Re: GPO configuration



Within the native operating system there can be only one password/account
policy for "domain" users, and this is defined only at the domain level. The
domain controllers apply password policy and they read the policy from the
winning domain-level policy that has password policy defined, which in a
fresh install would be Domain Security Policy. However, any domain-linked GPO
could apply the password policy, and the GPO at the top of the list has
highest priority. When configuring a password/account policy, make sure that
you do not change defined settings to "undefined" to reverse or disable
them. A good example is password complexity. If you want to disable it for
some reason, change the domain-level policy to disabled and not undefined, as
undefined will not disable it.

There are ways to use a custom passfilt.dll to have different password
policies for different users/computers in a domain. Writing and installing a
passfilt.dll correctly is not a trivial matter and takes a good programmer,
and there are third-party applications that can do such. In my opinion it
makes sense to have a strong password/account policy for all domain users
and to train users how to conform to it. Training users to use passphrases
instead of passwords can help immensely. Instead of remembering T65r)*xn as
a password they could use a favorite phrase such as "A spoonful of sugar!",
which is a long complex password. Train them to leave the spaces in the
passphrase. For sensitive accounts consider using smart cards and
configuring the user account to require a smart card for logon.

In Windows 2000/2003 domains are NOT security boundaries - forests are. You
can create external or possibly forest trusts [in Windows 2003] to allow
resources to users from a different forest. Remember that admins in the root
forest domain are all powerful in a forest. --- Steve
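The check that goes with the advice above, as an added example that is not part of Steve's post: it prints the password policy the domain controllers are actually enforcing, then walks the domain-linked GPOs in link order and reports which of them define password settings at all, so an "undefined" entry is visible as simply not contributing. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or later, not the 2000/2003 era the thread discusses) and the layout of the XML report produced by Get-GPOReport.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# and GroupPolicy modules; run as a user allowed to read GPOs in the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. What the domain controllers are enforcing right now for domain accounts.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
"Effective domain password policy for $($domain.DNSRoot):"
$effective | Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                         MaxPasswordAge, LockoutThreshold

# 2. Which domain-linked GPOs define password settings, in link order.
#    Order 1 is the top of the list and wins. A GPO that leaves a setting
#    "not defined" contributes nothing for it, so the next GPO down (or the
#    value already on the DCs) still applies; only "disabled" turns it off.
$settings = 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
            'MaximumPasswordAge', 'LockoutBadCount'
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
         Sort-Object Order
foreach ($link in $links) {
    $xml = [xml](Get-GPOReport -Guid $link.GpoId -ReportType Xml)
    # Assumption: account policy entries sit in the Computer SecuritySettings
    # extension as <Account><Name>..</Name><SettingNumber|SettingBoolean>..</..>.
    $accounts = $xml.GPO.Computer.ExtensionData.Extension.Account
    $defined = @()
    foreach ($a in $accounts) {
        if ($settings -contains $a.Name) {
            $value = if ($a.SettingBoolean) { $a.SettingBoolean } else { $a.SettingNumber }
            $defined += "$($a.Name)=$value"
        }
    }
    $state = if (-not $link.Enabled) { 'link disabled' }
             elseif ($defined.Count -eq 0) { 'no password settings defined' }
             else { $defined -join ', ' }
    "[{0}] {1} (enforced={2}): {3}" -f $link.Order, $link.DisplayName, $link.Enforced, $state
}
```

The first GPO in the listing that reports a given setting as defined is the one supplying it; if the effective policy still shows a value no listed GPO defines, it is coming from a setting that was left undefined rather than disabled.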


"Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:79A7C1D9-7FD0-44A2-86C2-3E86D264F2DB@xxxxxxxxxxxxxxxx
> Hi,
> I am confused on the issue of Domains and security boundaries. Can I have
> different password policies in the same domain? Couldn't I have one policy
> that has a 6 character password requirement and link it to a GPO for the
> general user, and then have a 12 character password requirement for admin
> group linked through a GPO? Also what happens when you have a GPO like
> this with password requirements linked to a site that crosses domains? Does it
> just not process or execute properly?
> Thanks - Wayner




