I had a fun time figuring out something to do with Group Policy the other
day, and one of the reasons for that was tools included with Windows not
giving the correct output, namely gpresult.exe and RSoP.

I came across a question that asked how to implement changing password and
lockout policies for a subset of users in a domain. I thought hmmm group
policy order of application would let me create an OU and assign a GPO to it,
overriding the Default Domain Group Policy. When I found out I was wrong, and
the book said modify the Default Domain Policy I thought EHHH the book is
wrong, which I usually do :) and set out to try it for myself.

Turns out, as you probably know, that the book was right, and nowhere could
I find in the Help & Support documentation that there was an exception for
password policies when it came to the domain policy. Even the Microsoft tools
gpresult.exe and RSoP said that my OU GPO had taken preference but this was
not the case! Eventually I found it on a page called "Account and local
policies" in Help & Support. It seems there are certain attributes of the
domain object that are applied domain-wide:

lockOutObservationWindow
lockoutDuration
lockoutThreshold
maxPwdAge
minPwdAge
minPwdLength
and pwd-Properties

I found by experimenting that these can sort of be controlled through a
security permission on the domain object called "Read Domain Password &
Lockout Policies". Denying this permission on a user had pretty interesting
results though, it ended up giving me an error saying that the password could
not be changed due to not longer than 0 days old, 0 previous passwords and
not longer than 0 length! (my OU group policy settings "0, 0, 0" but the
actual domain policy was still being "enforced" and not letting me change it).

For someone who is used to Group Policy this exception may seem trivial but
for someone learning it took me a while to get around this, all because it
was hard to find the information and the server tools gave me incorrect
answers. Any idea why gpresult.exe and RSoP don't take into account this
domain security setting and report Group Policy results correctly? I'm
thinking of if there are any other exceptions I don't know about that I may
run into troubleshooting hell later.

RE: Group Policy by TBackstrom

TBackstrom
Mon Jan 30 10:05:30 CST 2006

Yup. Password policy is only controlled by the domain GPO. That's the way it
is in 2000 and 2003. If you need to give different users different password
policies, you have to put them in different domains in the forest.

-------------------------------------------
U.S. Air Force Retiree
MCSA: Messaging on Windows 2000
MCSE on Windows 2000



"Colin" wrote:

> I had a fun time figuring out something to do with Group Policy the other
> day, and one of the reasons for that was tools included with Windows not
> giving the correct output, namely gpresult.exe and RSoP.
>
> I came across a question that asked how to implement changing password and
> lockout policies for a subset of users in a domain. I thought hmmm group
> policy order of application would let me create an OU and assign a GPO to it,
> overriding the Default Domain Group Policy. When I found out I was wrong, and
> the book said modify the Default Domain Policy I thought EHHH the book is
> wrong, which I usually do :) and set out to try it for myself.
>
> Turns out, as you probably know, that the book was right, and nowhere could
> I find in the Help & Support documentation that there was an exception for
> password policies when it came to the domain policy. Even the Microsoft tools
> gpresult.exe and RSoP said that my OU GPO had taken preference but this was
> not the case! Eventually I found it on a page called "Account and local
> policies" in Help & Support. It seems there are certain attributes of the
> domain object that are applied domain-wide:
>
> lockOutObservationWindow
> lockoutDuration
> lockoutThreshold
> maxPwdAge
> minPwdAge
> minPwdLength
> and pwd-Properties
>
> I found by experimenting that these can sort of be controlled through a
> security permission on the domain object called "Read Domain Password &
> Lockout Policies". Denying this permission on a user had pretty interesting
> results though, it ended up giving me an error saying that the password could
> not be changed due to not longer than 0 days old, 0 previous passwords and
> not longer than 0 length! (my OU group policy settings "0, 0, 0" but the
> actual domain policy was still being "enforced" and not letting me change it).
>
> For someone who is used to Group Policy this exception may seem trivial but
> for someone learning it took me a while to get around this, all because it
> was hard to find the information and the server tools gave me incorrect
> answers. Any idea why gpresult.exe and RSoP don't take into account this
> domain security setting and report Group Policy results correctly? I'm
> thinking of if there are any other exceptions I don't know about that I may
> run into troubleshooting hell later.

Re: Group Policy by ANIXIS

ANIXIS
Mon Jan 30 11:21:44 CST 2006

The results are displayed correctly, you just need to interpret them
correctly :) See link below.

http://groups.google.com.au/group/microsoft.public.windows.server.active_directory/msg/74b9a17cb34f8dd7?hl=en&


Re: Group Policy by Colin

Colin
Mon Jan 30 16:55:26 CST 2006

So you're saying the tools are reporting correctly because the OU group policy I
applied is actually being applied to the local users on the machine?

So, for example, on a single machine that has a domain password policy and
an OU password policy applied to it, the domain users logging onto that box
will get the domain policy settings and the local users will get the OU
policy settings? I thought the tools would at least report what you would be
getting for the currently logged on user, which in my case was a domain user.
Or is this because it is a computer policy?

Sorry lots 'o questions :)
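A check that settles the question raised in the first post and in this follow-up, added here as an example and not code from anyone in the thread: it reads the attributes Colin lists (plus pwdHistoryLength, which sits on the same object) straight off the domain head, which is the policy every domain account gets regardless of OU, and then prints the local computer's own account policy, which is what an OU-linked GPO actually changes and what gpresult/RSoP were reporting. It assumes a domain-joined Windows host with the .NET System.DirectoryServices classes available.

```powershell
# Added example, not code from the thread. Reads the password and lockout
# attributes the thread lists straight off the domain head object (the settings
# every domain account gets, whatever gpresult/RSoP reports) and then shows the
# local computer's own account policy, which is what an OU-linked GPO changes.
# Assumes a domain-joined Windows host; uses only .NET System.DirectoryServices.

function ConvertFrom-AdInterval([long]$Ticks) {
    # Intervals are stored as negative 100-nanosecond counts. Int64.MinValue means
    # "never" (maxPwdAge) or "until an administrator unlocks" (lockoutDuration).
    if ($Ticks -eq [long]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$Ticks)
}

function Get-DomainHeadPasswordPolicy {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainDn = $rootDse.Properties['defaultNamingContext'][0]
    $attrs    = 'maxPwdAge', 'minPwdAge', 'minPwdLength', 'pwdHistoryLength',
                'pwdProperties', 'lockoutThreshold', 'lockoutDuration',
                'lockOutObservationWindow'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'Base'   # read the domain head itself, not its children
    $searcher.PropertiesToLoad.AddRange([string[]]$attrs)
    $p = $searcher.FindOne().Properties
    # pwdProperties is a bit field (MS-SAMR DOMAIN_PASSWORD_INFORMATION flags).
    $flags = @{ 1  = 'DOMAIN_PASSWORD_COMPLEX';         2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
                4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'; 8  = 'DOMAIN_LOCKOUT_ADMINS'
                16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'; 32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE' }
    $props = [int]$p['pwdproperties'][0]
    $set   = $flags.Keys | Where-Object { $props -band $_ } | Sort-Object |
             ForEach-Object { $flags[$_] }
    [pscustomobject]@{
        Domain                   = $domainDn
        MinPwdLength             = [int]$p['minpwdlength'][0]
        PwdHistoryLength         = [int]$p['pwdhistorylength'][0]
        MaxPwdAge                = ConvertFrom-AdInterval $p['maxpwdage'][0]
        MinPwdAge                = ConvertFrom-AdInterval $p['minpwdage'][0]
        LockoutThreshold         = [int]$p['lockoutthreshold'][0]
        LockoutDuration          = ConvertFrom-AdInterval $p['lockoutduration'][0]
        LockOutObservationWindow = ConvertFrom-AdInterval $p['lockoutobservationwindow'][0]
        PwdProperties            = ($set -join ', ')
    }
}

Get-DomainHeadPasswordPolicy | Format-List
Write-Host '--- local account policy on this computer (what the OU GPO changed) ---'
net accounts
```

If the two outputs differ on a member server, the first block is what a domain user logging on there is held to, and the second is what local SAM accounts on that box get.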