Avatar of zingab
zingab

asked on

default domain policy - default domain controller policy

Just wanted to confirm that the password policies in the default domain controller policy only apply to domain controllers and users logging on to them, and the default domain policy will apply to all other users outside of the domain controller OU?
Avatar of itcok
itcok

False...

The Default Domain Controller Policy contains computer security settings specific to Domain Controllers.

If you configure password policies within the Default Domain Policy, they will also apply to the domain controllers.

Password policies are set for the domain in the default domain policy. This affects all users. You cannot set a password policy in the default domain controllers policy, even though it looks like you can set one there.

In 2008, I believe you can have multiple password policies per OU, but not in 2003.

HTH
I'd suggest creating a Domain Controllers Password Policy GPO for your DCs and then creating a Users Password Policy GPO and applying it at the OU level.

As a rule of thumb, I always prefix my policies with "Custom - "; that way I know which ones are built in and which ones I've created. I try not to make changes to the default policies unless I must.

i.e.

Custom - Domain Controllers Password Policy
Custom - Users Password Policy
Avatar of Mike Kline
In 2003 you apply the password policy at the domain level.

In 2008 (domain functional level) you can use fine-grained password policies to apply different password policies to users/groups.

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Thanks

Mike
Avatar of zingab

ASKER

OK, so if there are password policies applied in the "default domain controller policy", I should ignore those settings (barring inheritance blocking, of course) and just go by what the default domain policy has?
yes, that will be the password policy your users will use.
Alas, this is wrong.

The default domain controllers policy has precedence here. As domain accounts are saved to a database on the domain controller, it does not even matter what policy is applied to the clients. It only matters what policy is applied to the DCs. And in this case, the DDCP has precedence over the DDP because it is applied at OU level.
See this screenshot: I configured one (the first) setting via DDCP, and it has precedence (= is the winning GPO).
GPO-Results.gif
Global password policies are set for the domain in the default domain policy. This affects all users in the domain. You cannot set a password policy in the default domain controllers policy. Any policy you create here is globally applied to your OU.
Avatar of zingab

ASKER

Mcknife, what do you mean?
I mean that if there are password policies applied in the "default domain controller policy", those are indeed applied when it comes to changing any domain account! They are even applied if the default domain policy holds other values, because the DDCP has precedence for the OU "Domain Controllers" where your DCs reside (by default).
What people tend to forget is that the domain accounts and passwords are held centrally on the domain controller. Whenever you change your password, the DC is contacted and the DC has to approve the password. For DOMAIN accounts, the password policy is only effective on the DCs.

If you use the default domain policy to propagate password settings (which is common practice, I know), you will hit the clients as well, BUT this only has an effect when it comes to changing the passwords of LOCAL accounts on those clients. Domain accounts don't care about the policy that is effective at the clients. In fact, you could even have different password policies for local accounts and domain accounts, one configured using the DDCP, the other using the DDP.

I hope this solved your question.

PS @yawbe - please try it to prove yourself wrong.
McKnife,

It appears we are talking about two different things here. What I mean is that you cannot set a password policy for an individual OU in your domain. If a password policy is set using the default domain, that policy applies to every user in the organization. I know this because I wanted to create a password policy for certain users in my organization, so I created an OU for them. When I created the password policy, it looked good but did not work when I applied it. I did a lot of research on it from the Microsoft web site and I was told that it is not possible.
Password policies work effectively if you create them using the default domain password policy, and this is global. That is, it affects all users in all OUs under the domain.
Users outside the domain are not affected, unless they are part of the default domain.

There is nothing for me to try. We are just answering the question posed here.


zingab,

Password policies work effectively if you create them using the default domain password policy, and this is global. That is, it affects all users in all OUs under the domain.
Users outside the domain are not affected, unless they are part of the default domain.

Avatar of zingab

ASKER

Just to follow up: when is there a time to configure settings on the default domain policy compared to the default domain controller policy in a 2003 domain?
For the DCs, the DDCP has precedence over the DDP. So settings that should work on DCs but nowhere else should be set either on the domain controllers' own OU or directly in the DDCP (some might say it's no good to modify it at all, but to always configure extra policies). The DDCP has some security restrictions by default that the DDP does not.
Zingab,

Use the DDCP if you want to deploy a global password policy. That is, it is used for global deployment. This only pertains to password policy. You can use the DDP to deploy OU policies. Apart from password policy, you can use the DDP to deploy policies that apply to any OU in your domain.
Avatar of zingab

ASKER

Still not clear...
ASKER CERTIFIED SOLUTION
McKnife
A password policy applies to the entire domain, controllers included, for 2003.
For 2008, you can have different policies per OU, referred to as fine-grained policies.

That said...
Remember that a machine policy applies to a machine no matter who logs on, while a user policy applies to a user no matter which machine they log on to.

Password policies are machine policies...
Fine-grained password policies apply only to user objects ...

2008: a default domain policy (machine) would be in effect here if a fine-grained policy was not configured.

2003: password policy applies to everyone, everywhere, no exceptions.


I would suggest running RSOP to be sure which one of the answers is correct.
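One way to settle the precedence question empirically, following the RSOP advice above: read the values the DCs actually enforce (stored on the domain head object) and ask RSoP which GPO delivered each setting, rather than reading the GPO editor. This is an added example, not code posted by any participant in the thread. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on a 2008 R2 or later management host; the AD cmdlets need the Active Directory Web Services gateway when the DCs themselves are older), an admin session in the domain, and the user name is a placeholder.

```powershell
# Added example (not from the original thread): verify which password policy
# settings the domain enforces and which GPO set them.
# Assumes: ActiveDirectory + GroupPolicy modules (RSAT), domain admin session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$dc     = $domain.PDCEmulator   # the DC whose GPO processing writes the domain-wide values

# 1. The values DCs enforce for domain accounts live on the domain head
#    (minPwdLength, maxPwdAge, pwdHistoryLength, lockout attributes).
#    Whatever GPO won on the DCs, this is the result.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName
$effective | Select-Object MinPasswordLength, PasswordHistoryCount,
    MaxPasswordAge, MinPasswordAge, ComplexityEnabled,
    LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Which GPO delivered each setting? RSoP for the computer scope on a DC
#    shows the winning GPO per setting (the same view as the thread's
#    GPO-Results.gif screenshot). Look under Computer Configuration >
#    Security Settings > Account Policies in the generated report.
$report = Join-Path $env:TEMP 'dc-rsop.html'
Get-GPResultantSetOfPolicy -Computer $dc -ReportType Html -Path $report
"RSoP report for $dc written to $report"

# 3. Cross-check without any module: 'net accounts' prints the policy the
#    contacted DC is enforcing right now for domain accounts.
net accounts /domain

# 4. At 2008 domain functional level a fine-grained password policy can
#    override the domain-wide values for specific users or groups. The
#    resultant policy for one account (placeholder name) tells you whether
#    one applies; no result means the domain-wide values above are in force.
$user = 'placeholder.user'
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
if ($fgpp) {
    "$user gets fine-grained policy '$($fgpp.Name)' (precedence $($fgpp.Precedence))"
    $fgpp | Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    "$user falls back to the domain-wide policy"
}
```

If step 1 and the "Winning GPO" column in step 2 disagree with what the Default Domain Policy editor shows, a GPO linked to the Domain Controllers OU (the DDCP or a custom one) is the reason, which is exactly the precedence point argued in the thread. Step 3 is the quickest check on a 2003 domain, where the ActiveDirectory module is not available on the DCs themselves.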