Question About Domain Account Policies

cnfuzzdcnfuzzd Member Posts: 208
So, in my reading, it appears that your default domain policy will always govern account policies, such as when passwords expire and such. Is this accurate? If I want to make an OU for user accounts whose passwords I want to never expire, how would I go about this if the above is accurate?


Thanks!


John
__________________________________________

Work In Progress: BSCI, Sharepoint

Comments

  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    Get Server 2008 ;)

    Password policies on OUs only apply to local accounts on the computers in those OUs. Password policies are domain-wide in 2003.
  • meadITmeadIT Member Posts: 581 ■■■■□□□□□□
    I'm sure someone will correct me if I'm wrong, but here goes:

    Group Policies are applied in DSOU order.. Domain, Site, OU. Since the OU is the last to be applied, I think that the Password Policies set in the OU would overwrite any from the Domain or Site, providing that you don't have any special settings such as Block Overwrite, etc.
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I'm sure someone will correct me if I'm wrong, but here goes:

    Group Policies are applied in DSOU order.. Domain, Site, OU. Since the OU is the last to be applied, I think that the Password Policies set in the OU would overwrite any from the Domain or Site, providing that you don't have any special settings such as Block Overwrite, etc.

    LSDOU(CH)

    Local, Site, Domain, OU, ChildOU.
    All things are possible, only believe.
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    I'm sure someone will correct me if I'm wrong, but here goes:

    Group Policies are applied in DSOU order.. Domain, Site, OU. Since the OU is the last to be applied, I think that the Password Policies set in the OU would overwrite any from the Domain or Site, providing that you don't have any special settings such as Block Overwrite, etc.
    Actually it's LSDOU, and dynamik is right. In 2003 password policies applied to anywhere but the domain root only apply to local accounts.
  • cnfuzzdcnfuzzd Member Posts: 208
    so pretty much there is no way to remove the requirement on this group of users to change their passwords without breaking them out into a new domain?


    John
    __________________________________________

    Work In Progress: BSCI, Sharepoint
  • dynamikdynamik Banned Posts: 12,314 ■■■■■■■■□□
    cnfuzzd wrote:
    so pretty much there is no way to remove the requirement on this group of users to change their passwords without breaking them out into a new domain?


    John

    Or by using local accounts. Which might be a viable option if it's only something like two accountants. Otherwise, yes, you'd need to make a new domain.

    Like I said originally, you could always upgrade to 2008 as well.
  • royalroyal Member Posts: 3,353
    Upgrade to Server 2008 IMO. Creating a new domain when Server 2008 has this capability is just beyond ridiculous.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • cnfuzzdcnfuzzd Member Posts: 208
    thanks guys. I am going with the third option, the "tell the users to deal with it". changing a password is not hard, and is a good idea. I was just curious as I just read this last night and its always exciting to learn something new!


    Thanks Again

    John
    __________________________________________

    Work In Progress: BSCI, Sharepoint
Sign In or Register to comment.