
Security Basics mailing list archives

RE: Group Policy Inheritance
From: "Ramsdell, Scott" <sramsdell () stinsonmoheck com>
Date: Mon, 27 Feb 2006 11:37:23 -0600

Peter,

Domain password policy is domain wide and cannot be blocked.  As stated
by others, the inheritance works as you would expect except for the
default domain policy's password settings (at least).  I don't know
about other settings within the default policy, as I've always only
implemented the password and account policies in this policy.  Any other
policy I want to implement is implemented in other GPOs.

Per Microsoft: "There can be only a single password policy for each
account database. An Active Directory domain is considered a single
account database, as is the local account database on stand-alone
computers."

From here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

If you want to set a different password policy for a group of users,
administrators for instance, you will unfortunately have to have another
domain.

You would set the policy in the second domain how you want, then form a
trust, and drop the security group from the second domain into the
administrators built-in security group in the first domain.  Note, the
administrators built-in security group is different from the domain
admins group.

Regards,
Scott



-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com] 
Sent: Saturday, February 25, 2006 1:15 AM
To: security-basics () securityfocus com
Subject: RE: Group Policy Inheritance

You are right. Domain Policy still applies. 

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com] 
Sent: Saturday, February 25, 2006 12:43 AM
To: security-basics () securityfocus com
Subject: Group Policy Inheritance

Hi all,

If we set block policy inheritance on the child OU, will the domain
policy be blocked too (esp. domain password policy)?  My understanding
is that it only blocks the parent OU policy, not domain policy.  Can
anyone confirm?

Thanks,

Peter

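
One way to check this on a live domain, as an added example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT, Windows Server 2008 R2 or later), which postdate these messages, and read access to the current domain. It prints the single password policy held for the domain, then every OU with Block Inheritance set and the GPO links that still reach it.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) and read access to the current domain.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# The one password policy for the domain's account database. It is read
# for the domain as a whole; no OU is involved in this lookup.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold |
    Format-List

# Every OU with Block Inheritance set, the GPOs linked directly to it, and
# the links from higher containers that Get-GPInheritance still reports
# as applying to it.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $inh = Get-GPInheritance -Target $_.DistinguishedName
    if ($inh.GpoInheritanceBlocked) {
        # GPO GUIDs of the links made on this OU itself
        $directIds = @($inh.GpoLinks | ForEach-Object { $_.GpoId })

        # Links in the resultant list that were not made on this OU
        $fromAbove = @($inh.InheritedGpoLinks |
            Where-Object { $directIds -notcontains $_.GpoId } |
            ForEach-Object { $_.DisplayName })

        [pscustomobject]@{
            OU            = $_.DistinguishedName
            LinkedHere    = ($inh.GpoLinks | ForEach-Object { $_.DisplayName }) -join '; '
            StillFromAbove = $fromAbove -join '; '
        }
    }
} | Format-List
```

The password values printed first are the same whichever OU an account sits in, including the OUs listed in the second part.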

