A policy to override the default domain policy?

  • Thread starter: Grant

Grant

Our default domain policy locks an account out after 5 incorrect attempts. I
have a web server with local usernames that frequently get locked out (I
don't know why users can't just copy and paste the passwords I send them...)

Is it possible to create another domain policy that only applies to a single
machine - and which overrides the default domain policy? (If so, how would I
achieve that?)

Thanks,
Grant
 
Nope, you would need to remove the machine from the domain and use local
accounts. All domain accounts will use the domain password policy
uniformly.

N
 
Nick Finco said:
Nope, you would need to remove the machine from the domain and use local
accounts. All domain accounts will use the domain password policy
uniformly.

If he's talking about IIS, wouldn't it be possible to login using
machine\username instead of the domain username?
 
Yes, if he has an overriding GPO set at the OU level for the server that
blocks the password policy he has set for his domain. This would only work
for local accounts though and might also override other domain level
settings he desires.

N

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm
 
Ah ok so I can create an OU and place that machine in there with its own
policy that overrides the global policy. Can I copy the global policy to the
new OU and simply change the settings I don't want? That way I keep all the
original settings and change the ones I don't need.


 
If you're copying GPOs, you should look into using GPMC. I think it works
against Win2k domains from XP workstations or 2k3 servers.

N



Andrew Mitchell said:
"Nick Finco [MSFT]" said:

Nope, you would need to remove the machine from the domain and use local
accounts. All domain accounts will use the domain password policy
uniformly.

If he's talking about IIS, wouldn't it be possible to login using
machine\username instead of the domain username?
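
The procedure discussed in this thread (a separate OU for the web server, a copy of the domain GPO linked to it, then a check of the lockout policy the server's local accounts actually receive), as an added example that is not part of the original posts. It assumes the ActiveDirectory and GroupPolicy PowerShell modules from RSAT (Windows Server 2008 R2 or later); the OU, GPO and computer names are hypothetical placeholders.

```powershell
# Added example. $ouName, $gpoName and $serverName are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName
$ouName     = 'WebServers-LocalAccounts'
$gpoName    = 'WebServer Local Account Policy'
$serverName = 'WEB01'

# 1. Record the domain-wide lockout settings. Domain accounts keep these
#    values no matter what is linked at the OU level.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Create the OU and move only the web server's computer object into it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
$ouDn = "OU=$ouName,$domainDn"
Get-ADComputer -Identity $serverName | Move-ADObject -TargetPath $ouDn

# 3. Copy the domain GPO so its other settings carry over, then link the
#    copy to the new OU.
Copy-GPO -SourceName 'Default Domain Policy' -TargetName $gpoName
New-GPLink -Name $gpoName -Target $ouDn

# 4. Change the lockout threshold in the copied GPO with the GPMC editor
#    (Computer Configuration > Windows Settings > Security Settings >
#    Account Policies > Account Lockout Policy), then export a report so the
#    difference from the domain policy can be reviewed.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"

# 5. Run the following on the web server itself: refresh computer policy,
#    show the lockout settings now applied to the local SAM accounts, and
#    list the GPOs that were applied to the computer.
gpupdate /target:computer /force
net accounts
gpresult /r /scope computer
```

The `net accounts` output on the server should show the new lockout threshold for local accounts, while `Get-ADDefaultDomainPasswordPolicy` still reports the unchanged domain value.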
 