SBS 2003 Default domain policy vs. SBS Domain password policy

I have a server with Windows Small Business Server 2003 R2 installed, for which I'm looking to implement password policies. However I've noticed that in group policies that there are two policies which setup the maximum password age,length, complexity etc. These are:

Default Domain Policy
Small Business Server Domain Password Policy

When I use the SBS2003 wizard to setup the policy the 'Small Business Server Domain Password Policy' is updated but the 'Default Domain Policy' is not updated.

Which policy will overwrite the other policy?

They are both linked and located under domain.local on the tree?

Also I've noticed that some of the settings of 'Default Domain Policy' are also replicated in the 'Small Business Server Lockout Policy'.

So I need to know is this correct and wil lthe 'SBS Domain Password Policy' overrule the 'Default Domain Policy'

Any help would be appreciated
agdickinsonAsked:
Who is Participating?
 
weareitConnect With a Mentor Commented:
Small Business Server is packaged to run with the least amount of effort from the Administrator, which is why there are wizards for virtually everyting.  In the Small Business Server environment, it is *not recommended* to change anything manually that is handled by the wizards: User Account Creation, Printer Sharing, File Shareing, etc...

Small Business Server accomplishes most of this least Administrator effort via policies.  The policy sets you see are the sets that Small Business Server implements by default and therefore are not to be explicitly modified otherwise...  However, in the scheme of things, the Small Business Server uses it's own Small Business Server Policy merged with the Default Domain Policy...

-saige-
0
 
DeanC30Connect With a Mentor Commented:
The order in which GPO's are applied is as follows;
Local Policy
Site Policy
Domain Policy
OU Policy.  

If more than one policy is linked to the same level  (i.e.  You have 2 policies linked to the domain) then the policy highest in the list will be applied last and as such will overwrite any conflicting policies.  
This is the default behaviour.  You can flag a policy so that no settings are overwritten by any further polices.  
Also remember that GPOs are cumlative and only CONFLICTING settings are overwritten

Hope this helps
0
 
weareitCommented:
In small business server, the domain is geared to use all of the small business policies...  This is by design...

-saige-
0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

 
weareitCommented:
In other words, I am saying that the behaviour that you are seeing is by design...

-saige-
0
 
agdickinsonAuthor Commented:
Hi,
Under the domain.local listing in Group Policy the order is

Default Domain Policy
Small Business Server - Windows Vista Policy
Small Business Server Domain Password Policy
0
 
agdickinsonAuthor Commented:
When I run the 'Configure Password Policies' wizard under Server Management the
'Small Business Server Domain Password Policy' is updated, but the 'Default Domain Policy' is not touched and this comes before the one updated by the wizard.

What security filtering should be setup on the GPO's?

0
 
Brian PiercePhotographerCommented:
If you do not need security filtering then leave it alone - this is used to prevent policies applying to selected groups
0
 
weareitCommented:
I should say: Small Bussiness Server Policies (as there are multiple) merged with the Default Domain Policy...

-saige-
0
 
agdickinsonAuthor Commented:
So will any changes I make using the wizards replicate themselves into the 'Default Domain Policy' as certain settings in this seem to conflict with settings in GPO objects starting with 'Small Business Server....'.

From what I can see any changes made by the wizards will be overwritten by the 'Default Domain Policy' as this is at the top of the Xircon.local domain.
0
 
agdickinsonAuthor Commented:
What should the 'location' and 'security filtering' be by default for the following Group Policy Objects as I modified some in error and need to change back. (I come from a Windows 2003 background so was not used to SBS 2003 wizards until I backed out all the changes to use the wizards for everything now).

Default Domain Policy
Small Business Server Domain Password Policy
Small Business Server Autditing Policy
Small Business Server Lockout Policy

0
 
weareitCommented:
As I stated the Small Business Server Policies merge with the Default Domain Policy.  No policies in the Default Domain Policy are set when running any of the Small Business Server Wizards.

-saige-
0
 
agdickinsonAuthor Commented:
Hi -saige-

So sorry to sound a bit slow.. been a long week so far...

Small Business Server Domain Password Policy

has been updated by the 'Configure Password Polices' to have 'password age of 60 days' and 'password length of 8 characters'.

But the default domain policy has password age and password length set to 0 and 0.

So the SBS Password policy merges in and sets the settings to 60 days and 8 characters right?
0
 
agdickinsonAuthor Commented:
Ok just tested it so it merges up so any changes merge up into the default domain policy.

Thanks for the help -saige'
0
 
weareitCommented:
I understand, been a rough week for me to man...  Yes, you are exactly correct though, the merge means that it applies the Small Business Server Domain Password Policie over the Default Domain Policies...

-saige-
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.