albracco (Posts: 2) | 03/10/2010 4:54 PM
Having a strange problem with only part of a GPO seemingly being applied:
Windows 2003 AD. Single domain with two organizational units. Besides the default domain policy, which is link enabled to the domain but not enforced, the organizational units have their own group policy. I wanted to set up different account/password policies for each of the OUs. I edited each policy and made the account policy changes under computer configuration. If I look at the settings for the policy in GPM, the changes I made are there.
If I look at the GP inheritance tab for the OU, it shows the OU policy as primary and enforced, with the default domain policy as secondary, but not enforced. If I look at the Linked Group Policy Objects Tab, it shows just the OU policy and it is enforced and link enabled.
The problem is that the account policy changes I have made are not being implemented. For example, I set password complexity, but can still create a non-complex password. I ran gpupdate /force on the client and have rebooted also.
Here's where the problem lies: If I run the GPR wizard on one of the client PCs, using a login account from the OU, it shows that the OU policy was applied for Windows settings, but not for Computer settings. It also shows the default domain policy as applied for both Windows and User settings.
I'm not sure at this point where to look next. Appreciate any guidance you can give.
Thanks
Al
Al Bracco GIAC Certified Computer Security Analyst Microsoft, Linux and SCO Certified Professional
Open Systems Computing Corp 1341 Hamburg Turnpike Suite 2, Floor 2 Wayne, NJ 07470 973-709-9400 973-709-9410 (fax) www.opensystemscomputing.com www.go2unix.com
jeromelcruz (Posts: 120) | 03/10/2010 7:32 PM
Al,
Unless you have Windows Server 2008 Domain Controllers running at the W2K8 Forest Functionality level, you cannot specify more than a single set of Account Policy setting policies. The settings that apply are the ones located at the root of the domain (in your case, the Default Domain Policy). This is because the DCs read those 'domain root' GP settings (and only those) and stamp them as properties on the domain root object.
The reason that you can seem to apply Policy Settings at lower OU levels is because the Microsoft model allows these settings to apply to the 'local SAM accounts' on member servers and PCs-not to 'Domain Accounts' logging onto them. So... if you are using local PC or local server accounts, the OU level policy setting will apply to them, but only to them.
If you ARE using W2K8 DCs running at the W2K8 Forest Functional level, then you 'can' apply different Account Policy settings using a newer feature called Fine Grained Passwords. You can read about these at the MS TechNet web site. http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture | Boeing IT
albracco (Posts: 2) | 03/10/2010 7:51 PM
Jerome,
It is Windows 2003 and I've never used anything other than the default policy before, so I was unaware of that restriction. Sounds like they will have to stick with a single account policy for now. I'll use that as another reason why they should upgrade!
I'll test this out next week. Thanks for the quick answer!
Al
Syspro (Posts: 0) | 03/10/2010 8:15 PM
Hi,
This behaviour becomes easier to understand if you ask "who makes the decision?". When you logon to the domain, it is not the user who decides password policy, nor is it the user's workstation. It is the Domain Controller.
So, you need to ask which policy is in effect on the domain controller. In your case, it is the Default Domain Policy.
When you logon to the local machine, it is the local machine that decides the password policy. So in this case it is the password policy that is applied to the local machine, which will be the one at the OU level.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor (Now with ADMX support):
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter - including Preference logging (Free):
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
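The "who decides?" split that Jerry and Alan describe can be checked directly from a domain-joined machine. The script below is an added example, not code from anyone in this thread; it assumes a domain-joined Windows host, and for the AD cmdlets the ActiveDirectory module (RSAT from Windows Server 2008 R2 or later, which can talk to a 2003 domain only through the AD Management Gateway service on a DC). The account name jdoe is a placeholder.

```powershell
# Added example: compare the account policy the local machine enforces for its
# own SAM accounts with the policy the domain controllers enforce for domain
# accounts, then check whether Fine-Grained Password Policies are even possible.
param(
    [string]$DomainUser = 'jdoe'   # placeholder sAMAccountName, not from the thread
)

# 1. Policy enforced for LOCAL SAM accounts on this machine. This is the result
#    of ordinary GPO processing, so Account Policy settings in an OU-linked GPO
#    DO show up here (that is what the OU GPO in the thread was changing).
Write-Host '== Local SAM account policy (an OU-level GPO can change this) =='
net accounts

# 2. Policy enforced for DOMAIN accounts, read from the domain object. In a
#    Windows 2003 domain this always reflects the domain-root GPO (here the
#    Default Domain Policy), no matter what is linked to the user's OU.
Write-Host '== Domain account policy (domain-root GPO only) =='
net accounts /domain

Import-Module ActiveDirectory -ErrorAction Stop

# 3. The same domain-root values as stamped on the domain head object.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold

# 4. Fine-Grained Password Policies (PSOs) require the Windows Server 2008
#    domain functional level. Below that there is nothing to query.
$domain = Get-ADDomain
Write-Host "Domain functional level: $($domain.DomainMode)"
if ($domain.DomainMode -ge 'Windows2008Domain') {
    # Resultant policy for one user: the winning PSO, or nothing if only the
    # domain default applies to that user.
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $DomainUser
    if ($null -eq $rsop) {
        Write-Host "$DomainUser has no PSO; the domain-root policy applies."
    } else {
        $rsop | Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength
    }
} else {
    Write-Host 'Functional level below Windows Server 2008: no PSOs possible;'
    Write-Host 'every domain account uses the domain-root policy.'
}
```

The first two `net accounts` outputs are the quickest confirmation of the thread's diagnosis: if "Minimum password length" or the complexity-related values differ between them, the OU GPO is being applied, just only to local accounts.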