Justin

Distinguished
Apr 2, 2004
271
0
18,780
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello,

I have two probs which need enlightening:

1) I need to set account policies on the domian, ie.
minium passowrd length, password lenght etc. I know this
can be done on the default domain policy but don't want it
to affect the admin acconut. Is there a way to do this
without having the details affect the administrator
account...? could I move the account into a container and
block inheritance permissions..?

2) I've set by GPO on the default domian policy and domain
controller policy to 'do not display last user logon name'
but this isn't working, the last user name is still
displayed, any ideas..?

3) another question...does auditing set on domain polices
overide auditing policies on local machine...?
When auditing (let's say c:\) if you select the groups you
wanna audit, does that mean the users in the group will be
audited depending on the auditing criteria you set..?

sorry for all the questions, obliged if you could help

Justin
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Justin

To answer your questions:

1. Preventing this policy from applying to the Administrator is generally
not recommended. You want your Administrator account to be as secure as
possible and allowing an Administrator to set a weak password compromises
your entire environment. It's best to decide on a good password policy and
have it apply to everyone:

http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc

For service accounts that need to stay static, you can use the "Password
Never Expires" option.

2. You should only have to apply this in one place ... the Default Domain
Policy or another GPO linked to the Domain. If it's not applying, my
guesses would be:

a. Not configured correctly.
b. Conflicting settings somewhere.
c. Policy is in general not applying (do other settings work?).
d. Policy disabled.
e. Policy blocked.

3. This article discusses object auditing:

310399 HOW TO: Audit User Access of Files, Folders, and Printers in Windows
XP
http://support.microsoft.com/?id=310399

From the Windows Server 2003 Help:

Precedence of policy when more than one policy is applied to a computer

For security settings which are defined by more than one policy, the
following order of precedence, from highest to lowest, is observed:

Organizational Unit Policy
Domain Policy
Site Policy
Local computer Policy

For example, a workstation that is joined to a domain will have its local
security settings overridden by the domain policy wherever there is a
conflict. Likewise, if the same workstation is a member of an Organizational
Unit, the settings applied from the Organizational Unit's policy will
override both the domain and local settings. If the workstation is a member
of more than one Organizational Unit, then the Organizational Unit that
immediately contains the workstation has the highest order of precedence.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.



"Justin" <anonymous@discussions.microsoft.com> wrote in message
news:1c04301c45209$52fd1ec0$a501280a@phx.gbl...
> Hello,
>
> I have two probs which need enlightening:
>
> 1) I need to set account policies on the domian, ie.
> minium passowrd length, password lenght etc. I know this
> can be done on the default domain policy but don't want it
> to affect the admin acconut. Is there a way to do this
> without having the details affect the administrator
> account...? could I move the account into a container and
> block inheritance permissions..?
>
> 2) I've set by GPO on the default domian policy and domain
> controller policy to 'do not display last user logon name'
> but this isn't working, the last user name is still
> displayed, any ideas..?
>
> 3) another question...does auditing set on domain polices
> overide auditing policies on local machine...?
> When auditing (let's say c:\) if you select the groups you
> wanna audit, does that mean the users in the group will be
> audited depending on the auditing criteria you set..?
>
> sorry for all the questions, obliged if you could help
>
> Justin
>