My understanding of settings such as min password length has always been that you set them at the domain level, and that settings made at other levels would either not be applied at all, or would be overridden by the domain level security setting. This allows you to set security at the domain level, where it belongs. But I have recently found what seems to me to be an anomaly.
A co-worker showed me a way to circumvent this process on the DC in his own domain. His domain level GPO does not have any setting for password min length. On the DC, he goes to Run, types MMC, chooses Add/Remove Snap-in, adds Group Policy Object Editor, and makes sure that "local computer" is the object selected. After this, the MMC shows the Local Computer Policy.
In the Local Computer Policy, he goes to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy, and he sets the min password length to 5 characters.
By setting this in the Local Computer Policy on a DC, the policy is enforced on a user when trying to change the password. The domain-level GPO has no setting.
When I test this on my own DCs, Security Settings (and most of the folders under it) have a lock on the folder, and I cannot set them under Local Computer Policy: I have to set them under the domain-level GPO. This is what I expect: DCs do not have their "own" local security policy.
What is happening on my co-worker's domain/DCs that allows this behavior? The question arose because one of his students (we teach at a local college) also was able to set these security settings in a DC's local policy in the lab, and it looks wrong to us.
Any ideas on why this is happening, and why my domain is different?
Thanks,
Jason