Secuirty Settings in GPO

[sorinn]

What is the difference between linking a GPO with security settings for user accounts customized ( minimum pwd age, enforce pwd history ) to the Domain level, to Domain Controllers, to a particular OU?

[jpatto]

Domain controller would mean any policy would also be applied to the domain controller (i.e. if you had a disclaimer this would also show when accessing the domain controller account) whereas if it was applied to an OU it would only effect those accounts within the OU and not the domain controller.

[sorinn]

I meant Password Policy, which at the OU level affects only local users for the machines in the OU.

What happens when assigning a GPO with a new password policy to DC container? Does this affect only the users who log on on the DC?

[allen2]

Assigning password policy to the DCs should affect all AD users.

[nmX.Memnoch]

Password policies are machine level. If you enforce a password policy on the domain controller(s), it will affect all domain accounts since they reside on the domain controller(s). So regardless of where the domain user physically logs in (workstation or DC) they will be forced to use the password policies set on the domain controller(s).

Although I'm not sure why you would do this, you can enforce a different password policy on workstations than from the domain controllers. These policies would only apply to local workstation accounts though.