Password Policy

Pat

In a W2K domain, I have an XP client. If I set my password policy at
the domain GPO and my local GPO, what policy gets picked up if I log
on with a local user at the XP client?
 
Ken B

The domain policy applies to the domain user accounts. If you create a
password policy on an OU, the local computer's user accounts will be
affected by the OU policy.

Ken
 
Ken B

... As a follow-up to what I just posted, if you have a domain, you
shouldn't be using local accounts--that defeats the purpose of the domain.

Ken
 
Pat

Can you tell me if I log in to the local domain with a local user,
what password policy would apply?
 
Ken B

I don't think it's possible to log into a domain with an account that's
'homed' on a local computer. You would need to log into the domain using a
domain user account.

Ken
 
Pat

If I create a local user on the local domain on the local PC and log on
to that after logging on with a user from my company domain, what
password policy would apply, the local or the company?

Thanks
 
Steven L Umbach

Hi Pat.

It depends what is the "effective" policy on the computer which will apply
to local user accounts. You can open Local Security Policy to see what it
reports noting that for Windows 2000 you need to look at the "effective"
settings. I think if you run the "net accounts" command on the computer it
will also display the account settings. --- Steve
 
Steven L Umbach

Yes they do unless you have moved any domain computers into another
Organizational Unit with a Group Policy defined in that OU for
password/account policy in which case the password/account policy for
computers in that OU could apply to local user accounts on those
computers. --- Steve
 
Pat

Ok so if I,
log on to my company domain with a company domain user, my company
domain password policy applies.

If I then log off and log on with a local user on the local domain, does
the company domain password policy still apply? If so, how? Is it
cached on the local machine?
 
Steven L Umbach

There is no local user on the local domain but I suspect you mean local user
on a domain computer such as the built-in administrator account for that
computer. Unless you have specified a different password policy for an
Organizational Unit which that domain computer resides in then the domain
password policy will apply to the local user. If it is in an OU with a
different password policy, then that password policy will apply to the local
user. The policy is not cached, it simply overrides the domain level policy
in that case for the local user logon. Normally Group/security policy is
applied in this order where the LAST defined setting applies if the setting
is defined in multiple policies. Local>site>domain>OU>child OU. --- Steve
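
The processing order described in the post above, worked through as a small Python model (an added example, not part of the original thread). Layer names follow the post; the setting names and values are constructed for illustration, and the model covers only the "last defined setting wins" rule for local accounts on a domain computer.

```python
# Added illustration: models "last defined setting wins" for the computer-side
# password policy that governs LOCAL accounts on a domain member computer.
# Layer names follow the order given in the post; all values are constructed.
ORDER = ["Local", "site", "domain", "OU", "child OU"]


def effective_policy(layers):
    """layers: {layer_name: {setting: value}}. A layer that is not linked to
    the computer, or a setting left undefined in a layer, is simply absent.
    Returns {setting: (value, winning_layer)}."""
    unknown = set(layers) - set(ORDER)
    if unknown:
        raise ValueError(f"unknown policy layer(s): {sorted(unknown)}")
    result = {}
    for name in ORDER:  # apply in processing order
        for setting, value in layers.get(name, {}).items():
            result[setting] = (value, name)  # later layer overrides earlier
    return result


def report(layers):
    """Human-readable lines showing each effective value and its source."""
    eff = effective_policy(layers)
    return [f"{k} = {v} (from {src})" for k, (v, src) in sorted(eff.items())]


# Constructed scenario 1: computer sits directly under the domain, no OU policy.
NO_OU = {
    "Local": {"MinimumPasswordLength": 0, "MaximumPasswordAge": 42},
    "domain": {"MinimumPasswordLength": 8, "MaximumPasswordAge": 90,
               "PasswordHistorySize": 12},
}
# Constructed scenario 2: same computer moved into an OU whose policy defines
# only a minimum length; the other settings still come from the domain policy.
WITH_OU = dict(NO_OU, OU={"MinimumPasswordLength": 14})

if __name__ == "__main__":
    for title, layers in (("no OU policy", NO_OU), ("OU policy", WITH_OU)):
        print(title)
        for line in report(layers):
            print("  " + line)
```

On a real machine, compare the model's answer with what Local Security Policy or `net accounts` reports, as suggested earlier in the thread.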
 
Steven L Umbach

Password policy is part of security policy which is computer
configuration. --- Steve
 
