I am still learning windows domain networking, and I currently have a quesiton regarding a particualar doamin setup. If I have a root domain (for example, domain.com)and I create a child in that same domain (for example, child.domain.com). Is it possible to create the account policy GPO's of the child domain differnet from the parent? I know that when you enable account GPO's that they are enforced at the domain level; however, I am unsure if this applies in a parent/child domain setup. My goal with regards to this is to create the parent domain that enforces users to change their passwords every 60 days (and use the password complexity requriments). However, I do not want to enforce this on the child domain. Is this possible using the parent/child domain setup? Or do I need to create two toatally seprate domains witin the in separate subents and create a trust between them? In the second option, is it possible to do this without a physical router in between? Can WIndows perform the task of allowing data flow between two differenet domains on different subnets just by enabling a trusts between the domains? I am open to other suggestions if there are any.

At domain level, a child domain is a different domain then the parrent domain so you can make different account policy's ill guess. When you make two domains on one subnet like i did you can login to one another you can chose what domain you wanna login to, if you have different subnets you need a router. Regards Lars mcp mcsa\: Messaging mcse -2003

Each domain is a separate security entity with its own policies that are distinct. You actually cannot take a GPO from one domain and apply it to another. You actually have to create two identical GPO's, one for each domain to even have identical security settings to be applied in both domains. Subnets are only relevant to IP routing and Active Directory "Sites". You can have multiple sites in a domain, or multiple domains in a site. A solution to your question is this: The domain level GPO's in each domain simply have to have different password policies. Be aware the default domain policy has a password expiration of 90 days. If you want passwords to not expire, it's best to create a new GPO with higher precedence and set this value to 0 with no other settings defined. This procedure should also be followed for a value other than 90 days. Trusts are relevant only in accepting authenticated credentials from other domains. Please help survivors of Hurricane Katrina. www.redcross.org