Domain vs Local Security Policy

JClark

If I have a domain policy in effect, is there any way to
allow one of my servers to use their own policy instead of
the Domain policy?

The reason I ask is this. I have a Cisco Call Manager
server that I am trying to upgrade from version 3.3(2) to
3.3(3), but am getting an error that the required password
history setting is not long enough. I am currently not
enforcing password history in the domain, but need to
change it on the local CCM Server in order to complete the
upgrade. I would like to avoid having to enforce the
password history setting for the whole domain in order to
make this one Server compliant if possible.

Can anyone help me out with this?

Thanks,

Jody
 
For domain accounts, password policy can only be configured at the domain
level - no workaround. Local Security Policy settings for account policies
can apply to local machine accounts however. --- Steve
 
This is not true. You can create a separate OU with its
own password policy and block the policy inheritance from
the parent.
 
microsoft.public.win2000.security news group, Rich
This is not true. You can create a separate OU with its
own password policy and block the policy inheritance from
the parent.

No, you're wrong, and Steven is correct. To affect domain accounts, the
_only_ place you can set account policy is at the domain level. Set it
anywhere else and all you're affecting is accounts in the local SAM of
any computers to which the GPO applies.
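
The distinction drawn in the replies above can be checked on a member server by reading both values side by side. This is an added example, not part of the original thread; it assumes a current domain-joined Windows host with PowerShell and an elevated prompt, and the function names are hypothetical.

```powershell
# Added example: run elevated on the domain-joined member server.

function Get-LocalAccountPolicy {
    # Export the machine's current security policy and read the
    # [System Access] section, which holds the local SAM account policy.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed: $LASTEXITCODE" }
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\s*\[(.+)\]\s*$') {
                # Track whether we are inside [System Access].
                $inSection = ($Matches[1] -eq 'System Access')
            } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                $policy[$Matches[1]] = $Matches[2]
            }
        }
        $policy
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Get-DomainPasswordHistory {
    # pwdHistoryLength is stored on the domain head object and is the
    # value enforced for domain accounts.
    $dn = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    $domain = [ADSI]"LDAP://$dn"
    [int]"$($domain.pwdHistoryLength)"
}

$local  = Get-LocalAccountPolicy
$domain = Get-DomainPasswordHistory
[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    LocalSamPasswordHistory = [int]$local['PasswordHistorySize']
    DomainPasswordHistory   = $domain
}
```

If a GPO linked to the server's OU sets a password history, only `LocalSamPasswordHistory` changes; `DomainPasswordHistory` keeps the value set at the domain level.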
 
You guys (Steven and Paul) are correct but I believe the OP
may have been asking a slightly different question so don't take
my response below as being in disagreement with the last few
posts.

A machine CAN AVOID the entire AD policy set through a
registry setting. This is very poorly documented (almost as if
it is hidden) and it will probably take me some time to find again
but it exists -- my web server REFUSES the ISP's settings
because they are weaker than my own.

Now, this probably wouldn't stop the password stuff if logging onto
the domain (that was my thought before the others clearly stated it)
but for logging onto machine specific accounts that remains irrelevant.

If no one else can locate it, I suppose I will have to re-search for that
registry setting....
 