cnoblesd01
asked on
Local Group Policy on Domain Controller.
Hi All - To start this off on the right foot; I know, it doesn't work this way. So with that said...
I have a situation where users in a domain have password policies (length, time, etc.). However, when I pull the resultant set of policies for those users, there are NO policies pertaining to passwords. If I manually look at the Default Domain Policy, Default Domain Controller Policy, or any other policy that is applied to the user OU (and I know this should only be applied from default domain policy) - there is NO policy set; they all show as "not defined". So I opened the local policy on the DC ... this is where I find the policy for passwords that match the behavior the users experience (length, time, etc.).
HOW is this possible? The GUID used should be completely different, no? Any help is appreciated.
Thanks!
ASKER
oBdA,
Thank you for your prompt response! The issue is, I cannot find a single password policy linked to the root. There is but one policy (default domain policy) applied to the root which shows all policies as "not defined". RSoP clearly indicates no password policies - and I am running gpmc on the PDC emulator DC. So as you indicated, the password policy MUST be linked to the root; so how does the "Local Computer Policy" on the DC control the AD behaviour for users?
Thanks again ... hope I'm not missing the obvious here!
If there's no password policy configured linked to the domain root, the local setting will be used. Changing this is only good for a world of pain, where it depends on the DC which password policy is applied ...
ASKER
oBdA,
Thanks yet again. I duplicated this in a lab tonight and it performed as you suggested. I'm assuming this behavior is specifically related to the PDC Emulator, and duplicating the policy on other DCs would have no impact on the domain if the DC with the PDC Emulator was off-line? Until the PDC Emulator role was seized anyway...
ASKER CERTIFIED SOLUTION
Check here for details:
Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
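An audit for the situation discussed in this thread, as an added example that is not part of the original posts: it lists the password policy each DC reports and shows which GPOs linked at the domain root actually define password settings. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, and that the GPO report XML uses the security-template key names listed in `$names`.

```powershell
# Added example (not from the thread). Run with domain read access on a
# machine that has the ActiveDirectory and GroupPolicy RSAT modules.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# Assumption: these security-template key names are how password settings
# appear in the GPO report XML.
$names = 'MinimumPasswordLength', 'MaximumPasswordAge', 'MinimumPasswordAge',
         'PasswordHistorySize', 'PasswordComplexity'

# 1. Password policy as reported by every DC, with the PDC emulator flagged.
Get-ADDomainController -Filter * | ForEach-Object {
    $p = Get-ADDefaultDomainPasswordPolicy -Server $_.HostName
    [pscustomobject]@{
        DC         = $_.HostName
        IsPdcE     = ($_.HostName -eq $domain.PDCEmulator)
        MinLength  = $p.MinPasswordLength
        MaxAge     = $p.MaxPasswordAge
        MinAge     = $p.MinPasswordAge
        History    = $p.PasswordHistoryCount
        Complexity = $p.ComplexityEnabled
    }
} | Format-Table -AutoSize

# 2. GPOs linked at the domain root, and the password settings each defines.
#    An empty "Defines" column for every linked GPO is the "not defined"
#    state described in the question.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks | ForEach-Object {
    $link    = $_
    $xml     = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    $defined = $names | Where-Object { $xml -match "<(\w+:)?Name>$_</(\w+:)?Name>" }
    [pscustomobject]@{
        Gpo      = $link.DisplayName
        Order    = $link.Order
        Enabled  = $link.Enabled
        Enforced = $link.Enforced
        Defines  = ($defined -join ', ')
    }
} | Sort-Object Order | Format-Table -AutoSize
```

If the first table shows values while no GPO in the second table defines any, the settings are coming from somewhere other than a GPO linked at the domain root.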