Should the Default Domain Policy be enforced ?

    Question

  • The question is for both 2003 and 2008 domains. It is not enforced by default, so what impact will that have if a site admin managing their site OU blocks inheritance? Will password policy get applied? I would have thought in most scenarios you would want the DDP to be enforced, so why is it not configured by default?

    Interested to get people's views on this.

    Thursday, May 17, 2012 10:16 AM

Answers

  • Your understanding is correct and normally, you don't require enforce or block inheritance GPO settings under ordinary circumstances. Account lockout as well as password policy will be applied regardless of the block inheritance because it is applied on the computers not on the users. Password policy is part of the computer configuration and yes, it has to be applied at the domain level.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Tech11-EU Friday, May 18, 2012 1:51 PM
    • Marked as answer by ITForum2013 Monday, May 21, 2012 1:18 PM
    Thursday, May 17, 2012 11:08 AM
    Moderator

All replies

  • No, you don't have to force Default Domain Policy in case of password inheritance. In a domain you can use only one password policy over GPO. Please check an article on my blog for Domain Password policy at

    http://kpytko.wordpress.com/2012/05/16/domain-password-policy/

    Default Domain policy is the only one policy defined by default during AD creation and it is applied at domain level. Many settings are set up there as startup options and you can simply adjust them as you wish. Many of them are not enabled and you can use your own GPOs but I don't think it is necessary to force DDP in this case.


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    • Proposed as answer by Tech11-EU Friday, May 18, 2012 8:18 AM
    • Unproposed as answer by Tech11-EU Friday, May 18, 2012 8:21 AM
    Thursday, May 17, 2012 10:22 AM
  • In windows 2003 domain, you can have single password policy and account lockout policy only. There is no reason to enforce or block inheritance DDC policy.

    Tales from the Community: Enforced vs. Block Inheritance

    http://blogs.technet.com/b/grouppolicy/archive/2010/01/07/tales-from-the-community-enforced-vs-block-inheritance.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, May 17, 2012 10:35 AM
    Moderator
  • Thanks both.  So I am hearing no you don't need to and generally it may complicate troubleshooting to enforce.  Blocking inheritance on a child OU only means when there is a conflict from a GPO higher up the top level will not win and as password and lockout policy can only be set at domain level these settings will always apply regardless of whether someone has blocked inheritance lower down.
    Thursday, May 17, 2012 10:46 AM
  • Yes, that's true. Password policy is always applied at domain level and is always applied regardless of block inheritance on an OU or not.

    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    Thursday, May 17, 2012 10:52 AM
  • It is part of the computer configuration; it gets applied to the Domain Controllers OU. So as others have also stated, the default domain policy (or a domain policy in general) is the only location where you can apply the password policy. Policies at the site and OU level that have password policies are applied against the local machines for local users. You can however use the Fine Grained Password Policy (FGPP) if you want to single out a small subset of users with a different policy.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, May 17, 2012 11:54 AM
    Moderator
  • Hi,

    I agree with others.

    I hope the articles below can help understanding this issue:

    Strengthening Domain Policy Settings

    http://technet.microsoft.com/en-us/library/4695b475-f87e-45c5-93c7-49af2f94215f(v=ws.10)#BKMK_Pwd

    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

    Regards

    Kevin



    TechNet Community Support

    Friday, May 18, 2012 5:17 AM
  • Is my statement true? The DDP password and lockout settings get applied to domain controllers, and it is here that they take effect and not on the computers at the site level. Not that you would, but in theory if you blocked inheritance on the Default Domain Controllers OU, would the password and lockout settings still take effect?
    • Edited by Tech11-EU Friday, May 18, 2012 8:23 AM
    Friday, May 18, 2012 8:21 AM
  • There is a common misconception that password policy is applied on users, not on computers. Let's go into a flashback of where password policy is exactly defined and configured in GPO: it is in computer, not user, settings. So password policy should only be applied at the domain level wrt w2k3.

    Quoted from the below Technet article

    "The only exception to this rule is when another Account policy is defined for an organizational unit (OU). The Account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level Account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU Account policy nor a domain policy applies".

    http://technet.microsoft.com/en-us/library/cc748850%28v=ws.10%29.aspx

    http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-account-lockout-policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-user-accounts.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 8:58 AM
    Moderator
  • OK, but the posting previously made mention of the DDP password and lock-out settings applying only to domain controllers, and this is where the settings are got, so I went on to ask what would happen if inheritance was blocked at the Default Domain Controllers OU. Would the password policy part still get applied to the domain?
    Friday, May 18, 2012 9:18 AM
  • Blocked inheritance will not block password and account lockout settings.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 9:29 AM
    Moderator
  • OK, thanks. And in relation to the password and account lock-out settings, we are in agreement that these apply only to the domain controllers? I assume therefore that in theory these settings could be configured in the Default Domain Controllers Policy rather than the Default Domain Policy?
    Friday, May 18, 2012 9:50 AM
  • Password policy is executed by the PDC and it is stored in attributes applied at the domain NC.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 9:56 AM
    Moderator
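The two points raised above, that the domain password and lockout settings live as attributes on the domain naming context (not on GPO links) and that only a fine-grained password policy can override them for a given user, can be verified from a domain-joined machine. This is an added example and not code from the thread; it assumes the RSAT ActiveDirectory module is installed, and the account name `jdoe` is a placeholder.

```powershell
# Added example (not from this thread): show where the domain password/lockout
# policy actually lives and which policy a given user ends up with.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator   # password changes and bad-password attempts are forwarded here

# 1. The settings from the domain-linked GPO are written to attributes on the
#    domain NC head object; DCs read these, not GPO links, when a user authenticates.
$attrs = 'maxPwdAge','minPwdAge','minPwdLength','pwdHistoryLength',
         'pwdProperties','lockoutThreshold','lockoutDuration','lockOutObservationWindow'
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties $attrs -Server $pdc

# Interval attributes are negative Int64 values in 100-nanosecond ticks;
# Int64.MinValue on maxPwdAge means "passwords never expire".
function Convert-AdInterval([long]$Value) {
    if ($Value -eq [long]::MinValue -or $Value -eq 0) { return 'never / not set' }
    return [TimeSpan]::FromTicks(-$Value)
}

[pscustomobject]@{
    MaxPasswordAge       = Convert-AdInterval $head.maxPwdAge
    MinPasswordAge       = Convert-AdInterval $head.minPwdAge
    MinPasswordLength    = $head.minPwdLength
    PasswordHistoryCount = $head.pwdHistoryLength
    ComplexityEnabled    = [bool]($head.pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX bit
    LockoutThreshold     = $head.lockoutThreshold
    LockoutDuration      = Convert-AdInterval $head.lockoutDuration
    LockoutObservation   = Convert-AdInterval $head.lockOutObservationWindow
} | Format-List

# 2. Cross-check: this cmdlet reads the same domain object.
Get-ADDefaultDomainPasswordPolicy -Server $pdc |
    Format-List MaxPasswordAge, MinPasswordLength, LockoutThreshold

# 3. A fine-grained password policy (PSO, 2008 domain functional level or later)
#    is the only thing that overrides the domain policy for a domain user.
$sam = 'jdoe'   # placeholder account name
$pso = Get-ADUserResultantPasswordPolicy -Identity $sam -Server $pdc
if ($pso) {
    "$sam is governed by PSO '$($pso.Name)' (precedence $($pso.Precedence))"
    $pso | Format-List MaxPasswordAge, MinPasswordLength, LockoutThreshold
} else {
    "$sam falls back to the domain policy above (no PSO applies)"
}
```

Blocking inheritance on any OU, including Domain Controllers, changes none of the attributes this script reads, which is why the replies above say it has no effect on password or lockout policy.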
  • When you define password settings in the Default Domain Policy, it gets applied to each and every computer object (client systems/member servers/domain controllers). So you cannot define this in the Default Domain Controllers Policy.

    http://technet.microsoft.com/en-us/library/cc875814.aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 10:01 AM
  • Thanks Prashant. Do you happen to know at which computer type the default domain password and lockout settings are taking effect for the domain users? I assume it is at the domain controller level?
    • Edited by Tech11-EU Friday, May 18, 2012 10:11 AM
    Friday, May 18, 2012 10:11 AM
  • Thanks Prashant. Do you happen to know at which computer type the default domain password and lockout settings are taking effect for the domain users? I assume it is at the domain controller level?

    Your statement is confusing.

    Let's make it simple.

    When you define password policy settings at domain level (in the Default Domain Policy), it gets applied to all the computers in a domain (as stated in my earlier post).

    Your question:

    Do you happen to know at which computer type the default domain password and lockout settings are taking effect for the domain users?

    Which computer type: are you talking about computer OS here? As I said, it will apply to each and every computer in a domain. There is nothing called computer type.

    I assume it is at the domain controller level?

    There is no domain controller level in a domain. The different levels where you can apply group policy are Site, Domain and OU.

    I hope my statements are making sense here.

    If you are having questions on this, please elaborate so that we can try to answer in a more efficient way.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 10:22 AM
  • OK. I realize I was not clear. The password and lockout settings of the DDP are computer settings and are applied to all computer objects within the domain. That I am clear on. I guess what I am trying to establish now is what is the difference between the settings getting applied to the domain controllers and those getting applied to normal computers when it comes to domain user password policy.

    i.e. when the password of a domain user account expires, it is not the GPO settings being applied on the client computer which are forcing the user to change their password but those of the DC, correct? Or is it a combination of both? Or am I adding to the confusion :)

    Friday, May 18, 2012 10:40 AM
  • The DC contains the database and it stores all the attributes, so obviously it's the DC which processes the password change.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 11:06 AM
    Moderator
  • OK, to clarify your question:

    It is AD which is responsible for checking password expiration in a domain.

    For example, you have set a Group Policy which has a password expiration after 60 days. It is your AD which keeps track of this. After 60 days, the user's password will expire and the user will be asked to change the password.

    This means Group Policy is only used to apply the password settings. If the password expires, the domain controller will ask the user to change the password to a new password. Group Policy has nothing to do with forcing the users to change their password.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 18, 2012 11:10 AM
  • Whoever is the moderator of this post, I suggest the last 4 or so posts including mine are removed as they probably complicate matters for future readers. I am happy the main part of the original question was addressed earlier on in the discussion.

    thanks all.

    Friday, May 18, 2012 11:10 AM
  • The policy is applied against the USER OBJECTS, which are held on the DOMAIN CONTROLLERS. You can't apply the policy in the DC GPO and expect it to work; it won't.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, May 18, 2012 12:51 PM
    Moderator
  • I wasn't planning on linking the DDP to the Domain Controllers OU, just getting clarity on how the different parts of the GPO get applied to the end user.

    Thanks all for your input. 

    Friday, May 18, 2012 1:05 PM