AD Password Policy ??

bran2235

IS-IT--Management
Feb 13, 2002
703
US
Hello everyone,

I need to put a PW policy in very soon. Can someone tell me if the below is the correct way:

1.) We have a single domain/site so I went to ROOT level and added new policy ("Domain PW Policy"), and checked the box for "No Override" (??- saw this on MS site, why do I do this??)
2.) I moved the new policy to the top of the list
3.) I did not touch the Default Domain Policy
4.) When the time comes to put this in place I will adjust the GPO accordingly...

One More Question:
Since I checked "No Override" for the New PW Policy (GPO), is this going to mess up my Domain (default) Kerberos settings? I noticed that the Kerberos setting had a whole bunch of settings in the Default Domain GPO.. Should I match/copy these here to the new PW Policy GPO? I think the new PW POLICY is going to override the Default Domain Policy and thus override the Kerberos settings there...

Help!

Thanks!
Brandon
 
Your default domain policy is the one that should be configured with the password lockdown. The "No Override" means that no other policy configured can "override" this one. It's up to you how complex you want to make things, but you want to leave that unchecked and it won't matter where it's placed in the list. It makes it much easier to troubleshoot as well. You want every workstation and server in the domain to follow these requirements, so it will affect anything that uses it. That's how it should be..all or nothing.

pbxman
Systems Administrator

 
Are you saying scrap the new GPO altogether? Everywhere I read says to create a new GPO(?)

So, in short, make my password policies at the Default Domain Policy???


Thanks,
Brandon
 
The reason why you would want to make your own pw policy is quite simple. Using no override is correct. The same policy (it is a computer configuration policy - so remember to disable the user configuration) must be set on all computers - including DC's.

However the Default domain policy can have other settings - for example - locking down a desktop or setting offline folders or whatever - which you may not want to force onto servers or DC's.

Your approach is absolutely correct.

GL

Martyn
 
"Should I match/copy these here to the new PW Policy GPO? I think the new PW POLICY is going to override the Default Domain Policy and thus override the kerberos settings there..."

No you don't need to. The new policy will only override settings that are defined in the new policy. Considering that you are only defining password settings in the new policy, the Kerberos settings defined in the default policy will remain in place. Any settings that are "not configured" will not override settings in other policies.



Ben Christian
MCSE, MCSA:Messaging
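
A way to check the point in the reply above on a live domain, namely that only settings a GPO actually defines take part in precedence. This is an added example, not part of the thread. It uses the current ActiveDirectory and GroupPolicy PowerShell modules, where "No Override" is shown as Enforced, looks only at GPOs linked at the domain root, and assumes the XML report lists account-policy settings as Account elements with Name, Type and Setting* children:

```powershell
# Added example: audit which domain-root GPO supplies each account-policy setting.
# Needs the RSAT ActiveDirectory and GroupPolicy modules and a domain-joined host.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$links = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object Enabled

# Collect every account-policy setting (password, lockout, Kerberos) that each
# linked GPO defines. "Not configured" settings do not appear in the report,
# so they never compete with settings defined in another GPO.
$defined = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    # Assumption: account policies are reported as <Account> elements.
    foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
        [pscustomobject]@{
            Setting  = $node.SelectSingleNode("*[local-name()='Name']").InnerText
            Type     = $node.SelectSingleNode("*[local-name()='Type']").InnerText
            Value    = $node.SelectSingleNode("*[starts-with(local-name(),'Setting')]").InnerText
            Gpo      = $link.DisplayName
            Enforced = $link.Enforced   # "No Override" in the older console
            Order    = $link.Order      # 1 = top of the link list
        }
    }
}

# Per setting, an enforced link beats a non-enforced one; ties go to the
# lower link order (the GPO higher in the list).
$winners = $defined | Group-Object Setting | ForEach-Object {
    $_.Group |
        Sort-Object @{ Expression = 'Enforced'; Descending = $true }, Order |
        Select-Object -First 1
}
$winners | Sort-Object Type, Setting |
    Format-Table Type, Setting, Value, Gpo, Enforced, Order

# Cross-check against what the domain currently applies for passwords and lockout.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration
```

If the Kerberos rows still name the Default Domain Policy while the Password rows name the new GPO, the two policies are merging the way the reply describes.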
 
Atomic-

..."The same policy (it is a computer configuration policy - so remember to disable the user configuration) must be set on all computers - including DC's)."

Can you explain (sorry) what you mean here?


Thanks!
Brandon
 