Re: Password Policy & GPO Settings

From: Javier Inglés [MS MVP] (jjingles2000_at_NOSPAMhotmail.com)
Date: 07/21/04 

Date: Wed, 21 Jul 2004 23:56:53 +0200

No, a password policy is for DOMAN, not for DomainControllers; you must specify your password policy in the domain security settings, not domain controller security settings ;-))

I have some domains in this mode and function very well :-)) 

-- 
Salu2!!!
Javier Inglés, MS-MVP
http://mvp.support.microsoft.com/default.aspx
e-m@il:jingles@NOSPAMmvps.org
<<<QUITAR "NOSPAM" PARA MANDAR MAIL>>>
Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún derecho
"ptwilliams" <ptw2001@hotmail.com> escribió en el mensaje news:OCeEDu2bEHA.3144@TK2MSFTNGP09.phx.gbl...
> I can't see how this is the case?!?  As password policy is applied to Domain
> Controllers not domain members.  Therefore filtering doesn't come into it.
> The password policy applies to the DCs as they perform the authentication.
> The policy is nothing to do with users or computers, only how a DC handles
> aspects of authentication.
> 
> -- 
> 
> Paul Williams
> _________________________________________
>  http://www.msresource.net
> 
> 
> Join us in our new forums!
>   http://forums.msresource.net
> _________________________________________
> 
> 
> "Javier Inglés [MS MVP]" <jjingles2000@NOSPAMhotmail.com> wrote in message
> news:OeySEo2bEHA.368@TK2MSFTNGP10.phx.gbl...
> Hi, another possibility is use the security tab and deny the access to one
> GPO, with this, some groups can have one domain password policy and other
> groups can have another policy :-)
> 
> -- 
> Salu2!!!
> 
> Javier Inglés, MS-MVP
> http://mvp.support.microsoft.com/default.aspx
> 
> e-m@il:jingles@NOSPAMmvps.org
> <<<QUITAR "NOSPAM" PARA MANDAR MAIL>>>
> 
> Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no
> otorga ningún derecho
> 
> 
> "Paul Bergson" <pbergson@mnpower.com> escribió en el mensaje
> news:eDGAYxzbEHA.2880@TK2MSFTNGP12.phx.gbl...
> > Domain Account settings are all that apply for users.  If you set policies
> > up for users at an OU level it will be ignored.  Local is a different
> story
> > but it only effects user authenticating to there local machine and has no
> > effect on the domain.
> >
> > If you want to implement multiple password policies you can pick up a
> third
> > party product.  We use Password Policy Enforcer but there are many
> different
> > ones available.  Just search on password policy with your web search
> engine.
> >
> > -- 
> >
> > Paul Bergson  MCT, MCSE, MCSA, CNE, CNA, CCA
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> >
> >
> > "Veets" <dddetrretsssadasy@hotnospmamail.com> wrote in message
> > news:uGTIiqzbEHA.1644@tk2msftngp13.phx.gbl...
> > > Hello,
> > > We're running a Windows 2000 domain & I have a few questions about the
> > > domain password policy settings.
> > > I'm familiar with the GPO inheritance order -> Local -> Site -> Domain
> > > GPO -> OU
> > > I've read however, that you can only have 1 password policy setup for
> your
> > > domain which is defined at the default GPO (I read it in the following
> > > article ->
> > >
> >
> http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/enforce_strong_passwords.mspx)
> > >
> > > As far as I understand it, what this means is that even if you define a
> > new
> > > password policy on an OU, it will not work since the OU will 'pick up'
> the
> > > default GPO password settings? Is this correct? Also, will the default
> GPO
> > > settings override the 'Account Lockout Policy' & 'Event Log'  options of
> > the
> > > new OU as well?
> > > If I'm right, does this mean that I'll need to create a new domain to
> get
> > > around this problem?
> > > I hope my questions are clear enough.
> > > Any input is greatly appreciated. TIA
> > > Best regards,
> > > Veets
> > >
> > >
> > >
> >
> >
> 
>

Relevant Pages

  • Re: Password policy
    ... you password expires" on client desktops connected to a AD domain. ... occured if an end-user logged into a Windows 2003 Exchange OWA server. ... Domain Controller Security Settings" and "Default Domain Security Settings" ... > the password policy, and link it to domain controllers. ...
    (microsoft.public.win2000.security)
  • Re: Password Policy & GPO Settings
    ... Thanks for replying Paul but I'm not exactly sure what you mean in your ... > Domain Account settings are all that apply for users. ... Just search on password policy with your web search ...
    (microsoft.public.win2000.active_directory)
  • Re: applying group policy
    ... The settings are not applying. ... > Are you trying to implement password policy with this GPO? ... What i have tried is on the domain controler set up an ... >> organisational unit and added the names of the user and computer that i ...
    (microsoft.public.windows.server.active_directory)
  • Re: Cannot Add Users
    ... Password policy is configured on the domain level by default in the default domain policy. ... Here you have to check the settings, any other OU will not work. ... disable domain security settings and DC security settings I cannot add ...
    (microsoft.public.windows.server.security)
  • Re: Cannot Add Users
    ... Password policy is configured on the domain level by default in the ... Here you have to check the settings, ... disable domain security settings and DC security settings I cannot add ... dave Admin ...
    (microsoft.public.windows.server.security)