Tek-Tips is the largest IT community on the Internet today!

local policy vs. group policy

swabs (IS-IT--Management, US, 155 posts), Jul 28, 2003
Is it possible to set the password policy on a single machine to higher security than other machines on the domain? We are implementing Citrix and we would like to have an 8 character minimum for remote users and complex passwords.
The rest of the domain currently has a 6 character minimum. Can a local policy override the default domain policy? It doesn't seem to.
Any ideas?

thanks
 
You might want to look into the option of adding the Citrix server in its own OU and add a Group Policy with Blocked Policy Inheritance enabled.

"In space, nobody can hear you click..."
 
Reddlefty,
thanks for the suggestion, but blocking policy inheritance doesn't override password policies. It is a one-per-domain policy only. It looks like I will have to make a child domain in order to accomplish this.
thanks,
Ben
 
Policies are applied in the following order

Local
Site
Domain
OU

Unless changed by a policy later in the order, your settings stick. So, Reddlefty's suggestion would work. The domain may be set for 6 characters, but the next one in line is the OU. If the Citrix OU has a policy set for 8 characters, that would be the final policy applied.
 
desktop,
Thanks for the reply. I was also taught the LSD-O order for policies, but I don't think it works in the real world. I have tried setting the local policy several times and it doesn't override the Default domain policy.
I think password policy is a special case that is outside the scope of the LSD-O order. But I would love it if it wasn't.
thanks,
Ben
 
Hmmph, guess I should have tried testing on my own before answering.

Anyway, while thumbing through old issues of Windows & .NET Magazine tonight... in particular, the Sept 2003 issue.

Instantdoc 39772

"...block policy inheritance.. This setting blocks all policies defined in the Default Domain Policy except for Password, Lockout and Forcibly disconnect users when logon hours expire policies from applying to your DCs. Because AD enforces only one Password, Lockout and Forcibly disconnect users when logon hours expire policy for all domain users, AD reads only GPOs linked to the root of the domain."

I stand corrected, sorry.
 
There is one last thing you can do, but it will nullify the benefit of Active Directory for policy management on those computers.
You can apply 'User Loopback group policy processing mode'. Read the details for the policy under:
Computer Configuration
>Administrative Templates
>>System
>>>Group Policy

Be certain you have not disabled it domain wide in another GPO elsewhere.
 
What about creating a new policy at the DOMAIN level - naturally. Make it as vicious as you like, but set the security such that it only applies to the one machine.

Remove Authenticated Users, and just add the computer name to that policy. (Make sure you select View, Advanced, then use the Security tab.)

See more on Group Policies here.

Guy Thomas

Scripting Ezine
 
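An added example, not from any post in this thread: a PowerShell audit script that lists which linked GPOs carry password/lockout settings at the domain root (the only links AD reads for domain accounts, per the quoted article) versus at the Citrix OU (where they only shape the local SAM on those machines). It assumes the RSAT GroupPolicy and ActiveDirectory modules, read access to SYSVOL, and a placeholder OU name in $CitrixOU.

```powershell
# Added example (not from the thread): audit where password policy settings come from.
# Assumes: RSAT GroupPolicy + ActiveDirectory modules, read access to SYSVOL,
# and that $CitrixOU is the DN of the OU holding the Citrix server (placeholder name).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$CitrixOU = "OU=Citrix,$($Domain.DistinguishedName)"   # placeholder OU name
$Keys     = 'MinimumPasswordLength','PasswordComplexity','PasswordHistorySize',
            'MaximumPasswordAge','LockoutBadCount'

# Read the [System Access] section of a GPO's security template (GptTmpl.inf) in SYSVOL.
function Get-GpoPasswordSettings {
    param([Guid]$GpoId)
    $inf = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies\{$GpoId}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $result = @{}
    if (-not (Test-Path $inf)) { return $result }   # GPO defines no security settings
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') -and ($Keys -contains $Matches[1])) {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# Report every link on a container, in application order, that sets any of the keys.
function Show-PasswordPolicyLinks {
    param([string]$Target, [string]$Scope)
    foreach ($link in (Get-GPInheritance -Target $Target).GpoLinks | Sort-Object Order) {
        $settings = Get-GpoPasswordSettings -GpoId $link.GpoId
        if ($settings.Count -eq 0) { continue }
        [pscustomobject]@{
            Scope    = $Scope
            GPO      = $link.DisplayName
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
            Settings = ($settings.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }
}

# Only the domain-root group is honoured for domain accounts; the OU group only
# affects local accounts on machines inside that OU.
Show-PasswordPolicyLinks -Target $Domain.DistinguishedName -Scope 'domain root (effective for domain accounts)'
Show-PasswordPolicyLinks -Target $CitrixOU -Scope 'OU (local accounts on those machines only)'
```

Run it from a domain-joined admin workstation; a GPO that sets MinimumPasswordLength=8 at the OU will show up in the second group, which is why the Citrix server's domain users still get the 6 character minimum from the first.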