Group Policy

Discussion in 'MCSE' started by Colin, Jan 30, 2006.

  1. I had a fun time figuring out something to do with Group Policy the other
    day, and one of the reasons for that was tools included with Windows not
    giving the correct output, namely gpresult.exe and RSoP.

    I came across a question that asked how to implement changing password and
    lockout policies for a subset of users in a domain. I thought hmmm group
    policy order of application would let me create an OU and assign a GPO to it,
    overriding the Default Domain Group Policy. When I found out I was wrong, and
    the book said modify the Default Domain Policy I thought EHHH the book is
    wrong, which I usually do :) and set out to try it for myself.

    Turns out, as you probably know, that the book was right, and nowhere could
    I find in the Help & Support documentation that there was an exception for
    password policies when it came to the domain policy. Even the Microsoft tools
    gpresult.exe and RSoP said that my OU GPO had taken preference but this was
    not the case! Eventually I found it on a page called "Account and local
    policies" in Help & Support. It seems there are certain attributes of the
    domain object that are applied domain-wide:

    lockOutObservationWindow
    lockoutDuration
    lockoutThreshold
    maxPwdAge
    minPwdAge
    minPwdLength
    and pwdProperties

    I found by experimenting that these can sort of be controlled through a
    security permission on the domain object called "Read Domain Password &
    Lockout Policies". Denying this permission on a user had pretty interesting
    results though, it ended up giving me an error saying that the password could
    not be changed due to not longer than 0 days old, 0 previous passwords and
    not longer than 0 length! (my OU group policy settings "0, 0, 0" but the
    actual domain policy was still being "enforced" and not letting me change it).

    For someone who is used to Group Policy this exception may seem trivial but
    for someone learning it took me a while to get around this, all because it
    was hard to find the information and the server tools gave me incorrect
    answers. Any idea why gpresult.exe and RSoP don't take into account this
    domain security setting and report Group Policy results correctly? I'm
    wondering whether there are any other exceptions I don't know about that I may
    run into in troubleshooting hell later.
    Colin, Jan 30, 2006
    #1
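    As an added example (not from the thread and not a Microsoft tool), a PowerShell function that reads the domain-wide attributes Colin lists straight from the domain object, which is what the DC enforces for domain accounts no matter what gpresult or RSoP show for an OU-linked GPO. It assumes the ActiveDirectory module (RSAT) in a domain-joined, authenticated session.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory PowerShell
# module on a domain-joined machine; attribute names are the AD schema's.
Import-Module ActiveDirectory

# Bit flags carried in the domain object's pwdProperties attribute.
$PwdPropertyFlags = @{
    1  = 'DOMAIN_PASSWORD_COMPLEX'
    2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    8  = 'DOMAIN_LOCKOUT_ADMINS'
    16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}

# Interval attributes are stored as negative counts of 100-ns ticks;
# [long]::MinValue means "never expires" / "locked until an admin unlocks".
function ConvertFrom-AdInterval([long]$Ticks) {
    if ($Ticks -eq [long]::MinValue) { return 'unlimited' }
    return [TimeSpan]::FromTicks(-$Ticks)
}

# Reads the domain-head attributes, i.e. the policy the DC actually applies to
# domain accounts regardless of any GPO linked to an OU.
function Get-DomainHeadPasswordPolicy {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $attrs = 'lockOutObservationWindow', 'lockoutDuration', 'lockoutThreshold',
             'maxPwdAge', 'minPwdAge', 'minPwdLength', 'pwdHistoryLength', 'pwdProperties'
    $d = Get-ADObject -Identity $DomainDn -Properties $attrs

    $flags = foreach ($bit in ($PwdPropertyFlags.Keys | Sort-Object)) {
        if ($d.pwdProperties -band $bit) { $PwdPropertyFlags[$bit] }
    }

    [pscustomobject]@{
        Domain                   = $DomainDn
        MinPasswordLength        = $d.minPwdLength
        PasswordHistoryLength    = $d.pwdHistoryLength
        MinPasswordAge           = ConvertFrom-AdInterval $d.minPwdAge
        MaxPasswordAge           = ConvertFrom-AdInterval $d.maxPwdAge
        LockoutThreshold         = $d.lockoutThreshold       # 0 = no lockout
        LockoutDuration          = ConvertFrom-AdInterval $d.lockoutDuration
        LockoutObservationWindow = ConvertFrom-AdInterval $d.lockOutObservationWindow
        PasswordProperties       = ($flags -join ', ')
    }
}

# Compare this against the OU GPO's Account Policies: only the domain-head
# values bind domain users; the OU GPO only reaches member computers' local SAM.
Get-DomainHeadPasswordPolicy | Format-List
```

    `net accounts /domain` prints the same enforced values from the DC and is a quick cross-check when gpresult and the GPO editor disagree.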

  2. Yup. Password policy is only controlled by the domain GPO. That's the way it
    is in 2000 and 2003. If you need to give different users different password
    policies, you have to put them in different domains in the forest.

    -------------------------------------------
    U.S. Air Force Retiree
    MCSA: Messaging on Windows 2000
    MCSE on Windows 2000

    TBackstrom, Jan 30, 2006
    #2

  3. Colin

    ANIXIS, Jan 30, 2006
    #3
  4. So you're saying the tools are reporting correctly because the OU group policy I
    applied is actually being applied to the local users on the machine?

    So, for example, on a single machine that has a domain password policy and
    an OU password policy applied to it, the domain users logging onto that box
    will get the domain policy settings and the local users will get the OU
    policy settings? I thought the tools would at least report what you would
    be getting for the currently logged on user, which in my case was a domain user.
    Or is this because it is a computer policy?

    Sorry lots 'o questions :)
    Colin, Jan 30, 2006
    #4
