Re: New Password Policy Implementation Problem

From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 06/25/04


Date: Fri, 25 Jun 2004 11:30:28 +1000

Hi

As per:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dsscc_aut_xbby.asp

"Creating a password policy involves setting the following options in the
Default Domain Group Policy object. These policies, with the exception of
those settings related to password lifetime, are enforced on all users in a
domain."

In my experience, these apply to everyone from the DDSP. For example,
examine the defaults on a Windows Server 2003 DC ... all set from DDSP.

Kind regards

-- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.

"AAO" <ortiza@uthscsa.edu> wrote in message news:unYOngjWEHA.1468@TK2MSFTNGP10.phx.gbl...
> Recently we implemented a password policy for our institution; however,
> during our testing we noticed that on our production AD environment we were
> able to implement the following settings via the Default Domain Controllers
> Security Policy (DDCSP):
> Enforce Password History
> Minimum Password Length
> Passwords must meet complexity Requirements
>
> These policies were enforced for all domain users and we verified the
> validity of these settings through client testing.
>
> The 'Maximum Password Age' and the 'Minimum Password Age' would not apply to
> the domain users when set from DDCSP and we needed to enforce this from the
> Default Domain Security Policy (DDSP).  Needless to say, I was very confused
> as to why this worked.  I tried these same settings on 2 different AD test
> environments and they would not enforce at the DDCSP.  My question is: has
> anyone else seen this?  Why did this work on our production environment?
> Based on what I read this should not have worked but it did.
>
> Our Production Setup:
> (3) Windows 2000 Domain Controllers with SP4 and all of the latest hot fixes
> running in Mixed Mode.
>
> Our Test Environment:
> (2) Windows 2000 DC's with SP4 and a couple of hot fixes
>
> Our 2nd Test Environment:
> (1) Windows 2000 DC with Service Pack 2 and several hot fixes
>
> Based on all of the Microsoft Knowledge Base Articles and White papers I
> could find I've learned that Account Policies such as password, Account
> Lockout, and Kerberos Policies can only be enforced for domain users at the
> DDSP.  In addition I learned that only Auditing and User rights can be
> enforced for Domain Controllers at the DDCSP.
>
> AAO
> 
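
An audit check for the situation discussed in this thread, as an added example (not part of either post and not Microsoft tooling): it scans a GPO's security template for account-policy settings when that GPO is not linked at the domain level, since the deployment guide quoted above places the password policy in the Default Domain GPO. The key names are those used in a GPO's `GptTmpl.inf`; the template text, the GPO name and the function names are constructed for illustration.

```python
# Added example: flag account-policy settings defined in a GPO that is not
# linked at the domain level (e.g. the Default Domain Controllers policy).
ACCOUNT_POLICY_KEYS = {
    "System Access": {
        "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
        "PasswordComplexity", "PasswordHistorySize",
        "LockoutBadCount", "ResetLockoutCount", "LockoutDuration",
    },
    "Kerberos Policy": {"MaxTicketAge", "MaxRenewAge", "MaxServiceAge",
                        "MaxClockSkew", "TicketValidateClient"},
}

def parse_inf(text):
    """Return {section: {key: value}} from security-template (INF) text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def misplaced_account_policy(gpo_name, inf_text, domain_linked):
    """List account-policy settings found in a GPO not linked at the domain."""
    if domain_linked:
        return []  # the domain-level GPO is where these settings belong
    parsed = parse_inf(inf_text)
    return [(gpo_name, section, key, value)
            for section, keys in ACCOUNT_POLICY_KEYS.items()
            for key, value in parsed.get(section, {}).items()
            if key in keys]

# Constructed sample template for a DC-linked GPO (not taken from the thread).
DDCSP_SAMPLE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 3
"""

for finding in misplaced_account_policy("DDCSP", DDCSP_SAMPLE, False):
    print("account policy outside domain-level GPO:", finding)
```

Audit and other non-account settings in the same template are left alone; only the password, lockout and Kerberos keys are reported.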

