cnoblesd01

asked on
Local Group Policy on Domain Controller.

Hi All - To start this off on the right foot: I know, it doesn't work this way. So with that said...

I have a situation where users in a domain have password policies (length, time, etc.). However, when I pull the resultant set of policies for those users, there are NO policies pertaining to passwords. If I manually look at the Default Domain Policy, Default Domain Controller Policy, or any other policy that is applied to the user OU (and I know this should only be applied from the Default Domain Policy), there is NO policy set; they all show as "not defined". So I opened the local policy on the DC... this is where I find the policy for passwords that matches the behavior the users experience (length, time, etc.).
HOW is this possible? The GUID used should be completely different, no? Any help is appreciated.
Thanks!
oBdA

This is quite normal, expected, and "possible" because the password policy in a W2k3 domain is a *computer* configuration setting. The password policy *has* to be linked to the domain root, and it *has* to be applied to the DCs (the *account* *database*, not individual users). That means as well that there can only be one single password policy *per* *domain* in a W2k3 AD (only a W2k8 AD allows more granular policies); a password policy applied to an OU will only apply to *local* accounts on computers in or below that OU.
Check here for details:
Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
cnoblesd01 (ASKER)
oBdA,

Thank you for your prompt response! The issue is, I cannot find a single password policy linked to the root. There is but one policy (Default Domain Policy) applied to the root, which shows all policies as "not defined". RSoP clearly indicates no password policies, and I am running GPMC on the PDC emulator DC. So as you indicated, the password policy MUST be linked to the root; so how does the "Local Computer Policy" on the DC control the AD behaviour for users?

Thanks again ...  hope I'm not missing the obvious here!
oBdA

If there's no password policy configured linked to the domain root, the local setting will be used. Changing this is only good for a world of pain, where it depends on the DC which password policy is applied ...
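To see the gap oBdA describes on your own domain, the following PowerShell is an added example (not code from this thread, from the poster, or from Microsoft): it reads the password settings the DCs actually enforce from the attributes on the domain head object (the account database) and lists them beside what the Default Domain Policy's security template in SYSVOL defines. A row where the template says "Not defined" but a value is enforced is exactly the situation in the question, and the value then comes from somewhere other than that GPO (for instance the DC's local policy, as the answer explains). Assumptions: a domain-joined host with read access to the domain head and SYSVOL, the well-known Default Domain Policy GUID, and the function and parameter names, which are mine.

```powershell
# Added example (not from the thread). Compares the enforced domain password
# policy (attributes on the domain head) with the Default Domain Policy template.
# Assumes a domain-joined host with read access to the domain head and SYSVOL;
# only System.DirectoryServices is used, so no ActiveDirectory module is needed.

# Well-known GUID of the Default Domain Policy GPO (the same in every domain).
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

function ConvertFrom-AdInterval {
    # AD stores durations as negative counts of 100-nanosecond ticks.
    # Int64.MinValue means "never" (password age) or "until an admin unlocks"
    # (lockout duration); GptTmpl.inf writes both as -1, so mirror that here.
    param([int64]$Ticks, [ValidateSet('Days','Minutes')][string]$Unit)
    if ($Ticks -eq [int64]::MinValue) { return -1 }
    $span = [TimeSpan]::FromTicks([math]::Abs($Ticks))
    if ($Unit -eq 'Days') { return [int]$span.TotalDays } else { return [int]$span.TotalMinutes }
}

function Get-EnforcedDomainPasswordPolicy {
    # Base-scope search on the domain head: these attributes are what every DC in
    # the domain enforces, whichever GPO or local policy populated them.
    param([string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DomainDN"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    foreach ($attr in 'minPwdLength','pwdHistoryLength','maxPwdAge','minPwdAge','pwdProperties',
                      'lockoutThreshold','lockoutDuration','lockOutObservationWindow') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $result = $searcher.FindOne()
    if (-not $result) { throw "Domain head '$DomainDN' not found." }
    $p = $result.Properties

    # Key names and units deliberately match the [System Access] section of GptTmpl.inf.
    $policy = New-Object System.Collections.Specialized.OrderedDictionary
    $policy['MinimumPasswordLength'] = [int]$p['minpwdlength'][0]
    $policy['PasswordHistorySize']   = [int]$p['pwdhistorylength'][0]
    $policy['MaximumPasswordAge']    = ConvertFrom-AdInterval ($p['maxpwdage'][0]) Days
    $policy['MinimumPasswordAge']    = ConvertFrom-AdInterval ($p['minpwdage'][0]) Days
    # Bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX.
    $policy['PasswordComplexity']    = [int]((([int]$p['pwdproperties'][0]) -band 1) -eq 1)
    $policy['LockoutBadCount']       = [int]$p['lockoutthreshold'][0]
    $policy['LockoutDuration']       = ConvertFrom-AdInterval ($p['lockoutduration'][0]) Minutes
    $policy['ResetLockoutCount']     = ConvertFrom-AdInterval ($p['lockoutobservationwindow'][0]) Minutes
    return $policy
}

function Get-DefaultDomainPolicyTemplate {
    # Parses the [System Access] section of the Default Domain Policy's security
    # template. A key missing from the file is what GPMC shows as "Not defined".
    param([string]$DnsDomain = $env:USERDNSDOMAIN, [string]$Guid = $DefaultDomainPolicyGuid)
    $path = "\\$DnsDomain\SYSVOL\$DnsDomain\Policies\$Guid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $settings = @{}
    if (-not (Test-Path -LiteralPath $path)) { return $settings }   # no template: nothing defined
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $path) {
        if ($line -match '^\s*\[(.+?)\]') { $inSection = ($matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $settings[$matches[1]] = $matches[2] }
    }
    return $settings
}

function Compare-DomainPasswordPolicy {
    $enforced = Get-EnforcedDomainPasswordPolicy
    $gpo      = Get-DefaultDomainPolicyTemplate
    '{0,-22} {1,8}  {2,-12} {3}' -f 'Setting', 'Enforced', 'DefDomPol', ''
    foreach ($name in $enforced.Keys) {
        $inGpo = if ($gpo.ContainsKey($name)) { $gpo[$name] } else { 'Not defined' }
        # A mismatch means the enforced value was not written by this GPO.
        $note  = if ("$inGpo" -ne "$($enforced[$name])") { '<-- not set by the Default Domain Policy' } else { '' }
        '{0,-22} {1,8}  {2,-12} {3}' -f $name, $enforced[$name], $inGpo, $note
    }
}

Compare-DomainPasswordPolicy
```

Run it from any domain member as a user who can read SYSVOL; reading the domain head attributes needs no special rights. If every row is flagged, no GPO linked to the domain root defines the settings, and the values the DCs hand out came from elsewhere, which is the case the thread describes.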
cnoblesd01 (ASKER)

oBdA,

Thanks yet again. I duplicated this in a lab tonight and it performed as you suggested. I'm assuming this behavior is specifically related to the PDC Emulator, and duplicating the policy on other DCs would have no impact on the domain if the DC with the PDC Emulator was off-line? Until the PDC Emulator role was seized anyway...

ASKER CERTIFIED SOLUTION
oBdA