Joined: 20 Mar 2008 Posts: 17 Location: Irvine, CA
Post subject: Create a new domain just to apply a GPO... HUH? (294) Posted: Sun May 11, 2008 8:47 pm
Help others: Review your books and training products here
I'm taking 294 tomorrow and I'm studying right now using Transcenders. Several times I have seen questions asking to apply a GPO to a subset of users or computers. Transcenders says that the correct answer is to create a new domain and apply the GPO there.
WTF?
In my life I have never heard of creating a domain for the sole purpose of managing a particular policy. Please help me understand what I'm missing here....
_________________
'02 = A+, Network+, 210, 215
'02-'07 = Procrastinate
3/1/08 = 218 MCSA2k
3/30/08 = 292 MCSA2k3
4/28/08 = 293
5/12/08 = 294
= 297 MCSE2k3
Joined: 31 Mar 2008 Posts: 134 Location: New Zealand
Post subject: Posted: Sun May 11, 2008 9:12 pm
Is this in relation to password policies? Off the top of my head you can only have one password policy per domain - one of the MS definitions of a domain is that it is a 'security boundary', so if you wanted a different set of expiry rules for particular groups / OUs, well, they would have to be in a different domain.
I butt heads with this about once a year with clients that, say, have factory PCs that they only want to change passwords on, say, yearly, while office staff every 90 days. Then I put on my Nancy Reagan hat and 'just say no'.
Or better yet, if it is a SOX site I can hide behind that.
And yes, Sarbanes-Oxley even stretches its arms all the way down to New Zealand.
_________________
MCSA W2K W2K3. MBA( Master of Beer Appreciation )
Joined: 20 Mar 2008 Posts: 17 Location: Irvine, CA
Post subject: Posted: Sun May 11, 2008 9:57 pm
Here's the Cliff Notes version:
The company's written policy says that admins have to have strong passwords. No other users are required to have strong passwords. You have configured a GPO with the appropriate password policy; you must enforce it without imposing unnecessary restrictions on other users.
Their answer (verbatim):
- Place all admin user accounts into a separate domain in the existing forest and link the GPO to that domain.
There is no mention of any other password policy. Why then wouldn't you just put all the admin accounts into an OU and apply the password policy to that OU?
Joined: 20 Mar 2008 Posts: 17 Location: Irvine, CA
Post subject: Posted: Sun May 11, 2008 10:07 pm
I've been reading articles online and I guess the short answer is "cuz Microsoft said so", eh?
So basically you have the default domain policy.... and anything other than that policy has to go into a different domain. It just doesn't sound right.
Joined: 02 Aug 2007 Posts: 525 Location: Australia
Post subject: Posted: Mon May 12, 2008 4:59 am
The rationale is as follows.
It's not so much that you can't create a password policy anywhere in the domain, it's just that there's a caveat. It's a computer policy, not a user policy. And by that, it refers to the computer that actually stores the password being changed.
So you could apply a different policy to a group of users and you all know nothing happens because computer policies do not apply to users.
You could apply it to an OU full of workstations, but then it would take effect on LOCAL accounts created on those workstations. But a domain user doesn't change his password on the PC, he changes it on the domain controller.
Important note here is that it DOES affect accounts on those local PCs, which is sometimes still useful.
The server with the FSMO role PDC Emulator manages password changes to ensure there are no conflicts, so ultimately whatever policy is applied to this machine is the policy that will take effect.
As stated, Windows 2008 does get around this; I haven't looked into how.
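The Windows Server 2008 feature the last post alludes to is fine-grained password policy: a Password Settings Object (PSO) that binds to users or global security groups inside one domain, so the admin accounts no longer need their own domain. The following is an added example, not from the thread, that reads the domain-wide policy the DCs enforce and then attaches a stricter PSO to an admin group; the PSO name, its values and the "ordinary.user" account are assumptions.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module
# (RSAT / Windows Server 2008 R2+) and a domain functional level of 2008 or higher.
Import-Module ActiveDirectory

# 1. The single per-domain policy from the Default Domain Policy as applied to the
#    domain controllers; this is what governs domain user password changes.
Get-ADDefaultDomainPasswordPolicy

# 2. Create a stricter Password Settings Object for administrators. If a user falls
#    under several PSOs, the lowest Precedence wins. (Name and values are assumed.)
New-ADFineGrainedPasswordPolicy -Name "AdminStrictPSO" -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# 3. A PSO is applied to users or global security groups, never to an OU or a
#    computer, which is exactly the limitation the thread runs into with GPO links.
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminStrictPSO" -Subjects "Domain Admins"

# 4. Verify: an admin now resolves to the PSO, while an ordinary user returns nothing
#    (meaning the domain default still applies to that account).
Get-ADUserResultantPasswordPolicy -Identity "Administrator"
Get-ADUserResultantPasswordPolicy -Identity "ordinary.user"   # hypothetical account
```

On a domain still at the 2003 functional level the PSO cmdlets fail, and the separate-domain answer in the exam question remains the only supported way to get a second password policy.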