GPO random question

jrmeulemans

User and computer configuration

User account policies:
- password length
- lockouts
- etc

These all have to do with the user, why on earth are they found under "computer configuration?"

Every now and then I can't find a policy just from browsing directories that I would assume would be logically located there, only to find they are in a different place altogether.
Does anyone know of a good article or something that explains the structure of GPO?

dynamik

You just need to spend time with it. Things usually are fairly straight forward; password policies are one of the few really counter-intuitive areas. Just remember that password policies are applied to computers and affect all users on the computer.

RobertKaucher

Because the policies are set at the computer level, not at the user level. Password policies are blanket policies that affect all users who login. You cannot set a password policy (under normal GPO conditions) on just a certain group of users. Password policies are set at the domain level and work on all computers/servers in that domain. They are not set on users, who are mobile, and can go from PC to PC.

I'm not very happy with this explanation, but I hope it helps you understand...

RTmarc

RobertKaucher wrote: »

Because the policies are set at the computer level, not at the user level. Password policies are blanket policies that affect all users who login. You cannot set a password policy (under normal GPO conditions) on just a certain group of users. Password policies are set at the domain level and work on all computers/servers in that domain. They are not set on users, who are mobile, and can go from PC to PC.

I'm not very happy with this explanation, but I hope it helps you understand...

I think it works well.

Hyper-Me

and, at least for the password policy, you are going to set that once in the Default Domain Policy and leave it, if you are going to utilize the granular policies you have to create PSO's and apply those to users/groups.