mailing list archives
Re: Policy enforcement- Admin accounts
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Tue, 18 Dec 2007 10:54:25 -0800
"mgk.mailing" <mgk.mailing () googlemail com> said (on 2007/12/18):
Guys. Afaik you can set in effect password polices on an ou basis. The
polcies are setup via creation of a GPO and then applied to the OU.
Depending on how inheritance is setup afaik the default settings will
mean that the GPO closest to the active directory object (user /
computer) will take effect.
This is incorrect. User accounts, and hence also passwords, belong to
the domain. As such, only domain policies will affect them, as only
domain-wide policies affect the account repository itself.
You will have certainly noticed that password/account policy restrictions
are available in the group policy editor. If you create a policy and apply
it to an OU, it will apply to accounts repositories that live under that
OU. This will not affect domain users, but it will affect local machine
accounts created on any machines within that OU.