Account Policies Explained
The policies described here are your primary controls over authentication to Windows computers, Active Directory and any application, such as SQL Server, IIS or Exchange, that relies on integrated Windows authentication. When you are working with Account Policies in a Group Policy Object or in Local Security Policy, it’s very important to understand the context (i.e. which user accounts are actually affected by the Account Policies). Remember that in the Windows environment you have both local SAM accounts and Active Directory domain accounts.
For any given domain, Active Directory enforces just one set of Account Policies on all user accounts in that domain. Active Directory determines the global Account Policies by examining just the GPOs linked to the root of the domain in Active Directory Users and Computers. Account Policies configured in other GPOs have no effect on domain user accounts.
A common mistake administrators make is to configure different Account Policies for each Organizational Unit in hopes of enforcing custom requirements for different sets of users within the same domain. However, Account Policies configured in GPOs linked to OUs have no effect on user accounts within those OUs.
Account Policies configured at the OU level only impact the local account policy for computers within that OU; a computer’s local account policy only affects that computer’s local SAM accounts (i.e. those created in Computer Management\Local Users and Groups).
To determine the Account Policies for a given domain, either manually inspect each GPO linked to the root of the domain in Active Directory Users and Computers, applying group policy’s rules of precedence, or log on to any domain controller within the desired domain and run gpedit.msc. When prompted, select the local computer’s policy object. The Account Policies you find here are the policies Active Directory has in effect for all domain accounts within that domain, having applied all the GPOs linked to the domain root. Note: don’t confuse “root of domain” with “tree root domain” or “forest root domain”.
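One way to run this check from PowerShell, as an added example that is not part of the original article: it shows the policy the domain enforces and then lists every GPO, at the domain root or on an OU, that defines Account Policies, marking which kind of account each can affect. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the helper name `Get-GpoAccountPolicySetting` and the XML element names it reads from the GPO report are assumptions of this example.

```powershell
# Added example. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# The policy Active Directory currently enforces on all accounts in the domain.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration

# Hypothetical helper: list the Account Policies settings defined in one GPO.
function Get-GpoAccountPolicySetting {
    param([Parameter(Mandatory)][guid]$GpoId)
    [xml]$report = Get-GPOReport -Guid $GpoId -ReportType Xml
    # Assumption: the report lists each setting as an <Account> element with
    # Name, Type and SettingNumber/SettingBoolean children. local-name() is
    # used because the namespace prefix (q1, q2, ...) differs between reports.
    foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
        $value = $node.SelectSingleNode(
            "*[local-name()='SettingNumber' or local-name()='SettingBoolean']")
        [pscustomobject]@{
            Type  = $node.SelectSingleNode("*[local-name()='Type']").InnerText
            Name  = $node.SelectSingleNode("*[local-name()='Name']").InnerText
            Value = if ($value) { $value.InnerText } else { $null }
        }
    }
}

# Walk the domain root and every OU, reporting each linked GPO that carries
# Account Policies and which kind of account it can affect.
$targets = @($domainDN) + @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
$findings = foreach ($target in $targets) {
    foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
        foreach ($setting in Get-GpoAccountPolicySetting -GpoId $link.GpoId) {
            [pscustomobject]@{
                LinkedTo    = $target
                Gpo         = $link.DisplayName
                LinkEnabled = $link.Enabled
                LinkOrder   = $link.Order
                Setting     = '{0}: {1} = {2}' -f $setting.Type, $setting.Name, $setting.Value
                Affects     = if ($target -eq $domainDN) { 'Domain accounts' } else { 'Local SAM accounts only' }
            }
        }
    }
}
$findings | Sort-Object LinkedTo, LinkOrder | Format-Table -AutoSize -Wrap
```

Any row whose Affects column reads "Local SAM accounts only" is an Account Policies setting that will not change the password or lockout rules of domain users in that OU.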
New Fine Grained Password Policy in Windows Server 2008 Active Directory
See article Fine Grained Password Policy.