secpol on DC vs. Default Domain Policy?

microsoft.public.windows.server.security
Posted by Brian MXP on November 30, 2006, 6:12 pm
Hello-

I'm trying to stop the practice of having Domain user account passwords
expire in a domain (not my idea).

I thought by creating a new GPO & linking it to the root of the domain -
that would work. Doesn't seem so (gpresult shows the GPO applying to
the Computer Settings, but on the user Settings, I get Filtering: Not
Applied (Empty)). I'm assuming this is because the settings are in the
Computer Config section & not User...

A lot of posts mention linking the 'Default Domain Policy' GPO to the
domain to do this, but the Max Password Age is in the Computer Setting
section, so I thought I'd get similar results if I linked it...

So when I run gpedit.msc on a DC, I see what appears to be the culprit:
the Security Settings-Account Settings-Password Policy-Max Password Age;
however, it only appears to be able to accept a numeric value, not an
enable/disable option... Is this where I should make the change or do I
need to go back to the 'Default Domain Policy' in order to accomplish
what I need to?

TIA,
Brian

Posted by acchong on November 30, 2006, 7:00 pm
If you don't want passwords for domain user accounts to expire, set
"Maximum Password Age" to 0 in the Default Domain Policy.

You can refer to the following link for an explanation of each of the
password policies:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx#EMD



Posted by Roger Abell [MVP] on November 30, 2006, 10:54 pm
If you have multiple GPOs linked to the domain object, make sure
that the Account Policies are set in the highest priority of the GPOs,
or at least so that they are not overwritten by a higher priority GPO
linked to the domain. This does not have to be done in the default
domain GPO.
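
The link-priority point in the last reply can be audited read-only from a management workstation. This is an added example, not part of the original thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the GPO XML report lists the setting as an Account element named MaximumPasswordAge.

```powershell
# Added example: show which domain-linked GPO supplies Maximum Password Age
# and compare it with the value the domain actually enforces. Read-only.
Import-Module GroupPolicy, ActiveDirectory

$domain = Get-ADDomain

# Assumed report layout: <Account><Name>MaximumPasswordAge</Name>
# <SettingNumber>N</SettingNumber></Account>; local-name() avoids namespace prefixes.
$xpath = "//*[local-name()='Account'][*[local-name()='Name']='MaximumPasswordAge']" +
         "/*[local-name()='SettingNumber']"

# Links made directly on the domain object. Disabled links are skipped;
# enforced links win over non-enforced ones, then the lowest link order wins.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Where-Object { $_.Enabled } |
    Sort-Object -Property @{ Expression = 'Enforced'; Descending = $true },
                          @{ Expression = 'Order';    Descending = $false }

$rows = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    $node = Select-Xml -Xml $report -XPath $xpath | Select-Object -First 1
    $days = $null
    if ($node) { $days = [int]$node.Node.InnerText }   # 0 = passwords never expire
    [pscustomobject]@{
        Order              = $link.Order
        Enforced           = $link.Enforced
        GPO                = $link.DisplayName
        MaxPasswordAgeDays = $days
    }
}
$rows | Format-Table -AutoSize

# First row (in precedence order) that defines the setting is the expected winner.
$winner    = $rows | Where-Object { $null -ne $_.MaxPasswordAgeDays } | Select-Object -First 1
$effective = (Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot).MaxPasswordAge.Days

if (-not $winner) {
    Write-Warning "No enabled GPO linked to the domain defines Maximum Password Age."
} elseif ($winner.MaxPasswordAgeDays -ne $effective) {
    Write-Warning ("'{0}' sets {1} days but the domain enforces {2}; policy may not have refreshed yet." -f
        $winner.GPO, $winner.MaxPasswordAgeDays, $effective)
} else {
    "Effective Maximum Password Age: {0} days, from GPO '{1}'" -f $effective, $winner.GPO
}
```

The script ignores security filtering and a disabled Computer Configuration half of a GPO, so a GPO it reports as the winner can still be skipped for those reasons.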


