Channel: Group Policy forum

Fine-Grained Password Policy vs Default Domain Password Policy

I've read a few articles about FGP and shadow groups vs Default Domain Password Policy. We have a Windows 2008 R2 forest and Windows 7 clients.

I think I know and understand how FGP and DDPP work, but I'm still looking for some confirmation, because not all the articles and links I've read state the same.

I want to implement FGP, but have to explain to my manager what the difference is between FGP and the Default Domain Password Policy, and how they work. The main problem is that we don't want Domain admins and service accounts getting password policies applied.

Questions:

1) We use Domain admin and service accounts on DCs and member servers. If I don't want to apply the Default Domain password policy on those accounts, enabling "block inheritance" on the member servers and Domain Controller OU will solve this problem. Correct???

2) Does the Default Domain password policy also apply to the local accounts on the member servers and Windows 7 clients? Some applications like SQL, I think, create some local accounts during installation. Are those accounts also getting the Default Domain password policy???

3) The only way to disable the Default Domain password policy for a user account is to use the "password never expire" option in the user properties?

4) If I link the Domain password policy to only the "Domain Controller OU" this would then only apply to all users in Active Directory, and not the computer objects. Correct???? In that case I can use "block inheritance" on some user OUs like the service accounts OU. Correct???

5) I've read in a forum that Blocked inheritance will not block password and account lockout settings. Is this correct???

Thanx
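
The shadow-group approach mentioned in the post, as an added example that is not part of the original post: a fine-grained policy (PSO) attaches to users or global security groups rather than to OUs, so a group is kept in step with an OU and the PSO is applied to that group. The OU, group and PSO names and all policy values below are hypothetical placeholders; the cmdlets come from the ActiveDirectory module and need a Windows Server 2008 or higher domain functional level.

```powershell
# Added example. OU, group and PSO names and policy values are hypothetical.
Import-Module ActiveDirectory

$ou      = 'OU=Service Accounts,DC=example,DC=com'   # hypothetical OU
$group   = 'SG-PSO-ServiceAccounts'                  # hypothetical shadow group
$psoName = 'PSO-ServiceAccounts'                     # hypothetical PSO name

# One-time setup: a global security group plus a PSO that targets it.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Shadow-group sync: make group membership equal to the users under the OU.
$wanted  = @(Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * |
             Select-Object -ExpandProperty DistinguishedName)
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty DistinguishedName)

$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Verification: report which policy is actually in effect for each account.
# Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies,
# in which case the account falls under the domain password policy.
foreach ($dn in $wanted) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $dn
    $effective = if ($pso) { $pso.Name } else { 'Default Domain Password Policy' }
    New-Object PSObject -Property @{ User = $dn; EffectivePolicy = $effective }
}

# Domain-wide settings, for side-by-side comparison with the PSO.
Get-ADDefaultDomainPasswordPolicy
```

The sync section has to run on a schedule, since moving an account into or out of the OU does not change the group by itself.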

