If Fine grained policy can be applied to 2003 clients

    Question

  • Hi, can anybody tell me if fine-grained policy can be applied to a Windows 2003 client machine? Basically we have 2008 DCs. The domain level is also 2008. However, we have client servers which are 2003 servers. Will a fine-grained policy created in a 2008 domain be applied to 2003? Or do I need to deploy any client-side extension to the 2003 client machine? Does the client-side extension support fine-grained policy?
    Wednesday, July 17, 2013 10:52 AM

Answers

  • All,

    I have managed to fix the issue. Actually I was not setting msDS-LockoutObservationWindow and msDS-LockoutDuration, and without these settings account lockout doesn't work. Both of these attributes are major ones when creating a PSO. Everything else is pretty simple.

    Thanks

    Bishes

    MCP MCTS

    Tuesday, July 23, 2013 11:50 AM
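
The fix described in the answer above, as an added example that is not part of the original thread: a PSO created with the lockout threshold, observation window and duration all set explicitly, then checked against the resultant policy for each test account. It assumes the ActiveDirectory PowerShell module is available; the PSO name, the account names and the 30-minute values are constructed placeholders, while precedence 2 and threshold 2 are the values from the thread.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# and rights to create objects in the Password Settings Container.
Import-Module ActiveDirectory

# FGPP depends on the domain functional level (2008 or higher), not on the client OS.
(Get-ADDomain).DomainMode

$psoName   = 'Test-Lockout-PSO'            # hypothetical name
$testUsers = 'testuser1', 'testuser2'      # hypothetical accounts

# Set all three lockout values together. The thread's problem was a PSO
# without a usable observation window and lockout duration.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 2 `
    -LockoutThreshold 2 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Link the PSO directly to the test accounts, as the poster did.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $testUsers

# Confirm which PSO wins for each account and what lockout values it carries.
foreach ($user in $testUsers) {
    Get-ADUserResultantPasswordPolicy -Identity $user |
        Select-Object @{ n = 'User'; e = { $user } }, Name, Precedence,
            LockoutThreshold, LockoutObservationWindow, LockoutDuration
}

# Review every PSO in the domain; a threshold of 0 means accounts under
# that PSO are never locked out.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold,
        LockoutObservationWindow, LockoutDuration,
        @{ n = 'LockoutEnabled'; e = { $_.LockoutThreshold -gt 0 } } |
    Sort-Object Precedence |
    Format-Table -AutoSize
```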

All replies

  • Hello,

    Important is the functional level; this must at least be Windows Server 2008 or higher.

    Just for the terms used, there is no Windows Server 2003 client; either it is Windows XP, or Windows Server 2003 and you have configured it as a Terminal Server.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, July 17, 2013 11:35 AM
  • Hi Meinolf,

    Many thanks for your response. We have the domain functional level at 2008. We have a mixed environment where we have servers with 2003/2008 OS and Terminal Server configured. I have created a PSO and applied it to 2 of our test accounts (directly applied to Windows accounts, not to any security group). For both accounts the resultant PSO is pointing to the PSO I created. But still it is not reflected. I have set the account lockout threshold to 2 invalid attempts. It is not working. The Default Domain Policy has 0 invalid attempts. How much time does it take to get reflected? So we don't need to install any GP client-side extension, right?

    Regards

    Bishes

    MCP MCTS

    Wednesday, July 17, 2013 1:14 PM
  • Hello,

    So you have checked according to http://jorgequestforknowledge.wordpress.com/2007/09/11/determining-the-effective-pso-for-a-user/ that the settings are applied for the user?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, July 17, 2013 1:39 PM
  • Will a fine-grained policy created in a 2008 domain be applied to 2003? Or do I need to deploy any client-side extension to the 2003 client machine? Does the client-side extension support fine-grained policy?

    The Fine Grained Password Policies (FGPP) are dependent on the functional level and the policy itself. There is no dependency on client-side extensions or on whether you are on a specific Windows client OS.

    Check the policy and make sure you are implementing it correctly and applying to the correct security objects.



    Wednesday, July 17, 2013 2:21 PM
  • Hi Meinolf / ITGeared,

    Thanks for your response. However, I checked the permissions of the PSO which I created, and all seem to be fine. I have added only 2 users to the PSO, and the PSO has read permission for both of them. As I mentioned earlier, the resultant PSO is showing the right PSO. Somehow it is not working.

    IT Geared: Which policy are you mentioning here? Working on PSOs does not need anything to be amended in the GPO, right? I created it in ADSIEDIT and provided the necessary permissions there only. I have modified nothing in the GPO. The priority I have given the PSO is 2. Will that be a problem? My test here is that the account lockout threshold in the PSO is 2 but the default domain policy has 0. Accounts are not getting locked out after 2 invalid attempts.

    Regards

    Bishes

    MCP MCTS

    Friday, July 19, 2013 7:55 AM
  • I have a mixed environment, as I mentioned in my earlier post. Servers with 2003, 2000 and 2008 are all there. My domain functional level is 2008 R2. Am I missing something here? Can anyone please help?

    Bishes

    MCP MCTS

    Monday, July 22, 2013 2:49 PM
  • Hi,

    Very glad to hear that and thanks for your good sharing.

    Have a nice day.

    Regards.


    Vivian Wang
    TechNet Community Support

    Wednesday, July 24, 2013 10:08 AM
    Moderator