[gptalk] Re: Default Domain Policy _ Password Configuration Settings
- From: jfvanmeter@xxxxxxxxxxx
- To: gptalk@xxxxxxxxxxxxx, <gptalk@xxxxxxxxxxxxx>
- Date: Mon, 30 Apr 2007 11:01:50 +0000
Thank you everyone, here is a little more information.
The Win2k3 SP1 is a standardized build that has a local security policy
applied to it via a script that runs at the end of the server build. The
script calls secedit and runs in several inf files, so that the server has some
predefined security settings.
I have two issues I would like help with.
1. When one of the above servers is dcpromo'ed, it appears that once the new DC
started to authenticate users, the new DC does not use the group policies from
sysvol, but applies the local security policy. I've seen this in our lab,
where a tech either forgets to make connectors or creates them wrong.
2. A workstation tries to authenticate, and gets the error that there are "no
domain controllers available to validate your request"; a user can log into the
domain fine from that workstation. If you check the winlogon file, you can
watch group policy being removed and the only security policy left on the
workstation is the local security policy, which doesn't hold the correct user
rights to allow some programs to run.
Any thoughts on how to correct either of the above?
Thanks
Take Care and Have Fun --John
-------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> What it is is a strange mechanism Windows employs to make sure that the DDP
> always reflects account policy that is held on the PDCe's domain NC head.
> So, for example, if you directly modified the Password Length attribute in
> AD on the PDC, there is a process that writes that change into the DDP. It's
> not very well documented but easily tested.
>
> So, in your example below, if you modified account policy outside of the
> DDP, it would get written back regardless of how restrictive it is.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Alan Johnston
> Sent: Saturday, April 28, 2007 12:11 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default Domain Policy _ Password Configuration
> Settings
>
> In this case, would it be true if the modified account policy was less
> restrictive than the DDP, nothing in the DDP will change?
>
> Just curious.
>
> Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
>
> It is possible John. There are certain scenarios where if you modify account
> policy out-of-band of the DDP (e.g. by modifying the local GPO on the PDCe)
> then those changes can be written back to the DDP. It's a "feature". :-)
>
> -----Original Message-----
> From: jfvanmeter@xxxxxxxxxxx
> To: "gpotalk"
> Sent: 4/27/2007 7:25 AM
> Subject: [gptalk] Default Domain Policy _ Password Configuration Settings
>
> Hello everyone, I have a problem that I'm looking for some help with.
>
> Has anyone seen a default domain policy - password settings change from not
> defined to some other settings... i.e. password length goes from not defined to
> 12?
>
> The domain is running in 2000, most of the servers are win2k3 sp1 or win2k
> sp4
>
> thanks for any help
>
> Take Care and Have Fun --john
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at http://www.freelists.org/archives/gptalk/
> ************************
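Darren describes the write-back as "not very well documented but easily tested". The script below is an added example for this thread, not code from any of the posters: it parses the `[System Access]` section of a security template (the format of the DDP's GptTmpl.inf in SYSVOL, and also of what `secedit /export /cfg` writes, so John's locally applied templates can be checked the same way) and compares it with the account policy attributes on the domain NC head, which is what the PDC emulator enforces. Both the template text and the attribute values are constructed inline so it runs offline; the SYSVOL path in the docstring, the attribute names, and the day-to-interval conversion are assumptions drawn from how these values are stored in AD, and a real run would read them from the share and from an LDAP query of the domain root.

```python
r"""Drift check: Default Domain Policy security template vs. domain NC head.

Added example for the gptalk thread; not code from any of the posters.
Constructed inputs stand in for the real sources, which would be
  \\<domain>\SYSVOL\<domain>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
      MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
(the DDP's template) and an LDAP read of the domain root object (assumed
sources, not from the thread). The parser also reads `secedit /export /cfg`
output, so a DC's effective local policy can be compared the same way.
"""
import re

# AD stores maxPwdAge/minPwdAge as negative counts of 100-ns intervals.
HUNDRED_NS_PER_DAY = 864_000_000_000
NEVER = -2**63              # maxPwdAge value AD uses for "never expires"
DOMAIN_PASSWORD_COMPLEX = 0x1   # bit in pwdProperties


def days_to_interval(days):
    """Template days -> AD interval; -1 in the template means 'forever'."""
    d = int(days)
    return NEVER if d == -1 else -d * HUNDRED_NS_PER_DAY


# template key -> (domain head attribute, converter to the AD representation)
INF_TO_AD = {
    "MinimumPasswordLength": ("minPwdLength", int),
    "PasswordHistorySize": ("pwdHistoryLength", int),
    "MaximumPasswordAge": ("maxPwdAge", days_to_interval),
    "MinimumPasswordAge": ("minPwdAge", days_to_interval),
    "LockoutBadCount": ("lockoutThreshold", int),
}

# Constructed template: MinimumPasswordLength is deliberately absent, i.e.
# "Not Defined" in the DDP, the state John's original post started from.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
PasswordHistorySize = 24
LockoutBadCount = 0
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed domain head attributes, as an LDAP read would return them.
SAMPLE_DOMAIN_HEAD = {
    "minPwdLength": 12,
    "pwdHistoryLength": 24,
    "maxPwdAge": -42 * HUNDRED_NS_PER_DAY,
    "minPwdAge": -1 * HUNDRED_NS_PER_DAY,
    "lockoutThreshold": 5,
    "pwdProperties": DOMAIN_PASSWORD_COMPLEX,
}


def parse_system_access(inf_text):
    """Return key/value pairs of the [System Access] section (INI-style)."""
    section, values = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip()
            continue
        if section == "System Access" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def find_drift(inf_text, domain_attrs):
    """Compare template settings with the domain head.

    Returns {attribute: (template_value, domain_value)} for each mismatch;
    a template value of None means the setting is Not Defined in the DDP.
    """
    tmpl = parse_system_access(inf_text)
    drift = {}
    for inf_key, (attr, conv) in INF_TO_AD.items():
        want = conv(tmpl[inf_key]) if inf_key in tmpl else None
        have = domain_attrs.get(attr)
        if want != have:
            drift[attr] = (want, have)
    want_c = (tmpl["PasswordComplexity"] == "1") if "PasswordComplexity" in tmpl else None
    have_c = bool(domain_attrs.get("pwdProperties", 0) & DOMAIN_PASSWORD_COMPLEX)
    if want_c != have_c:
        drift["pwdProperties_complex"] = (want_c, have_c)
    return drift


if __name__ == "__main__":
    for attr, (want, have) in sorted(find_drift(SAMPLE_INF, SAMPLE_DOMAIN_HEAD).items()):
        shown = "Not Defined" if want is None else want
        print(f"{attr}: DDP template={shown}  domain head={have}")
```

On the constructed input the report shows `minPwdLength` as Not Defined in the template while the domain head holds 12, and a lockout threshold of 0 versus 5: exactly the kind of gap the mechanism Darren describes closes by writing the domain head's values into the DDP. Running the comparison on a schedule, and keeping the previous template for diffing, turns the "easily tested" behaviour into a detection for out-of-band account policy changes rather than a surprise found after the fact.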
--- Begin Message ---
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Sat, 28 Apr 2007 19:37:40 +0000
What it is is a strange mechanism Windows employs to make sure
that the DDP always reflects account policy that is held on the PDCe's
domain NC head. So, for example, if you directly modified the Password Length
attribute in AD on the PDC, there is a process that writes that change
into the DDP. It's not very well documented but easily tested.
So, in your example below, if you modified account policy outside
of the DDP, it would get written back regardless of how restrictive it is.
Darren
--- End Message ---