Friday, April 6, 2012

Simply put:

Items further down the tree (closer to the computers and users) will get over written by items at the domain level. (top of tree)
OULevel-GPO wins out over subOULevel-GPO.
Ex. If subOULevel-GPO set the password length to 6 characters and OULevel-GPO sets it to 8 characters, the result will be 8 Characters.

Unless!! You set ENFORCE on subOULevel-GPO. (in 2003 it is no-override, same diff). However, this only applies to items that are SPECIFICALLY SET at the subOULevel-GPO level. So if you set 6 characters at teh subOULevel-GPO and you set 8 Characters and 45 day limit on passwords a the OULevel-GPO level, then you get....wait for it....6 characters and a 45 day limit. TA DA!!!

I'm sure there are more combinations and permutations of this, so ask a question and I'll make a milkshake while you figure it out. :-) Nah, Nah, Nah, I'll figure it out for you.

No comments:

Post a Comment