[gptalk] Re: Password policy

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 17 Jul 2008 00:07:53 +1000

Taking Darren's comments further. password policies work exactly the same as
any other policy. you just need to keep in mind what machine is the critical


In the case of domain users, the domain controllers control policy so you go
through all of the normal process of working out what is the effective
policy on the domain controller. Normally there is only one policy applied
at the Domain level and so that will be applied on all domain controllers.
If you wanted to be silly, you could actually create two different policies
with two different requirements for passwords and use filtering to ensure
two domain controllers get different policies. This would mean that
depending on which domain controller does the password change would lead to
different rules.


In the case of local users it is the local workstation that does the
password changes so it depends on which policy is being applied to the
machine. If you have one domain policy that applies to all workstations and
domain controllers, then you get the same policy for domain and local users.
This domain policy will override the local policy. If a different policy
wins on the workstations, you will get different rules. If the domain policy
is blocked from applying to workstations, then local policies will win etc.



Alan Cuthbertson



 Policy Management Software (Now with ADMX and Preference support):-



ADM Template Editor(Now with ADMX support):-



Policy Log Reporter(Free)






From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, 17 July 2008 12:04 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Password policy


What happens is that, since the policy is linked to the domain, all computer
accounts will process it. This means that the domain policy will override
the local policy on those computers just like it would for any other
setting. You can, of course, set Block Inheritance on any OU that you don't
wish to have receive that policy.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Harry Singh
Sent: Wednesday, July 16, 2008 6:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Password policy


I was hoping to get some clarity on this-- by setting a domain policy
accounts on the local machine get affected ? Or the domain passwd policy
overwrites any passwd policy set locally on a machine ?

On Wed, Jul 16, 2008 at 9:47 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:


Yes, it will. 




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Dave Palombi
Sent: Wednesday, July 16, 2008 6:00 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Password policy


Hey guys, 

I just implemented a password policy for our domain.  With this affect local
computer accounts as well?  I do know that domain policies super seed local
computer polices.




Other related posts: