONLY to local
> users on domain computer within the scope of management of that OU. In
> such case block inheritance at the OU would mean that the password/account
> policy settings defined in Local Security Policy of the domain computers
> in that OU would apply to the local users on those domain computers - not
> what is configured at the domain level.
>
> Why does this all matter? Well maybe you would want to have different
> password/account policy for the local computer accounts in the domain many
> of which may only contain the built in administrator account and the guest
> account which would be disabled by default. The local administrator
> account on a domain computer while not all powerful in the domain
> certainly is an important account on sensitive domain computers such as
> the Enterprise Certificate Authority or any other important
> mputers. --- Steve
>
>
> "Wayne" <> wrote in message
> news:290AAF2D-26B8-47E0-AF67-...
>> Hi,
>> I am going through a Transcender for 70-217, and it states "When a
>> password
>> policy is set at the domain level and the Block Policy Inheritance option
>> is
>> enabled at the OU level, the password policy overrides the enabled block
>> policy inheritance option." I though you would have to set the no
>> override
>> option at the higher lever GPO for this action to take place. Any other
>> got-ya's ?
>> Thanks - Wayne
>
>

Steven L Umbach

Other than password/account policy for domain users block inheritance at the
OU level will prevent Group Policy defined settings from levels in the
domain above the OU from applying to computer/users in the OU structure with
the exception in that if the Group Policy at the "upper" levels is
configured with "no override" then no override wins even if block
inheritance is enabled. --- Steve


"Wayne" <> wrote in message
news:4844A45A-3F17-4647-A4FD-...
> The Sybex book stated that using block inheritance at the OU would be like
> starting out with a "clean slate". As to the trancender question it only
> delt with the password policy at the domain level and the block inhertance
> setting at the OU, no other perticular settings.
> - Wayne
>
> "Steven L Umbach" wrote:
>
>> Let my clarify myself [not always easy to do].
>>
>> >In such case block inheritance at the OU would mean that the
>> >password/account policy settings defined in Local Security Policy of the
>> >domain computers in that OU would apply to the local users on those
>> >domain
>> >computers - not what is configured at the domain level.
>>
>> What I meant is that Local Security Policy password/account settings
>> would
>> apply to computers in that OU assuming that the OU did not have a Group
>> Policy linked to it that also had password/account settings defined. If
>> it
>> did then those GPO defined settings would apply to the "local" users on
>> computers in that OU structure. Your question did not mention specifics
>> about any GPO at the OU where block inheritance was enabled but typically
>> if
>> block inheritance is enabled on an OU then there are no like defined
>> settings defined via a GPO at the OU level anyhow. --- Steve
>>
>>
>> "Steven L Umbach" <> wrote in message
>> news:%...
>> > That is not entirely true. You must make the distinction between
>> > "domain"
>> > users and "local" computer users on domain computers. You can define
>> > password/account policy at the OU level but it will apply ONLY to local
>> > users on domain computer within the scope of management of that OU. In
>> > such case block inheritance at the OU would mean that the
>> > password/account
>> > policy settings defined in Local Security Policy of the domain
>> > computers
>> > in that OU would apply to the local users on those domain computers -
>> > not
>> > what is configured at the domain level.
>> >
>> > Why does this all matter? Well maybe you would want to have different
>> > password/account policy for the local computer accounts in the domain
>> > many
>> > of which may only contain the built in administrator account and the
>> > guest
>> > account which would be disabled by default. The local administrator
>> > account on a domain computer while not all powerful in the domain
>> > certainly is an important account on sensitive domain computers such as
>> > the Enterprise Certificate Authority or any other important
>> > mputers. --- Steve
>> >
>> >
>> > "Wayne" <> wrote in message
>> > news:290AAF2D-26B8-47E0-AF67-...
>> >> Hi,
>> >> I am going through a Transcender for 70-217, and it states "When a
>> >> password
>> >> policy is set at the domain level and the Block Policy Inheritance
>> >> option
>> >> is
>> >> enabled at the OU level, the password policy overrides the enabled
>> >> block
>> >> policy inheritance option." I though you would have to set the no
>> >> override
>> >> option at the higher lever GPO for this action to take place. Any
>> >> other
>> >> got-ya's ?
>> >> Thanks - Wayne
>> >
>> >
>>
>>
>>

Steven L Umbach