Newsgroup: microsoft.public.cert.exams.mcse, March 2004
GPO Processing (Block Inheritance and No Override)
Bhargav Shukla  2004-03-27, 11:23 am
I would like to know what happens to the password policy defined in Default
Domain Policy when a given OU in AD is set to "Block Policy Inheritance" and
Default Domain Policy is NOT set to "No Override".
It is confusing to know that a password policy applied in Default Domain
Policy applies to the entire domain and that to have separate password policies you
must set up another child domain (as you can't override DDP password
policies).
Can someone please share their wisdom and clear many doubts around this?
--
Thanks,
Bhargav Shukla
MCSE Windows 2000, MCSA Messaging, CCEA, RSA SecureID CSE
| "Bhargav Shukla" <contanoctme_sp@ambhargavs.com> wrote in
news:#z6iPJBFEHA.2640@TK2MSFTNGP09.phx.gbl:
Password policies are applied at the domain level. Although the branch for
this policy exists in all of the OUs and at the site level, domain
password policies are set at the domain level only. If you set the policy
at the OU level it will only affect the local SAM (computer logon) of
computer accounts in those OUs. The domain is and will remain (for a
while at least) the security boundary of Windows. Therefore, passwords
that are used for domain authentication will be controlled at the domain
level.
HTH
--
Neil
"you'd do what, to who, for how many biscuits?"
Bhargav Shukla  2004-03-27, 2:23 pm
Thanks Neil.
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94B974137FB46neilmcsehotmailcom@207.46.248.16...
Roger Abell  2004-03-29, 3:23 am
The forest is and will remain for the foreseeable future
the only security boundary of Windows.
The domain construct is an administrative boundary.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94B974137FB46neilmcsehotmailcom@207.46.248.16...
Roger Abell  2004-03-29, 3:23 am
In addition to Neil's good comments, it may help you to
think in terms of account databases. There is only one
for the domain. A policy that controls what can be stored
in it (characteristics of passwords, for example) can only
affect all domain accounts.
Per your example, it will not be overwritten, nor blocked,
by a GPO that is not linked to the domain object.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Bhargav Shukla" <contanoctme_sp@ambhargavs.com> wrote in message
news:%23z6iPJBFEHA.2640@TK2MSFTNGP09.phx.gbl...
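Neil's and Roger's answer can be checked rather than taken on faith. The PowerShell below is an added example, not code from the thread. It prints the password policy the domain actually enforces, lists every GPO that carries Account Policy settings together with each place it is linked (only a link at the domain root reaches domain accounts; a link at an OU only rewrites the local SAM of the computers in it), flags OUs with Block Inheritance, and ends with the later answer to Bhargav's child-domain worry, fine-grained password policies (Windows Server 2008 domain functional level and up). The one place Block Inheritance does matter for the account policy is the Domain Controllers OU, because the DCs are what apply the domain-linked account policy, so the script warns on that. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined host with read access; no names are hard-coded.

```powershell
# Added audit, not from the thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules on a domain-joined host with read access to the
# domain and its GPOs. Everything else is read from the environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot

function Get-ChildText([System.Xml.XmlNode]$Node, [string]$Name) {
    # Namespace-agnostic lookup of one child element's text in a GPO report.
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($child) { $child.InnerText } else { $null }
}

# 1. The only password policy domain accounts are checked against: the one
#    the DCs wrote to the domain NC from GPOs linked at the domain root.
"Effective domain password policy for $dnsRoot"
Get-ADDefaultDomainPasswordPolicy -Server $dnsRoot |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration

# 2. Every GPO that carries Account Policy settings, and each place it is
#    linked. A link at the domain root shapes domain accounts; a link at an
#    OU (or site) only rewrites the local SAM of computers in that scope.
"`nGPOs containing Account Policy settings:"
foreach ($gpo in Get-GPO -All -Domain $dnsRoot) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $dnsRoot
    $accounts = $report.SelectNodes("//*[local-name()='Account']")
    if ($accounts.Count -eq 0) { continue }

    $names = ($accounts | ForEach-Object { Get-ChildText $_ 'Name' }) -join ', '
    $links = $report.SelectNodes("//*[local-name()='LinksTo']")
    if ($links.Count -eq 0) {
        "  {0}: [{1}] -> not linked anywhere, affects nothing" -f $gpo.DisplayName, $names
        continue
    }
    foreach ($link in $links) {
        $somPath  = Get-ChildText $link 'SOMPath'
        $enforced = (Get-ChildText $link 'NoOverride') -eq 'true'
        $scope    = if ($somPath -eq $dnsRoot) { 'DOMAIN accounts' } else { 'local SAM of computers only' }
        $tag      = if ($enforced) { ' (Enforced / No Override)' } else { '' }
        "  {0}: [{1}] linked at {2} -> {3}{4}" -f $gpo.DisplayName, $names, $somPath, $scope, $tag
    }
}

# 3. Block Inheritance on an OU cannot reach the domain-level policy that
#    governs accounts, with one exception: the DCs themselves apply the
#    domain-linked account policy, so blocking inheritance on the Domain
#    Controllers OU stops it from taking effect.
$dcOu = 'OU=Domain Controllers,' + $domain.DistinguishedName
if ((Get-GPInheritance -Target $dcOu -Domain $dnsRoot).GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $dcOu; the domain account policy will not be applied."
}
"`nOUs with Block Inheritance (affects computer-side settings only):"
Get-ADOrganizationalUnit -Filter * -Server $dnsRoot |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName -Domain $dnsRoot } |
    Where-Object { $_.GpoInheritanceBlocked } |
    Select-Object -ExpandProperty Path

# 4. From the Windows Server 2008 domain functional level on, per-group
#    password settings come from fine-grained password policy objects,
#    not from child domains.
"`nFine-grained password policies (empty below the 2008 DFL):"
Get-ADFineGrainedPasswordPolicy -Filter * -Server $dnsRoot -ErrorAction SilentlyContinue |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```

Run it from an elevated RSAT session; a GPO that sets a minimum password length but shows up only with an OU link is the exact case Bhargav asked about, and the output spells out that it changes nothing for domain accounts.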
"Roger Abell" <mvpNOSpam@asu.edu> wrote in news:uq2hm0VFEHA.3980@TK2MSFTNGP12.phx.gbl:
> The forest is and will remain for the foreseeable future
> the only security boundary of Windows.
> The domain construct is an administrative boundary.
>

Slightly different view, and to some degree I will agree. However, 2k3
cross-forest trusts do put a chink in your armour.
--
Neil
"you'd do what, to who, for how many biscuits?"
Roger Abell  2004-03-29, 10:23 am
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BB4BC72893neilmcsehotmailcom@207.46.248.16...
> Slightly different view, and to some degree I will agree. However, 2k3
> cross-forest trusts do put a chink in your armour.
>
True Neil, although at least with the x-forest trust you do get
to gate which principals are granted resource access, to some extent.
--
Roger
"Roger Abell" <mvpNOSpam@asu.edu> wrote in news:uKMIJ0ZFEHA.1064@TK2MSFTNGP12.phx.gbl:
> True Neil, although at least with the x-forest trust you do get
> to gate which principals are granted resource access, to some extent.
by default? I know you can, but will people?
(everyone/full control rides again)

--
Neil
"you'd do what, to who, for how many biscuits?"
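The gate Roger alludes to is selective authentication on a forest trust, and the answer to Neil's "by default?" is no: a trust is created with forest-wide authentication unless the admin chooses otherwise, so every user the trusted forest vouches for is an Authenticated User on every machine in the trusting forest. The PowerShell below is an added example, not code from the thread. It reports how each trust is gated, notes the netdom switch that turns selective authentication on, and grants the "Allowed to Authenticate" extended right for one foreign group on one server's computer object, which is what a foreign principal then needs before it can reach that server. It assumes the RSAT ActiveDirectory module and rights to edit the computer object's ACL; 'FILESRV01', 'contoso.com', 'fabrikam.com' and 'FABRIKAM\HR Analysts' are placeholder names.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and rights to edit the ACL on a computer object in the trusting domain.
# 'FILESRV01', 'contoso.com', 'fabrikam.com' and 'FABRIKAM\HR Analysts'
# are placeholder names.
Import-Module ActiveDirectory

# 1. How each trust is gated today. SelectiveAuthentication = False means
#    forest-wide authentication: any user the trusted forest vouches for
#    becomes an "Authenticated User" on every machine in this forest.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware |
    Format-Table -AutoSize

# 2. Turning the gate on is a per-trust switch (netdom.exe, part of RSAT):
#      netdom trust contoso.com /domain:fabrikam.com /SelectiveAuth:yes
#    After that, a foreign principal reaches a resource server only if it
#    holds "Allowed to Authenticate" on that server's computer object.

# 3. Grant that right for one group on one server. The GUID is the fixed
#    rightsGuid of the Allowed-To-Authenticate extended right in the schema.
function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ForeignDomain,
        [Parameter(Mandatory)][string]$ForeignGroup
    )
    $allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $computer = Get-ADComputer -Identity $ComputerName
    $account  = New-Object System.Security.Principal.NTAccount($ForeignDomain, $ForeignGroup)
    $sid      = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # One explicit Allow ACE for the extended right, scoped to this object.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)

    $path = 'AD:\' + $computer.DistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    "Granted Allowed to Authenticate on $($computer.DistinguishedName) to $ForeignDomain\$ForeignGroup"
}

Grant-AllowedToAuthenticate -ComputerName 'FILESRV01' -ForeignDomain 'FABRIKAM' -ForeignGroup 'HR Analysts'
```

Selective authentication only decides who may authenticate to the server at all; share and NTFS permissions on the server still decide what they can touch once there, which is where Neil's "Everyone / Full Control" point comes back in.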
Bhargav Shukla  2004-03-29, 5:23 pm
Don't we just love everyone/full control from a security perspective?
Ding Ding Microsoft.
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BB657ABDD5Bneilmcsehotmailcom@207.46.248.16...
"Bhargav Shukla" <contanoctme_sp@ambhargavs.com> wrote in news:O6i#sJdFEHA.3252@TK2MSFTNGP11.phx.gbl:
> Don't we just love everyone/full control from security perspective?
Built by design by MS, I'm sure of it. Joe Idiot can walk into the local Mom
and Pop CPU shop and set up a Windows 2000 server out of the box and start
sharing the files right away. Easy as pie. No security, but really easy to
set up. Bill G is a genius...
--
Neil
"you'd do what, to who, for how many biscuits?"
Bhargav Shukla  2004-03-29, 5:24 pm
And still, in certification it's stressed everywhere, "assuming the
permissions are given on the resources".
Hmmmm.... I wonder how many admins really secure each server and remove
everyone full control from everywhere (at least most critical areas)?
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BBA5CAA53CFneilmcsehotmailcom@207.46.248.16...
If they have a clue, they do.
--
Sue MCNGP #69
"Bhargav Shukla" <contanoctme_sp@ambhargavs.com> wrote in message
news:%23NdaladFEHA.3576@tk2msftngp13.phx.gbl...
"Brat" <likeIwouldtellyou@inyourdreams.com> wrote in news:Jr1ac.3984$Np3.149647@ursa-nb00s0.nbnet.nb.ca:
> if they have a clue they do
>
What is this clue you speak of? (Thank heavens I have a good PIX firewall
<snicker>.)
I have walked into so many places that think "but who would hack us". Some
people...
--
Neil
"you'd do what, to who, for how many biscuits?"
Roger Abell  2004-03-30, 2:23 am
"Bhargav Shukla" <contanoctme_sp@ambhargavs.com> wrote in message
news:O6i%23sJdFEHA.3252@TK2MSFTNGP11.phx.gbl...
> Don't we just love everyone/full control from security perspective?
>
> Ding Ding Microsoft.
>
Hey, they have at least now learned to talk about the
principle of least privilege :-)
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Roger Abell  2004-03-30, 2:23 am
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BBA5CAA53CFneilmcsehotmailcom@207.46.248.16...
In all fairness, XP and W2k3 did change the default
share level permissions.
--
Roger
Roger Abell  2004-03-30, 2:23 am
And that clue, would that be the existence of Authenticated Users?
Which, by the way, is now almost no different from Everyone if
anonymous logon is left in its (post-W2k) default restrictions.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brat" <likeIwouldtellyou@inyourdreams.com> wrote in message
news:Jr1ac.3984$Np3.149647@ursa-nb00s0.nbnet.nb.ca...
Well, you CAN purchase a clue license, but it takes an act of parliament... All
the politicians keep the clues but never use them... Last I heard they were
in a vault somewhere in an underground facility in West Virginia under
guard... but the guards don't use the clues either, so how hard could it be to
break in if you even have half a clue? But once inside, yes, everyone has
permission, so you can go in with anonymous access and take as many clues as
you want and there is nothing they can do about it. Once you get home you
can sell the clues cheaper as they are pirated copies and essentially
illegal... but since you got them through anonymous access, they do not have
your username or password to log your activities... the perfect crime?????
lol ok so I'm warped today
--
Sue MCNGP #69
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:OOT344hFEHA.1228@TK2MSFTNGP11.phx.gbl...
"Brat" <likeIwouldtellyou@inyourdreams.com> wrote in news:Ahdac.4628$Np3.167902@ursa-nb00s0.nbnet.nb.ca:
> lol ok so I'm warped today
This would be different from other days how?

--
Neil
"you'd do what, to who, for how many biscuits?"
"Roger Abell" <mvpNOSpam@asu.edu> wrote in news:uXtnJ2hFEHA.684@tk2msftngp13.phx.gbl:
> In all fairness, XP and W2k3 did change the default
> share level permissions.
>
But not the NTFS, and if you are doing an in-place upgrade, what you had
is what you get...
--
Neil
"you'd do what, to who, for how many biscuits?"
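Roger's and Neil's exchange gives a three-part check: share ACLs (whose defaults XP and 2003 tightened), NTFS ACLs (which those defaults left alone and an in-place upgrade carries forward), and the anonymous-logon settings that decide whether Everyone still differs from Authenticated Users on a given host. The PowerShell below is an added example, not code from the thread. It reports Everyone:Full Control on non-administrative shares and on folders under a data root, prints the three LSA values that govern anonymous access, and defines a remediation that swaps an explicit Everyone:Full Control for Authenticated Users:Modify plus a named admin group. It assumes Windows 8 / Server 2012 or later for the SmbShare module and local admin rights; the data root 'D:\Shares' is a placeholder.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or
# later (SmbShare module) and local admin rights. 'D:\Shares' is a
# placeholder for wherever the file shares actually live.
$dataRoot = 'D:\Shares'

# 1. Share-level ACLs. XP/2003 stopped granting Everyone Full Control by
#    default, but shares made on older builds or by hand may still carry it.
"Shares granting Everyone Full Control:"
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessRight -eq 'Full' -and
        $_.AccessControlType -eq 'Allow'
    }
} | Select-Object Name, AccountName, AccessRight | Format-Table -AutoSize

# 2. NTFS ACLs, which the share-default change never touched and which an
#    in-place upgrade preserves as they were.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
function Find-EveryoneFullControl([string]$Root) {
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq 'Everyone' -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
      }
}
"`nFolders granting Everyone Full Control under $dataRoot :"
Find-EveryoneFullControl -Root $dataRoot | Format-Table -AutoSize

# 3. Anonymous logon. With EveryoneIncludesAnonymous = 0 (the post-2003
#    default) an anonymous session is not a member of Everyone, which is why
#    Everyone and Authenticated Users then differ mainly in name. Setting it
#    to 1 hands every Everyone grant to anonymous connections.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"`nAnonymous access settings:"
[pscustomobject]@{
    EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous   # default 0
    RestrictAnonymous         = $lsa.RestrictAnonymous           # default 0 (1 = no share/user enumeration)
    RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM        # default 1
} | Format-List

# 4. Remediation for one folder: drop explicit Everyone ACEs and grant
#    Authenticated Users Modify plus a named admin group Full Control,
#    inheriting to subfolders and files. Inherited Everyone ACEs are left
#    for their parent to fix.
function Repair-EveryoneFullControl {
    param([string]$Path, [string]$AdminGroup = 'BUILTIN\Administrators')
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users', 'Modify', $inherit, $prop, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AdminGroup, 'FullControl', $inherit, $prop, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}
# Example call, commented out so the audit above stays read-only:
# Repair-EveryoneFullControl -Path 'D:\Shares\HR' -AdminGroup 'CONTOSO\FileAdmins'
```

Authenticated Users:Modify is still a broad grant; it is the floor that removes anonymous and guest reach, and the real access decision belongs to a group per share. Run the audit before and after an in-place upgrade, since the upgrade changes neither the NTFS ACLs nor the LSA values it finds.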
Bhargav Shukla  2004-03-30, 10:23 am
God, we have put this place on fire by starting the everyone full control
discussion. LOL.
Which server permissions are you going to secure today?
--
Thanks,
Bhargav Shukla
MCSE Windows 2000, MCSA Messaging, CCEA, RSA SecureID CSE
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BB657ABDD5Bneilmcsehotmailcom@207.46.248.16...
more verbally evident
--
Sue MCNGP #69
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BC4E443A54Eneilmcsehotmailcom@207.46.248.16...
"Brat" <likeIwouldtellyou@inyourdreams.com> wrote in news:cigac.4732$Np3.173918@ursa-nb00s0.nbnet.nb.ca:
>
> more verbally evident
Isn't that the same as saying "because I said so"? I think I will try this
line on my kids tonight (lord knows they will have done something....)
as for being warped, we love you no matter how fast you go...
<star trek theme plays in background>
--
Neil "to boldly go"
"you'd do what, to who, for how many phasers?"
lol I just thought it was a funny train of thought... :P
--
Sue MCNGP #69
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BC80AE5BB14neilmcsehotmailcom@207.46.248.16...
"Brat" <likeIwouldtellyou@inyourdreams.com> wrote in news:npiac.4948$Np3.178012@ursa-nb00s0.nbnet.nb.ca:
> lol I just thought it was a funny train of thought... :P
My train of thought was derailed at the station.
--
Neil "I'd be an Engineer but I have no train so I'm an MCSE"
"you'd do what, to who, for how many biscuits?"
Brat opined, on 3/30/04 3:58 AM:
> lol ok so I'm warped today
We have no way of knowing whether the number of bogons in the
*universe* is increasing - we only know that this number is increasing
locally. One possibility is that the number of bogons (and the number
of cluons) is constant (the "Conservation of Stupidity Hypothesis") and
that an alien race somewhere is advancing in cluefulness, sucking up
all the cluons and sending their surplus bogons in our direction.
--
Malcolm Ray Disk Necromancer and Keeper of the Goat Blood -in ASR
Hmmmm....
JaR
Scientific Thug
Roger Abell  2004-03-31, 3:23 am
"Neil" <neilmcse@nospamforyou.com> wrote in message
news:Xns94BC4E74338A1neilmcsehotmailcom@207.46.248.16...
> But not the NTFS, and if you are doing an in-place upgrade, what you had
> is what you get...
>
I am going to sound more of an MS defender here than I intend,
but I think somewhere the manual post-upgrade application of
the secsetup.inf is documented, with appropriate precautions of
how it can break things that are dependent on the heritage config
values (which BTW is why this is left as a manual evaluate and
apply per machine step).
--
Roger