Block inheritance for Account Policy

gary

Distinguished
Dec 31, 2007
1,052
0
19,280
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello,

I'm planning to implement account policy at our
organization. As far as I understand account policy gpo to
work it should be linked to domain.
I have couple OUs containing system computer ans user
accounts and I do not want to apply account policy to
theses containers. The question is if I can block
inheritance of account policy for these specific
containers? Are there any special rules when applying
account policy?

I will be very grateful for your help,
Thanks,
Gary
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Account policy for "domain" users can only be configured at the domain level. If
configured at any other level, it will be ignored for domain users but apply to local
user accounts on domain computers in the OU where it is configured. -- Steve

"Gary" <anonymous@discussions.microsoft.com> wrote in message
news:2aa2701c4672e$4a8715e0$a401280a@phx.gbl...
> Hello,
>
> I'm planning to implement account policy at our
> organization. As far as I understand account policy gpo to
> work it should be linked to domain.
> I have couple OUs containing system computer ans user
> accounts and I do not want to apply account policy to
> theses containers. The question is if I can block
> inheritance of account policy for these specific
> containers? Are there any special rules when applying
> account policy?
>
> I will be very grateful for your help,
> Thanks,
> Gary
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Gary

Generally speaking, don't try to block domain wide account policy on special
accounts (service accounts etc) but rather use the options in the properties
of account itself such as "Password never expires". You then manually
change these passwords from time to time (something sensible) to reduce
successful attack likelihood.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:WpeIc.52497$JR4.11876@attbi_s54...
> Account policy for "domain" users can only be configured at the domain
> level. If
> configured at any other level, it will be ignored for domain users but
> apply to local
> user accounts on domain computers in the OU where it is configured. --
> Steve
>
> "Gary" <anonymous@discussions.microsoft.com> wrote in message
> news:2aa2701c4672e$4a8715e0$a401280a@phx.gbl...
>> Hello,
>>
>> I'm planning to implement account policy at our
>> organization. As far as I understand account policy gpo to
>> work it should be linked to domain.
>> I have couple OUs containing system computer ans user
>> accounts and I do not want to apply account policy to
>> theses containers. The question is if I can block
>> inheritance of account policy for these specific
>> containers? Are there any special rules when applying
>> account policy?
>>
>> I will be very grateful for your help,
>> Thanks,
>> Gary
>>
>
>