[gptalk] Re: Default Domain Policy _ Password Configuration Settings

• From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
• To: <gptalk@xxxxxxxxxxxxx>
• Date: Sat, 28 Apr 2007 12:37:32 -0700

What it is is a strange mechanism Windows employs to make sure that the DDP
always reflects account policy that is held on the PDCe's domain NC head.
So, for example, if you directly modified the Password Length attribute in
AD on the PDC-there is a process that writes that change into the DDP. Its
not very well documented but easily tested. 

 

So, in your example below, if you modified account policy outside of the
DDP, it would get written back regardless of how restrictive it is.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Alan Johnston
Sent: Saturday, April 28, 2007 12:11 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain Policy _ Password Configuration
Settings

 

In this case, would it be true if the modified account policy was less
restrictive than the DDP, nothing in the DDP will change?

 

Just curious.

Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

It is possible John. There are certain scenarios where if you modify account
policy out-of-band of he DDP (e.g. By modifying the local GPO on the PDCe)
then those changes can be wriiten back to the DDP. Its a "feature". : :-)

-----Original Message-----
From: jfvanmeter@xxxxxxxxxxx
To: "gpotalk" 
Sent: 4/27/2007 7:25 AM
Subject: [gptalk] Default Domain Policy _ Password Configuration Settings

Hello every, I have a problem that I'm looking for some help with.

Has anyone saw a default domain policy - password settings change from not
defined to some other settings...ie password length goes from not defined to
12?

The domain is running in 2000, most of the server are win2k3 sp1 or win2k
sp4

thanks for any help

Take Care and Have Fun --john
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

 

  

  _____  

Ahhh...imagining that irresistible "new car" smell?
Check out new
<http://us.rd.yahoo.com/evt=48245/*http:/autos.yahoo.com/new_cars.html;_ylc=
X3oDMTE1YW1jcXJ2BF9TAzk3MTA3MDc2BHNlYwNtYWlsdGFncwRzbGsDbmV3LWNhcnM->  cars
at Yahoo! Autos. 

• References:
  • [gptalk] Re: Default Domain Policy _ Password Configuration Settings
    • From: Darren Mar-Elia
  • [gptalk] Re: Default Domain Policy _ Password Configuration Settings
    • From: Alan Johnston

Other related posts:

• » [gptalk] Default Domain Policy _ Password Configuration Settings
• » [gptalk] Re: Default Domain Policy _ Password Configuration Settings
• » [gptalk] Re: Default Domain Policy _ Password Configuration Settings
• » [gptalk] Re: Default Domain Policy _ Password Configuration Settings
• » [gptalk] Re: Default Domain Policy _ Password Configuration Settings
• » [gptalk] Re: Default Domain Policy _ Password Configuration Settings

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page

• » View list details
• » Manage your subscription