felicienfleury (Switzerland) asked:
Group Policy Windows applied on Local Administrator Account

Hi all,

I have an AD Windows 2003 server with a specific group policy account for all end users of the Windows domain. I would like to know if the group policy account is applied to the local administrator account (e.g. password length, password lockout, etc.).

If not, can I enforce a specific group policy or a local security policy for this local administrator account?

And how is it possible to check the policy for the local administrator account (command, etc.)?

Please give some references with your answer.

Thanks!
cmarandi (United States of America):

As long as the administrator logs into the domain and not just locally, then the policy will apply to it. But here is a tricky part: the policy will not revert back until you change that policy, even if you remove the policy.

For the local policy, go to START, RUN, then type gpedit.msc.
That's the local machine policy, for the user and the machine.
McKnife:
If you apply a domain password policy, apply it to where the domain passwords are stored: at the DC. You don't need to apply it to workstations. So you could do the settings at the default domain controllers policy for example.
If you would like every local account on every domain computer to follow a password policy, define a second password policy that gets applied to the domain members (workstations). This one does not affect domain accounts, only local accounts.
If you would like to configure the policy of local accounts of a single computer, do it locally via local gpedit.msc.
felicienfleury (asker):

Thanks for your answers.

But is the domain policy also applied to the local administrator account (password length, password age, etc.)?

For example, if I put a password age policy at 30 days, should I change the local administrator password every 30 days? Or is it only for all local users except the administrator account?

No, it's not applied to the local users nor the administrator. It's for all domain users who authenticate against the domain. The local accounts are modified by gpedit.msc (local policy).
BUT note that in Windows Server 2003, the domain controllers do NOT have a local account set. All the users that log into a domain controller log into the domain. NO LOCAL ACCOUNTS.
Felicien, cmarandi's answer is not really correct. It depends on where the policy is applied to: if the domain policy is applied to the workstations as well (for example, settings are made inside the default domain policy), then of course also the local accounts (including local admin) on every computer the default domain policy is applied to are affected. So for configuring only domain accounts I repeat: you could do the settings at the default domain controllers policy, for example (or any custom policy that will only be linked to the domain controllers).
Hmmm. Really? Where do you set the password limitations for a local administrator of a client machine via a domain policy?
At the same spot as in the local policy.
How would it know the difference between the domain admin and the local admin at the client's machine?
Thanks for your answers.

@cmarandi: if the Windows Server 2003 is not a domain controller (only a server), it is possible to log in with a local account, isn't it?

@McKnife: the questions of cmarandi, 22224025 and 22224740, are two good open questions.

I think that the local policy is only applied to user accounts and not to the local administrator account; is that correct?

From my experience, yes, that is correct. Administrator is generally exempt. I think there may be a specific policy for administrators.
Also, when you apply the local policy, you get to choose the groups that it applies to. So just keep the administrators out.
And from my experience, I have never been able to modify a local machine's local user security settings, such as password policies, from a domain policy. It's just not there.
Yes, you can change the behavior of a client machine and a domain-authenticated user's policies with a domain GPO, but not a local user.
Oh, and sorry: yes, you can log in locally on a server as long as it is not the domain controller. You can see it: when you try to log in to a DC, you'll see that the option for the domain is just a domain, whereas on member servers that are not DCs you will have a choice of logging in locally ("(this machine)") or to the domain.
A general rule is: GPOs apply to administrators, too. Everyone should know that - sometimes people lock themselves out.
@felicienfleury: 22224025 is answered in the followup next to it. ...40 is not really a complete question - difference in what? And what scenario of policies would this question relate to?
Local administrator doesn't lock out. The domain may, but not the local.
Try it. I can't even think of a way to force a policy to do that.
cmarandi, what are you talking about? "lock out" means, settings are forced to lock anything down, for example remove the run button. This will get applied to the admin, too. No need to try, there are even articles showing how to prevent this: http://windows.ittoolbox.com/groups/technical-functional/activedirectory-l/how-to-apply-group-policy-without-affecting-administrator-user-account-1694756
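The disagreement above is settled most reliably on the machine itself. Account Policies (password length, age, history, lockout) are Computer Configuration settings: whatever GPOs reach a member computer, merged with its local policy from gpedit.msc, are what its local accounts are subject to, while domain accounts get theirs from the policy the domain controllers apply (the Default Domain Policy by default). The script below is an added example and is not code from the thread or from any participant. It uses only built-in Windows tools (net, secedit, gpresult) to report the password and lockout values in force for local accounts on the computer it runs on and which GPOs delivered them; the export path and the parsing of secedit's .inf output are assumptions made for this example.

```powershell
# Added example (not from the thread): show the password/lockout policy in force for
# local accounts on this computer, and the GPOs the computer received.
# Run from an elevated prompt on the member server or workstation being checked.

function Get-LocalAccountPolicy {
    # secedit exports the resultant security policy (local settings merged with any
    # domain GPOs applied to the computer). The [System Access] section of the .inf
    # holds the password and lockout values. Path and parsing are assumptions.
    $export = Join-Path $env:TEMP 'secpol-resultant.inf'
    secedit /export /cfg $export /areas SECURITYPOLICY | Out-Null

    $wanted = 'MinimumPasswordLength', 'MaximumPasswordAge', 'MinimumPasswordAge',
              'PasswordComplexity', 'PasswordHistorySize', 'LockoutBadCount',
              'ResetLockoutCount', 'LockoutDuration'
    $policy = @{}
    foreach ($line in Get-Content $export) {
        # Lines look like "MaximumPasswordAge = 42"; keep only the keys of interest.
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$' -and $wanted -contains $matches[1]) {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $export -ErrorAction SilentlyContinue
    return $policy
}

$policy = Get-LocalAccountPolicy
Write-Host "== Password/lockout policy in force for local accounts on $env:COMPUTERNAME =="
$policy.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# In the export, MaximumPasswordAge = -1 means passwords never expire and
# LockoutBadCount = 0 means no lockout threshold is configured.
if ($policy['MaximumPasswordAge'] -eq -1) {
    Write-Host "Local account passwords never expire on this computer."
}
if ($policy['LockoutBadCount'] -eq 0) {
    Write-Host "No lockout threshold is configured for local accounts."
}

# Cross-check against the SAM's own view of the same settings.
Write-Host "`n== net accounts =="
net accounts

# Any domain GPO listed here (linked to the domain root or to this computer's OU)
# contributed to the values above alongside the local policy. Computer-scope
# results need an elevated prompt; /v is verbose and shows the winning GPO per setting.
Write-Host "`n== GPOs applied to the computer =="
gpresult /scope computer /v
```

Run it once on a member server or workstation and once on a domain controller: on the member the values apply to its local Administrator account; on the DC there are no local accounts, and the values shown are the ones the domain accounts are held to.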
ASKER CERTIFIED SOLUTION
cmarandi (United States of America)
Feels good to be right!
:-)