Taking Darren's comments further, password policies work exactly the same as any other policy. You just need to keep in mind which machine is the critical machine.

In the case of domain users, the domain controllers control policy, so you go through all of the normal process of working out what the effective policy is on the domain controller. Normally there is only one policy applied at the domain level, and so that will be applied on all domain controllers. If you wanted to be silly, you could actually create two different policies with two different requirements for passwords and use filtering to ensure two domain controllers get different policies. This would mean that, depending on which domain controller does the password change, you would get different rules.

In the case of local users, it is the local workstation that does the password changes, so it depends on which policy is being applied to the machine. If you have one domain policy that applies to all workstations and domain controllers, then you get the same policy for domain and local users. This domain policy will override the local policy. If a different policy wins on the workstations, you will get different rules. If the domain policy is blocked from applying to workstations, then local policies will win, etc.

Alan Cuthbertson

Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

ADM Template Editor (Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

Policy Log Reporter (Free):
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, 17 July 2008 12:04 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Password policy

What happens is that, since the policy is linked to the domain, all computer accounts will process it. This means that the domain policy will override the local policy on those computers just like it would for any other setting. You can, of course, set Block Inheritance on any OU that you don't wish to have receive that policy.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh
Sent: Wednesday, July 16, 2008 6:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Password policy

I was hoping to get some clarity on this: by setting a domain policy, accounts on the local machine get affected? Or the domain passwd policy overwrites any passwd policy set locally on a machine?

On Wed, Jul 16, 2008 at 9:47 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

Dave-

Yes, it will.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Dave Palombi
Sent: Wednesday, July 16, 2008 6:00 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Password policy

Hey guys,

I just implemented a password policy for our domain. Will this affect local computer accounts as well? I do know that domain policies supersede local computer policies.

Thanks,
Dave
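
Added example, not part of the original thread: a PowerShell check, run elevated on a domain-joined workstation, that compares the password policy the machine enforces for local accounts (exported with secedit) against the default domain password policy that the domain controllers enforce for domain accounts. The function name Get-LocalPasswordPolicy is hypothetical, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example. Assumes an elevated prompt and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LocalPasswordPolicy {   # hypothetical helper name
    # secedit writes the machine's effective security settings to an INF file;
    # the password settings are in its [System Access] section.
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    try {
        secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
        $wanted = 'MinimumPasswordLength', 'PasswordComplexity',
                  'PasswordHistorySize', 'MinimumPasswordAge', 'MaximumPasswordAge'
        $found = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$' -and $wanted -contains $Matches[1]) {
                $found[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $found
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$local  = Get-LocalPasswordPolicy
$domain = Get-ADDefaultDomainPasswordPolicy   # what the DCs enforce for domain users

# secedit reports "never expires" as -1; the AD cmdlet reports it as a zero TimeSpan.
$localMaxAge = if ($local.MaximumPasswordAge -eq -1) { 0 } else { $local.MaximumPasswordAge }

$rows = @(
    [pscustomobject]@{ Setting = 'Minimum length';  Local = $local.MinimumPasswordLength; Domain = $domain.MinPasswordLength }
    [pscustomobject]@{ Setting = 'Complexity';      Local = $local.PasswordComplexity;    Domain = [int]$domain.ComplexityEnabled }
    [pscustomobject]@{ Setting = 'History size';    Local = $local.PasswordHistorySize;   Domain = $domain.PasswordHistoryCount }
    [pscustomobject]@{ Setting = 'Min age (days)';  Local = $local.MinimumPasswordAge;    Domain = $domain.MinPasswordAge.Days }
    [pscustomobject]@{ Setting = 'Max age (days)';  Local = $localMaxAge;                 Domain = $domain.MaxPasswordAge.Days }
)
$rows | Select-Object *, @{ Name = 'Same'; Expression = { $_.Local -eq $_.Domain } } |
    Format-Table -AutoSize

# Lists the GPOs applied to, or filtered out for, this computer.
gpresult /r /scope computer
```

A row with Same = False on a workstation corresponds to the cases described in the thread: a different policy won on that machine, or the domain policy was blocked from applying to it.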