[gptalk] Re: Default Domain Policy _ Password Configuration Settings

  • From: jfvanmeter@xxxxxxxxxxx
  • To: gptalk@xxxxxxxxxxxxx, <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 30 Apr 2007 11:54:55 +0000

Thanks Darren, 

I have a custom domain policy that holds account policy... "myclient domain 
policy", and the DDP is set to not defined.  And the Myclient domain policy has 
a higher priority than the DDP. 

And I'm wondering if the following is happening.

A newly created DC believes that it is authoritative for the domain, but is not 
fully replicated.
After it became authoritative for the domain, and policy wasn't fully replicated, it 
used the local security settings defined on the server. And since it thinks it's 
authoritative for the domain, as the domain NC's head, would it write the local 
security settings back to the Default Domain Policy?

Thanks Everyone

Take Care and Have Fun --John


 -------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> What it is is a strange mechanism Windows employs to make sure that the DDP
> always reflects account policy that is held on the PDCe's domain NC head.
> So, for example, if you directly modified the Password Length attribute in
> AD on the PDC-there is a process that writes that change into the DDP. It's
> not very well documented but easily tested. 
> 
>  
> 
> So, in your example below, if you modified account policy outside of the
> DDP, it would get written back regardless of how restrictive it is.
> 
>  
> 
> Darren
> 
>  
> 
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Alan Johnston
> Sent: Saturday, April 28, 2007 12:11 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Default Domain Policy _ Password Configuration
> Settings
> 
>  
> 
> In this case, would it be true if the modified account policy was less
> restrictive than the DDP, nothing in the DDP will change?
> 
>  
> 
> Just curious.
> 
> Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
> 
> It is possible John. There are certain scenarios where if you modify account
> policy out-of-band of the DDP (e.g. by modifying the local GPO on the PDCe)
> then those changes can be written back to the DDP. It's a "feature". :-)
> 
> -----Original Message-----
> From: jfvanmeter@xxxxxxxxxxx
> To: "gpotalk" 
> Sent: 4/27/2007 7:25 AM
> Subject: [gptalk] Default Domain Policy _ Password Configuration Settings
> 
> Hello everyone, I have a problem that I'm looking for some help with.
> 
> Has anyone seen a default domain policy - password settings change from not
> defined to some other settings... i.e. password length goes from not defined to
> 12?
> 
> The domain is running in 2000, most of the servers are win2k3 sp1 or win2k
> sp4
> 
> thanks for any help
> 
> Take Care and Have Fun --john
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at //www.freelists.org/archives/gptalk/
> ************************
> 


--- Begin Message ---
  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sat, 28 Apr 2007 19:37:40 +0000

What it is is a strange mechanism Windows employs to make sure that the DDP always reflects account policy that is held on the PDCe's domain NC head. So, for example, if you directly modified the Password Length attribute in AD on the PDC, there is a process that writes that change into the DDP. It's not very well documented but easily tested.

 

So, in your example below, if you modified account policy outside of the DDP, it would get written back regardless of how restrictive it is.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan Johnston
Sent: Saturday, April 28, 2007 12:11 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain Policy _ Password Configuration Settings

 

In this case, would it be true if the modified account policy was less restrictive than the DDP, nothing in the DDP will change?

 

Just curious.

Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

It is possible John. There are certain scenarios where if you modify account policy out-of-band of the DDP (e.g. by modifying the local GPO on the PDCe) then those changes can be written back to the DDP. It's a "feature". :-)

-----Original Message-----
From: jfvanmeter@xxxxxxxxxxx
To: "gpotalk"
Sent: 4/27/2007 7:25 AM
Subject: [gptalk] Default Domain Policy _ Password Configuration Settings

Hello everyone, I have a problem that I'm looking for some help with.

Has anyone seen a default domain policy - password settings change from not defined to some other settings... i.e. password length goes from not defined to 12?

The domain is running in 2000, most of the servers are win2k3 sp1 or win2k sp4

thanks for any help

Take Care and Have Fun --john
--- End Message ---
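As an added example, not part of the thread or of anything Darren or John posted: a PowerShell check an administrator could run to see whether the Default Domain Policy's account settings have drifted away from the values held on the domain NC head of the PDC emulator, which is the relationship the write-back mechanism above keeps in line. It assumes the ActiveDirectory RSAT module, read access to SYSVOL, and the well-known GUID of the Default Domain Policy; the helper and variable names are my own.

```powershell
# Added example (not from the thread): compare the account-policy attributes on the
# domain NC head (read from the PDC emulator) with what the Default Domain Policy's
# security template currently defines. Assumes the ActiveDirectory RSAT module
# and read access to SYSVOL.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Read the attributes straight from the domain NC head on the PDCe, the copy the
# thread describes as the source the DDP is kept in sync with.
$ncHead = Get-ADObject -Identity $domain.DistinguishedName -Server $domain.PDCEmulator `
    -Properties minPwdLength, pwdHistoryLength, maxPwdAge, minPwdAge, pwdProperties, lockoutThreshold

# AD stores ages as negative 100-nanosecond intervals; GptTmpl.inf stores whole days.
function Convert-AdIntervalToDays([long]$Interval) {
    # 0 or Int64.MinValue both mean "never expires", which the template writes as -1.
    if ($Interval -eq 0 -or $Interval -eq [long]::MinValue) { return -1 }
    return [int]([math]::Abs($Interval) / 864000000000)
}

$fromAd = @{
    MinimumPasswordLength = [int]$ncHead.minPwdLength
    PasswordHistorySize   = [int]$ncHead.pwdHistoryLength
    MaximumPasswordAge    = Convert-AdIntervalToDays $ncHead.maxPwdAge
    MinimumPasswordAge    = Convert-AdIntervalToDays $ncHead.minPwdAge
    PasswordComplexity    = [int](($ncHead.pwdProperties -band 1) -ne 0)  # DOMAIN_PASSWORD_COMPLEX bit
    LockoutBadCount       = [int]$ncHead.lockoutThreshold
}

# The Default Domain Policy has a well-known GUID; its account policy lives in the
# Machine-side SecEdit template under SYSVOL.
$ddpGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$tmpl = Join-Path "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$ddpGuid" `
    'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

# Parse only the [System Access] section. A setting that is "Not defined" in the
# GPO simply has no line in that section.
$fromDdp = @{}
$inSection = $false
foreach ($line in Get-Content -Path $tmpl) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $fromDdp[$Matches[1]] = [int]$Matches[2] }
}

# Report each setting side by side. A value that is defined in the DDP and differs
# from the NC head is the kind of drift the thread is asking about; a DDP setting
# that has become defined when it used to be "Not defined" shows up here too.
foreach ($name in ($fromAd.Keys | Sort-Object)) {
    $ddpValue = if ($fromDdp.ContainsKey($name)) { $fromDdp[$name] } else { 'Not defined' }
    $status = 'MISMATCH'
    if ($ddpValue -eq 'Not defined') { $status = 'DDP not defined' } elseif ($ddpValue -eq $fromAd[$name]) { $status = 'match' }
    '{0,-22} NC head={1,-5} DDP={2,-12} {3}' -f $name, $fromAd[$name], $ddpValue, $status
}
```

Run it against the PDC emulator rather than an arbitrary DC, as the block does, so that a DC that has not finished replicating (John's scenario) cannot supply stale attribute values for the comparison; keeping a dated copy of the output makes it easy to spot when a setting flips from "Not defined" to a concrete value.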
