• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1245
  • Last Modified:

SBS 2003 Default domain policy vs. SBS Domain password policy

I have a server with Windows Small Business Server 2003 R2 installed, for which I'm looking to implement password policies. However I've noticed that in group policies that there are two policies which setup the maximum password age,length, complexity etc. These are:

Default Domain Policy
Small Business Server Domain Password Policy

When I use the SBS2003 wizard to setup the policy the 'Small Business Server Domain Password Policy' is updated but the 'Default Domain Policy' is not updated.

Which policy will overwrite the other policy?

They are both linked and located under domain.local on the tree?

Also I've noticed that some of the settings of 'Default Domain Policy' are also replicated in the 'Small Business Server Lockout Policy'.

So I need to know is this correct and wil lthe 'SBS Domain Password Policy' overrule the 'Default Domain Policy'

Any help would be appreciated
0
agdickinson
Asked:
agdickinson
2 Solutions
 
DeanC30Commented:
The order in which GPO's are applied is as follows;
Local Policy
Site Policy
Domain Policy
OU Policy.  

If more than one policy is linked to the same level  (i.e.  You have 2 policies linked to the domain) then the policy highest in the list will be applied last and as such will overwrite any conflicting policies.  
This is the default behaviour.  You can flag a policy so that no settings are overwritten by any further polices.  
Also remember that GPOs are cumlative and only CONFLICTING settings are overwritten

Hope this helps
0
 
weareitCommented:
In small business server, the domain is geared to use all of the small business policies...  This is by design...

-saige-
0
 
weareitCommented:
In other words, I am saying that the behaviour that you are seeing is by design...

-saige-
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
agdickinsonAuthor Commented:
Hi,
Under the domain.local listing in Group Policy the order is

Default Domain Policy
Small Business Server - Windows Vista Policy
Small Business Server Domain Password Policy
0
 
agdickinsonAuthor Commented:
When I run the 'Configure Password Policies' wizard under Server Management the
'Small Business Server Domain Password Policy' is updated, but the 'Default Domain Policy' is not touched and this comes before the one updated by the wizard.

What security filtering should be setup on the GPO's?

0
 
weareitCommented:
Small Business Server is packaged to run with the least amount of effort from the Administrator, which is why there are wizards for virtually everyting.  In the Small Business Server environment, it is *not recommended* to change anything manually that is handled by the wizards: User Account Creation, Printer Sharing, File Shareing, etc...

Small Business Server accomplishes most of this least Administrator effort via policies.  The policy sets you see are the sets that Small Business Server implements by default and therefore are not to be explicitly modified otherwise...  However, in the scheme of things, the Small Business Server uses it's own Small Business Server Policy merged with the Default Domain Policy...

-saige-
0
 
KCTSCommented:
If you do not need security filtering then leave it alone - this is used to prevent policies applying to selected groups
0
 
weareitCommented:
I should say: Small Bussiness Server Policies (as there are multiple) merged with the Default Domain Policy...

-saige-
0
 
agdickinsonAuthor Commented:
So will any changes I make using the wizards replicate themselves into the 'Default Domain Policy' as certain settings in this seem to conflict with settings in GPO objects starting with 'Small Business Server....'.

From what I can see any changes made by the wizards will be overwritten by the 'Default Domain Policy' as this is at the top of the Xircon.local domain.
0
 
agdickinsonAuthor Commented:
What should the 'location' and 'security filtering' be by default for the following Group Policy Objects as I modified some in error and need to change back. (I come from a Windows 2003 background so was not used to SBS 2003 wizards until I backed out all the changes to use the wizards for everything now).

Default Domain Policy
Small Business Server Domain Password Policy
Small Business Server Autditing Policy
Small Business Server Lockout Policy

0
 
weareitCommented:
As I stated the Small Business Server Policies merge with the Default Domain Policy.  No policies in the Default Domain Policy are set when running any of the Small Business Server Wizards.

-saige-
0
 
agdickinsonAuthor Commented:
Hi -saige-

So sorry to sound a bit slow.. been a long week so far...

Small Business Server Domain Password Policy

has been updated by the 'Configure Password Polices' to have 'password age of 60 days' and 'password length of 8 characters'.

But the default domain policy has password age and password length set to 0 and 0.

So the SBS Password policy merges in and sets the settings to 60 days and 8 characters right?
0
 
agdickinsonAuthor Commented:
Ok just tested it so it merges up so any changes merge up into the default domain policy.

Thanks for the help -saige'
0
 
weareitCommented:
I understand, been a rough week for me to man...  Yes, you are exactly correct though, the merge means that it applies the Small Business Server Domain Password Policie over the Default Domain Policies...

-saige-
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now