FGPP Vs Domain Policy

Similar Messages

• How do I move the policy from Default domain policy to a custom policy.

  I want to implement a new password policy.  In the past we had a fairly loose policy, now I want to implement minimum length and complexity.  I know how to set this up in Computer Config Policies windows settings security settings and account policies
  password policy. However after I set it up I notice that it is not being applied.  I have run gpupdate, and even waited several days but still it's not taking effect.  I have created what im calling a custom gpo calling it "password policy". 
  It is situated under domains/mydomain.com .  There are a number of other policies here.
  When I run gpresult /h c:\temp\gpreport.html  its all a bit confusing. It looks like it being applied but then further down it says under Group policies Applied GPOs Denied GPOs Pssword Policy mydomain.com empty. ??
  But let me ask this first off .
  The previous administrator I think has the password policy set up in the "default domain policy"
  Is it possible that the default domain policy which IS indeed set differently is overriding my custom "password policy"
  If this is so how can I make it so  my custom password policy is applied over the default domain policy.
  Or what other answers could it be.

  Hi,
  Based on your requirement you can create Fine Grained Password Policies.
  This feature introduced in Windows Server 2008 allows you to override password policy set at the Default Domain Policy for specific users or groups.
  Checkout the below link for creating Fine Grained Password Policies from GUI in Windows Server 2012,
  http://blogs.technet.com/b/reference_point/archive/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac.aspx
  Regards,
  Gopi
  JiJi
  Technologies

• Load XML file from addon domain without cross-domain Policy file

  Hello.
  Assuming that there are two addon domains on the same server: /public_html/domain1.com       and      /public_html/domain2.com
  I try to load XML file from domain2.com into domain1.com without using cross-domain policy file (since it doesn’t work on xml files in my case).
  So the idea is to use php file in order to load XML and read it back to flash.
  I’ve found an interesting scripts that seems to do the job but unfortunately I can't get it to work. In my opinion there is somewhere problem with AS3 part. Please take a look.
  Here are the AS3/PHP scripts:
  AS3 (.swf in www.domain1.com):
  // location of the xml that you would like to load, full http address
  var xmlLoc:String = "http://www.domain2.com/MyFile.xml";
  // location of the php xml grabber file, in relation to the .swf
  var phpLoc:String = "loadXML.php";
  var xml:XML;
  var loader:URLLoader = new URLLoader();
  var request:URLRequest = new URLRequest(phpLoc+"?location="+escape(xmlLoc) );
  loader.addEventListener(Event.COMPLETE, onXMLLoaded);
  loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorHandler);
  loader.load(request);
  function onIOErrorHandler(e:IOErrorEvent):void {
      trace("There was an error with the xml file "+e);
  function onXMLLoaded(e:Event):void {
      trace("the rss feed has been loaded");
      xml = new XML(loader.data);
      // set to string, since it is passed back from php as an object
      xml = XML(xml.toString());
      xml_txt.text = xml;
  PHP (loadXML.php in www.domain1.com):
  <?php
  header("Content-type: text/xml");
  $location = "";
  if(isset($_GET["location"])) {
      $location = $_GET["location"];
      $location = urldecode($location);
  $xml_string = getData($location);
  // pass the url encoded vars back to Flash
  echo $xml_string;
  //cURLs a URL and returns it
  function getData($query) {
      // create curl resource
      $ch = curl_init();
      // cURL url
      curl_setopt($ch, CURLOPT_URL, $query);
      //Set some necessary params for using CURL
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     //Execute the curl function, and decode the returned JSON data
      $result = curl_exec($ch);
      return $result;
      // close curl resource to free up system resources
      curl_close($ch);
  ?>

  I think you might be right about permissions/settings on the server for php. Unfortunately I'm not allowed to adjust them.
  So I wrote my own script - this time I used file path instead of http address of the XML file.  It works fine in my case.
  Here it is:
  XML file on domain2.com:
  <?xml version="1.0" encoding="UTF-8"?>
  <gallery>
      <image imagePath="galleries/gallery_1/images/1.jpg" thumbPath="galleries/gallery_1/thumbs/1.jpg" file_name= "1"> </image>
      <image imagePath="galleries/gallery_1/images/2.jpg" thumbPath="galleries/gallery_1/thumbs/2.jpg" file_name= "2"> </image>
      <image imagePath="galleries/gallery_1/images/3.jpg" thumbPath="galleries/gallery_1/thumbs/3.jpg" file_name= "3"> </image>
  </gallery>
  swf  on domain1.com:
  var imagesXML:XML;
  var variables:URLVariables = new URLVariables();
  var varURL:URLRequest = new URLRequest("MyPHPfile.php");
  varURL.method = URLRequestMethod.POST;
  varURL.data = variables;
  var MyLoader:URLLoader = new URLLoader;
  MyLoader.dataFormat =URLLoaderDataFormat.VARIABLES;
  MyLoader.addEventListener(Event.COMPLETE, XMLDone);
  MyLoader.load(varURL);
  function XMLDone(event:Event):void {
      var imported_XML:Object = event.target.data.imported_XML;
      imagesXML = new XML(imported_XML);
     MyTextfield_1.text = imagesXML;
     MyTextfield_2.text = imagesXML.image[0].attribute("thumbPath");  // sample reference to attribute "thumbPath" of the first element
  php file on domain1.com:
  <?php
  $xml_file = simplexml_load_file('../../domain2.com/galleries/gallery_1/MyXMLfile.xml');  // directory to XML file on the same server
  $imported_XML = $xml_file->asXML();
  print "imported_XML=" . $imported_XML;
  ?>
  Regards
  PS: for those who read the above discussion: the first and the second script work but you must test which one is better in your situation. The first script will also work between two domains on different servers. No cross domain policy file needed.

• Windows 8 and Default Domain Policy modification issue

  Hi,
  I'm unable to edit the default domain policy from my new Windows 8 desktop.  It's the only Win8 in the environment so I'm not able to easily test another one unfortunately.  The error I receive is:
  Group Policy Error
  Failed to open the Group Policy Object.  You might not have the appropriate rights.
  Details: The volume for a file has been externally altered so that the opened file is no longer valid.
  I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account.  The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applicaitons (non of which stick
  out as having anything to do with AD management).
  It only occurs if I click edit on the GPO.  I'm able to successfully view the policy and edit the permissions etc.  Have rebooted and the machine is current with patches as of now.
  thanks
  Andy
  Cheers Andy

  Hi,
  According to your description, the issue only occurred when you click to edit the GPO. And only occurred on Windows 8. I would like suggest you to follow below suggestions to narrow down the issue:
  1. Check out whether the issue only occurred to Default domain policy object.
  2. Test on another new installed Windows 8 client with only RSAT installed.
  3. Create another new account and add it to domain admin group to test again.
  4. Run dcdiag on DCs to check out whether the replications work fine.
  Hope this helps.
  Regards,
  Yan Li
  If you have any feedback on our support, please click
  here
  Cataleya Li
  TechNet Community Support

• Gpupdate wont update because of Default Domain Policy

  Hi Technet Community
  I have just tried to do a gpupdate /force in the Command Prompt, but it has thrown an error up at me. Screenshot below :
  I have gone into Group Policy Management and tracked the UID (which is displayed above starting with 31B2F340...) to be the same as the Default Domain Policy. Usually, I would do whatever I need to with Group Policy to get it working again, but I don't know
  how to change this policy about, or whether I can delete the current one and recreate it?
  Could anyone let me know what I can do to resolve this.
  A restart does not resolve this issue, and if I leave the domain and re-join it, it still doesn't resolve it.
  I'll try installing SP1 and see if it works, but no other Windows 7, 8 or 8.1 client computers seem to work either, with exactly the same error.
  All users can still log in.
  Thanks
  Ed

  Hi Technet Community
  I have just tried to do a gpupdate /force in the Command Prompt, but it has thrown an error up at me. Screenshot below :
  I have gone into Group Policy Management and tracked the UID (which is displayed above starting with 31B2F340...) to be the same as the Default Domain Policy. Usually, I would do whatever I need to with Group Policy to get it working again, but I don't know
  how to change this policy about, or whether I can delete the current one and recreate it?
  Could anyone let me know what I can do to resolve this.
  A restart does not resolve this issue, and if I leave the domain and re-join it, it still doesn't resolve it.
  I'll try installing SP1 and see if it works, but no other Windows 7, 8 or 8.1 client computers seem to work either, with exactly the same error.
  All users can still log in.
  Thanks
  Ed

• Default domain policy got corrupted and can't reverse to old system state?

  Initially we had two servers which was 2003 and 2008, after adding additional two more servers (server 2012) in the network and then demoted the old servers. and that was quite while ago. after carefully looking a the default policy I have noticed that there
  so many policies was applied on default policy object which led me to disable them and created a backup for both domain controller and the domain policy.
  now the problem is stupidly run
  dcgpofix  thought it will restore the domain policy to it's original state but it did not instead it came up with an empty default policy template and inside there is no security policy which i can edit. However i did tried to restore the old policy which
  i backed up but i get an access denied error.
  Now i realise that the original default policy was from server 2003 and the current schema domain functional level is 2012.  Currently
  I can not login to any newly added computers to the domain via domain administrator account.
  Please help! Is there any way to create a new default domain policy?

  Hi thanks for your input,
  but that doesn't resolves my issue. However I have managed to fix it by modifying the Default policy systemflags and then run the command gpfixup.exe /ignoreschema /target :domain.com.
  and after that I was able to restore my old gp from earlier backup. 

• Broken Default Domain Policy! GPOFIX Doesn't work

  Justin1250 wrote:
  So I noticed that command prompt is open in the users directory.
  Did you right click on the command window and run as administrator?
  It should run from the system directory as an admin.Yes I did. I just made sure again to run it as admin. Same result.

  I've spent hours and hours trying to fix this but can't. I seem to have located the problem where the default domain policy has lost is child associated with the GUID in AD/Registry. None of the tools seem to work, and I can't delete and recreate it because it thinks it doesn't exist and because Microsoft has engineered it to not be removable. This would be fine if it wasn't corrupted. I've read on some forums that the in-ability to delete a policy object is due to permissions issues. However, that isn't the issue in my case.I've tried THISwhich didn't work.I recently did a test migration to 2012 from 2003, and was hoping when I migrated the data that the GPO wouldn't transfer it's corrupted data, but I was wrong :-/The pictures below should illustrate more detail than I could describe.GPOFIX ToolActive Directory showing that the GUID...
  This topic first appeared in the Spiceworks Community

• Discrepancy in Default Domain Policy

  Hello, 
  About 6 months ago we migrated from DC's running Windows 2003 R2 to Windows 2012 R2. At that time we raised our domain functional level to "Windows Server 2008 R2"
  I am trying to audit my Group Policy and have found a problem I am unable to explain. I have installed RSAT tools on my local workstation, and I have been using it to view group policy to perform my audit. Everything was going fine until I came across:
  "Default Domain Policy"
  Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
  However when I attempted to edit the policy to look at the settings, nothing is there, the certificate is just missing.
  Furthermore, when I look in the Group Policy Management on the DC, It does not even show "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\TrustedRoot Certification Authorities"
  Can anyone explain to me the following:
  1. Why does my local workstations RSAT tools show settings that are not reflected on the DC?
  2. Why is my RSAT tools showing settings on a certificate the does not exist? Is it because there used to be a cert there when we were using 2k3 domain controllers, and the cert wasn't migrated?
  3. How can I fix this so that my RSAT Group Policy Manager on my Workstations is synched with my Domain Controllers?
  Thank You in advance for any assistance. 
  P.S. I had several pictures setup that made the explanation of all this much easier, but I was not allowed to add them because "Body text cannot contain images or links until we are able to verify your account."  

  I have made some interesting discoveries that I think may help future individuals, if they find this posting. 
  When looking at the picture in my original posting you see that the group policy points to:
  "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted
  Root Certification Authorities"
  So you would expect that you would navigate to the same path in the GPME (Group Policy Management Editor)
  but it turns out, that is not the case, to edit these settings you must navigate to the following:
  "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies" and
  double-click on "Certificate Path Validation Settings"
  I discovered this information using this technet article:
  http://technet.microsoft.com/en-us/library/cc754841.aspx
  Under "Managing Trusted Root Certificates for a Domain"
  However this does not resolve my original issue, in that it does not explain the discrepancy between RSAT tools and the DC. 
  Well I have a friend who has almost an identical setup to mine at his company (he is using Server 2012 R1), he checked, and he saw the exact same scenario as I have. 
  I am unsure if this is by design or a bug in GPO. I would assume that if it was a bug that others would have discovered it by now and written about it, can anyone provide any insight?

• Cross domain policy issues

  I am attempting to communicate with a web service via flash
  across sub domains. All works fine and dandy on my local machine,
  but when i upload to my web server there is no communication across
  the domains. The way the servers are configured, i don't have
  access to the root of the domain to place the crossdomain.xml in
  the default location, so i have it in the folder next to the web
  service and link to it directly shown below. I have this line on
  the first frame of the first layer of my file
  quote:
  System.security.loadPolicyFile("MYDOMAIN/StudentConnect2Apply/crossdomain.xml");
  The server containing the flash file is insecure and the web
  service is secure (https). this is what my crossdomain.xml file
  looks like:
  quote:
  <cross-domain-policy>
  <allow-access-from domain="*.MYDOMAIN.net"
  secure="false"/>
  </cross-domain-policy>
  I have also enabled logging within my flash player to track
  down problems, when i initially load the page in the browser, it
  approves the policy file:
  quote:
  OK: Policy file accepted:
  https://MYDOMAIN/StudentConnect2Apply/crossdomain.xml
  But after submitting the form and attempting to interact with
  the web service, i get an error saying permission is denied due to
  lack of policy file permissions and
  quote:
  Warning: Failed to load policy file from
  MYDOMAIN/crossdomain.xml
  It is looking in the root of the domain after i defined and
  it accepted the overridden location. Is there another way to define
  where the crossdomain.xml file is located that i am missing,
  possibly in the web service settings somewhere?

  I have found my answer, thanks to another forum.
  Meta-Cross Domain Policies.
  http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_03.html
  Basically I can now say "f*ck you adobe. I as a college
  student who likes to host things on my 150 MB of server space can
  no longer host XML formatted levels for games I write. Because I am
  not the administrator of the server and will never be able to
  convince the administrator to let me have the MCDP file allow my
  flash file to load it's levels."
  F*ck you Adobe, F*ck You.

• Cross domain policy file and BitmapData

  Hey guys and gals, I'm having an issue with a Security error
  when trying to access photos from an external site. I have a client
  who is at siteA.com, who wants to load in photos from siteB.com,
  siteC.com, and probably 100 other sites. He has permission to do so
  from the other sites, but doesn't want to go through all the
  trouble of asking each site to post a cross-domain policy file.
  Please correct me if I'm wrong, but the way I understand it is, if
  you want to simply load an image into a Loader object within a swf,
  you're ok, but if you want to access the BitmapData, you will then
  get a security error? My snippet of code that I believe is causing
  the security error is
  public function imageLoaded(e:Event):void {
  var image:Bitmap = Bitmap(e.target.loader.content);
  image.smoothing = true;
  imageContainer.addChild(e.target.loader);
  As you can tell, the reason why I want to access the Bitmap
  itself is to apply smoothing. That is my main concern, I want to be
  able to apply smooth transitions to these pictures that are loaded
  in from external sites. My main goal is to load images externally,
  then apply smooth transitions, so if you know of a way to get
  around the security violations, that would be great. The only
  work-around we have for this is to write a script that will load
  all the images from the external sites onto the local server, as
  this will be less work than getting the cross-domain policy file on
  each server (if that's what it takes). Thanks in advance for
  anybody who can shed some light on the subject.

  If I understand you correctly, a 'helper' swf would be on the
  site where the images are held, much like a cross-domain policy
  file? I don't understand how that would be much different than
  getting the external sites to add a cross-domain policy file on
  their server. It sounds easier to just throw the cross-domain
  policy file on the external site's server with '*' for the path of
  allowed directories to load images from. I'm pretty new to the
  cross-domain security issue, so I'm not sure. I don't understand
  why it's a security risk to access the pixels of an image either...
  anybody know about that? Just trying to figure out where to go from
  here on this project. Thanks for the reply GWD, still looking for
  some more feedback.

• Default Domain Policy Not Applying Settings to Servers or Clients

  I have 2008 R2 DC's with a functioning level of 2003.  Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
  I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
  For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
  The change was to enable DES because of a specific need that I have with an application that I work with but enabling DES and leaving the other options such AES unselected caused other applications to not work right.  I decided to revert the changes
  back to "Not Defined" but those changes did not reflect on the servers even after running the gpupdate /force command.
  In order to keep the application working that broke, we enabled all of the encryption levels such as DES, AES, etc. on the server that's running the application via it's Local Security Policy as a temporary fix.
  Now, I want to make sure all servers receive the settings from the Default Domain Policy and have their Local Security Policies reflect the "Not Defined" setting but it's not applying.  It seems like they worked when I first applied them but
  when I try to remove them it does not work.
  If I change the setting directly on the Local Security Policy on the server or clients it shows "No minimum" instead of "Not Defined" which I've heard can be fixed by identifying the registry entry for that setting and deleting it...so
  help with the location and how to identify that key would also be helpful.
  My goal is not to manually have to change servers and clients to revert back to their default settings...I want the Domain policy to apply and override the servers and client's Local Security Policy.
  Any help with this would be greatly appreciated and thank you in advance.

  I have 2008 R2 DC's with a functioning level of 2003.  Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
  I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
  For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
  refer:
  http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
  We needed to implement a similar scenario a few years ago (when we introduced Windows7 into our estate).
  We had an SAP/NetWeaver implementation which always worked on WinXP, but failed on Win7.
  We had to enable the DES ciphers, since those were disabled by default in Win7. We discovered that we also needed to enable all the other ciphers (those which are enabled by default[not configured]).
  i.e., when we changed the setting from "Not Configured", enabled DES, and left the RC4/AES stuff untouched by us, the RC4/AES stuff attracted a status of disabled.
  So, we had to set the DES ciphers to Enabled, and, also set the RC4/AES ciphers to Enabled - this gave us the "resultant" enablement of the default stuff and the needed change/addition of DES.
  When you set a GP setting "back to Not Configured", depending upon the setting *AND* the individual Windows feature itself - one of two things will happen:
  a) the feature will "revert" to default behaviour
  b) the feature will retain the current configured behaviour but becomes un-managed
  In classic Group Policy terms, condition (b) above is often referred to as "tattooing", i.e., the last GP setting remains in effect even though GPMC/RSOP/etc does not reveal that to be the case.
  (This is also a really good example of not doing this sort of stuff in the DDP. It could have borked your whole domain :)
  What I'd suggest, is that you re-enable your ciphers for KRB settings again - this time, enable all the ciphers that would normally be "default", let that replicate around, and allow time for domain members to action it.
  Then, set the setting back to Not Configured. This way, the "last" settings issued by GP will be those you want to remain as the "legacy".
  Note: the GP settings reference s/sheet, has this to say:
  Network security: Configure encryption types allowed for Kerberos
  This policy setting allows you to set the encryption types that Kerberos is allowed to use.
  If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.
  This policy is supported on at least Windows 7 or Windows Server 2008 R2.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Error 2170 in Cross Domain Policy deployed in Enterprise Portal

  Hi All,
  We are facing an Error # 2170 for the Cross Domain Policy in Enterprise Portal.
  We developed the dashboard using 2 web service connections (using ECC Remote Enabled Functon Module). The Web services were made Public so that they can be accessed from any network. We developed the dashboard using the public enabled webservices and exported to the SWF file which is working fine.
  But when we place the dashboard SWF file in the Enterprise portal it gives the error " Cross Domain Policy Error #2170" .
  We Placed the Cross domain Policy file in ECC Server in the root directory and placed the same in Enterprise portal C drive.
  But still it shows the same error when we preview the dashboard in Enterprise Portal.
  The Cross Domain Policy File that we are using is as follows:
  -<cross-domain-policy> <site-control permitted-cross-domain-policies="all"/>
              <allow-access-from secure="false" to-ports="" domain=""/>
             <allow-http-request-headers-from secure="false" domain="" headers=""/>
             <allow-https-request-headers-from secure="false" domain="" headers=""/>
  </cross-domain-policy>
  Please let us know if the cross doamin file is correctly coded and suggest us with suitable solutions for this problem. Also let us know if there is some alternative solution to this issue.
  Thanks,
  Malla Reddy D

  Hello Malla,
  Maybe SAP Note 1240810 helps... Anyway, I would say that if your issue is with the direct SAP NW BI connection, through BICS, the only file which is relevant is bicsremotecrossdomain.xml, which should be located on your server HTTP root.
  Another check you can perform is if you have both portal certificate entries as per SAP Note 1508663.
  Kind Regards,
  Marcio

• How to avoid applying Default domain policy?

  Hello! Hope to get some ideas on the following:
  I have one PC that I DO NOT want to apply default domain policy to. I have created a separate OU in AD with one security group, that contains only that one PC.
  I made sure that pc is a member of only that group and not domain computers or any other groups.
  I have created a separate GPO for this PC and linked in to the domain.
  I am seeing in the gpresult /r  that both the new  GPO is applied to the workstation and the default domain gp as well.
  Default domain policy is designed to be applied to all authenticated users.
  I have create a separate user for that workstation that is not a member  of authenticated users.It is only a member of domain users.
  Ultimately I want default domain policy to be filtered out and the gpo specific to this pc to be applied.
  Any ideas?

  > Default domain policy is designed to be applied to all authenticated users.
  >
  > I have create a separate user for that workstation that is not a member
  > of authenticated users.It is only a member of domain users.
  You cannot exclude any computer or user from being an authenticated user...
  > Ultimately I want default domain policy to be filtered out and the gpo
  > specific to this pc to be applied.
  Then simply block inheritance on the OU this computer lives in, and link
  the specific GPO to that OU.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Windows 2003 Password Policy Ignored in Default Domain Policy

  Hi there I've a problem on my DC.
  i set in the "default domain policy" the settings form the policy password lenght complexity etc etc..
  When i RUN Group policy modelling simulation i cannot view the settings of Windows Settings\Security Settings\account policy\password policy
  the scope of the GPO is Authenticated
  the GPO seems to be ignored for the security settings but not for the other parameters like kerberos security.
  Any Idea to solve this issue?

  Hi Federico,
  >>i cannot view the settings of Windows Settings\Security Settings\account policy\password policy
  What do this mean? Does this mean that we can’t see the password policy in the modeling, or that we can’t see the change we made to the password policy? Besides, were there
  error messages displayed in the modeling?
  In addition, we can try running the Group Policy Modeling Wizard again to see if the issue persist.
  Best regards,
  Frank Shen

• Block Inheritance and Default Domain Policy

     Hello to all, I will run a cross-forest migration and target forest has a Default Domain Policy. Target domain is Windows 2003 Functional Level, but has almost all DCs on Windows 2008. As first level OUs represents country codes (USA, GBR, FRA,
  etc) and a new country will be created I want to block GPOs from Domain level. The task itself is very easy, just configure "Block Inheritance" on the new country OU. Important: Default Domain Policy is >> not set << to "Enforce"
  on target domain.
     Question: the security configurations (account, password, local policies) from Default Domain Policy will be blocked? If yes, how domain users below this new country OU will have basic configurations for them (password complexity, password length,
  certificates, etc) ?
     Regards, EEOC.

     Question: the security configurations (account, password, local policies) from Default Domain Policy will be blocked? If yes, how domain users below this new country OU will have basic configurations for them (password complexity, password length,
  certificates, etc) ?
  The Domain security policy for passwords etc, is domain-wide, and cannot be blocked.
  It applies to, and is controlled by, the Domain Controllers.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)