Posted by Roger Abell [MVP] on November 18, 2006, 12:32 am
Not defined does not mean no policy, it just means that
there is no definition of the specific policy in that GPO.
Notice that many policies are tri-state, such as not defined,
enabled, disabled. A setting of not defined is a no-op and
has no effect.
Now, usually Account policies only have an effect on domain
accounts when these are set in a GPO linked to the domain.
I have at times noticed it seems some are effective for domain
accounts when set in a GPO linked to the DC OU. Given the
possible GPOs that you have listed, either this "odd" behavior
(that is not supposed to happen) is operative here, or, more
likely, the shipped default or last set value at the domain level
is being used (i.e. the 24 in the DC OU linked GPO only appears
to be winning, but in fact, no GPO linked to the domain sets the
policy so the last set value is being effective).
> In the following situation which policy will win?
>
> Enforce password history
>
> Default Domain Policy Not defined
> Default Domain Controller Policy Not defined
> Local Domain Controller Policy 24 days
>
> My problem is when a user's profile is set to change at next logon (because I
> don't want to know their password) if they select a password that was used in
> the last 24 days it won't accept it. I would have thought that the default
> domain policy or default domain controller policy would have taken precedence.
>
> Any answers would be greatly appreciated.
>
> Kim
>
>
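
One way to check which of the cases described in the reply applies, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules (which postdate this thread) and read access to the domain's GPOs; the output column names are chosen here for illustration.

```powershell
# Added example: compare the password history value the domain enforces
# with the GPOs that actually define it, and show where those GPOs are linked.
Import-Module ActiveDirectory, GroupPolicy

# 1. The value currently stored on the domain and applied to domain accounts.
$effective = Get-ADDefaultDomainPasswordPolicy
"Effective domain password history: {0}" -f $effective.PasswordHistoryCount

# 2. Every GPO in which "Enforce password history" is defined.
#    local-name() keeps the XPath independent of the report's namespace prefixes.
$xpath = "//*[local-name()='Account'][*[local-name()='Name']='PasswordHistorySize']"

$defining = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $hit = Select-Xml -Xml $report -XPath $xpath | Select-Object -First 1
    if (-not $hit) { continue }   # "Not defined" in this GPO: it contributes nothing

    $value = ($hit.Node.ChildNodes |
        Where-Object { $_.LocalName -eq 'SettingNumber' }).InnerText
    $links = @($report.GPO.LinksTo |
        Where-Object { $_.Enabled -eq 'true' } |
        ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        GPO                 = $gpo.DisplayName
        PasswordHistorySize = $value
        LinkedTo            = $links -join '; '
    }
}

# 3. Interpretation: if no GPO listed here is linked to the domain itself,
#    the effective value in step 1 is not coming from a domain-linked GPO.
if ($defining) {
    $defining | Format-Table -AutoSize -Wrap
} else {
    "No GPO defines PasswordHistorySize."
}
```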