Sunday, May 13, 2012

You may miss something on the Password Policy in the domain environment

It isn't difficult to configure the "Password Policy" for your domain environment. However, you may miss something when you are configuring "Password Policy".

First, the "Password Policy" lives under "Account Policies". Each domain can have only one Account policy for its domain accounts. That policy must be defined either in the Default Domain Policy or in a new GPO that is linked to the root of the domain and given higher precedence than the Default Domain Policy. The domain-wide Account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, the domain controllers always retrieve the values of these settings from the Default Domain Policy Group Policy object (GPO), or from the higher-precedence GPO linked at the domain root.


If a "Password Policy" is linked at an OU level instead, it only affects the local accounts on the workstations in that OU (through their local security policy), not the domain accounts.

Reference:
Domain Level Account Policies

WHY GPOS WITH PASSWORD AND ACCOUNT LOCKOUT POLICY SETTINGS MUST BE LINKED TO THE AD DOMAIN OBJECT TO BE EFFECTIVE ON AD DOMAIN USER ACCOUNTS

Second, "Account Policies" sits under "Computer Configuration". If the Computer Configuration settings of the GPO are disabled (in the GPO status), the "Password Policy" in that GPO cannot be applied to the computers at all.


Thirdly, make sure the GPO carries no security filter or WMI filter that excludes the Domain Computers (the domain controllers included) from applying it.


Fourthly, make sure the Domain Controllers OU is not configured with the "Block Inheritance" option.
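As an added example (not part of the original post), the following PowerShell audits the four points above with the RSAT ActiveDirectory and GroupPolicy modules; it assumes it is run on a domain-joined machine where those modules are installed and discovers the domain itself.

```powershell
# Added example: audit the four password-policy pitfalls described above.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$dcOuDn   = $domain.DomainControllersContainer

# 1. What the domain controllers actually enforce for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  MinPasswordAge, ComplexityEnabled, LockoutThreshold | Format-List

# GPOs linked at the domain root, in precedence order (lowest Order wins).
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object Enabled | Sort-Object Order

foreach ($link in $rootLinks) {
    $gpo    = Get-GPO -Guid $link.GpoId
    $issues = @()

    # 2. Account Policies live under Computer Configuration; if that half of
    #    the GPO is disabled, its Password Policy never reaches any computer.
    if ("$($gpo.GpoStatus)" -match 'ComputerSettingsDisabled|AllSettingsDisabled') {
        $issues += "Computer Configuration is disabled ($($gpo.GpoStatus))"
    }

    # 3a. A WMI filter that excludes the domain controllers silently drops it.
    if ($gpo.WmiFilter) {
        $issues += "WMI filter '$($gpo.WmiFilter.Name)' is attached"
    }

    # 3b. Security filtering: the DCs need Apply Group Policy. By default that
    #     comes from 'Authenticated Users'; flag GPOs where it was removed.
    $apply = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    if (-not ($apply.Trustee.Name -contains 'Authenticated Users')) {
        $issues += "Apply rights limited to: $($apply.Trustee.Name -join ', ')"
    }

    $status = if ($issues) { $issues -join '; ' } else { 'OK' }
    "{0,3}  {1,-40} {2}" -f $link.Order, $gpo.DisplayName, $status
}

# 4. Block Inheritance on the Domain Controllers OU stops the domain-linked
#    policy from reaching the DCs (unless the domain link is marked Enforced).
if ((Get-GPInheritance -Target $dcOuDn).GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $dcOuDn"
}
```

A GPO listed as OK with Order 1 is the one whose Account Policies the domain controllers enforce; anything flagged on that line explains why a changed password policy does not take effect.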


Reference:
Changes are not applied when you change the password policy
http://support.microsoft.com/kb/269236

I hope this topic can help you when you are configuring the "Password Policy".
