help with the order of processing AD GP's and local GPS

Hello,

Im my domain, users have 3 policies aplied. All 3 policies have set 'interactive login remind users 3 days before password expires'

There local GP though has this same value set to 14 days?? how is this happening? i thought local policy is applied first upon login and then domain policies applied.

Should i tick enforce on teh AD GP policies?

please advise

Thanks,

acetateAsked:
Who is Participating?
 
elbereth21Commented:
Policies are applied this way:
1)Local Machine Policies
2)Site group policies
3)Domain group policies
4)Organizational Unit group policies
and, unless you are using enforced/No override, the last settings applied are effective.
Remember though, that Security policies are applied at the domain level only and that local security policies are present on the machine even though they are ineffective as long as there is a Domain Security policy applied.
0
 
acetateAuthor Commented:
hello,

so does this mean i should tick enforce on the domain group or organizantial group policies in order to have there policies applied regardless?

0
 
elbereth21Commented:
If I understand you correctly, your problem is that you have policies regarding those reminders applied to domain and you don't see them applied? This should not happen if your machines are joined to a domain, even if you do not set those policies as enforced. Just a question: when you say "Their local GP though has this same value set to 14 days" are you talking about local machine policy (as I believe) or are you saying that users of those PCs receive a reminder two weeks before the password expires?
0
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

 
acetateAuthor Commented:
hello,

yes, the policys appear to have not applied, or have been overwritten. all machines are joined the the domain. The local GP of the pcs has 14 days on the value for password reminders. all domain and OU level AD GPs have 3 days?? this doesnt make any sense to me.

so im thinking of turning on enforcment at the domain level

any thoughts?
0
 
elbereth21Commented:
You might try with enforced policies, anyway, before doing that, are you sure those users have at least "read and apply" right on those policies? Is it possible that some kind of filtering (based on some Windows groups) is applied?
After checking these settings turn on enforcement at the domain level, as you proposed.
0
 
acetateAuthor Commented:
i have jsut checked my servers. they have 2 values, one value is local settings, this value is at 14 days, the other is effective setttings, this is at 3 days.

which one does the server use in different senerios and why???

thanks
0
 
elbereth21Commented:
I suggest you to follow this link:
http://www.oreilly.com/catalog/mwin2reg/chapter/ch07.html
and consider especially this explanation:
" The local GPO

Regardless of whether a computer is part of an Active Directory environment or operates as a standalone machine, every system running Windows 2000 stores exactly one local group policy object (LGPO).[1] The LGPO contains the primary policies for that computer and the users on it. For a standalone Windows 2000 machine, these are the only group policies the computer sees. When the computer is component of a site, domain, or organization unit, nonlocal GPOs join and take precedence over the LGPO. If there's a conflict between LGPO policy settings and settings from the more influential nonlocal GPOs, the LGPO settings are overwritten.

    TIP:  

    GPO Rule #1: since local settings are applied first, they're always overwritten by settings in inherited nonlocal GPOs.  "

As I stated in my first post, the last applied settings are always the "winning" ones, so the fact you see two values on your local policies is not  a problem: you have to look at the values marked as "effective". If unjoined your servers from the domain, local policies would take precedence; if instead you log on locally with a local account (such as local administrator), while being joined to a domain, you'll see applied domain policies for Computer Configuration, BUT local policies for User Configuration. This behaviour stems from the fact that domain group policies related to computer configuration are applied BEFORE a user logs in.

I hope I explained in a reasonably clear way this concept, which is not that simple. Anyway, feel free to ask if you have doubts.
0
 
elbereth21Commented:
Sorry to bug you acetate, but I do not understand this B grade: could you possibly explain it?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.