Re: Password policy at the OU level
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/16/04
- In reply to: SF '03 Native: "Re: Password policy at the OU level"
Date: Thu, 15 Jul 2004 18:12:13 -0700
Service accounts usually have the account attribute that
their password never expires set on, which exempts them.
The challenge is then in remembering to actually not leave
the services running with the same password forever. Use
of a very strong passphrase helps here.
Your user Peter is in a pickle, or perhaps it is you that is.
I would suggest that either you get their outbound VPN
ability defined and functioning, or that you let them be
stand-alone rather than domain. As it is, the machine is
not receiving GPO from the domain, and is likely totally
out-of-touch with the domain - so why is it in the domain?
The user can still authenticate at the RPC/HTTP interfaces
with their domain account even though they do not log into
their machine with same. As it is, if you have not yet
enforced password policies, Peter's machine is not going
to discover that these are in place, and anyway, domain
password policy is enforced at the domain controllers.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"SF '03 Native" <anonymous@discussions.microsoft.com> wrote in message
news:2e1f901c46a7e$c8bd76e0$a301280a@phx.gbl...
> OK then. How do I handle service accounts? Exchange for
> example... What are the implications of Domain level
> password policies for service accounts?
>
> And one more question if I may.
>
> I have a user (Peter) that is behind such a tight
> firewall (Checkpoint) that he cannot VPN in here PPTP.
> His only choice is to use RPC over HTTP. How will a
> password policy forcing him to change it every 90 days
> work?
>
> I want to put to you my theory:
>
> Peter's machine is a member of the Domain, but almost
> never gets connected to the domain. If he is forced to
> change his password via RPC over HTTP will his local
> machine also know about the change, or will he be forced
> to use 2 different passwords. The old one to log into
> the machine and the new one to connect his Outlook? Or
> will the resulting confusion cause a space time rift and
> render his machine inoperable?
>
> This is my greatest obstacle to implementing a secure
> password policy. Please help me answer this question.
> Thank you.
>
> >-----Original Message-----
> >That's right. Password policy for domain user accounts must be assigned
> >within a GPO linked to the domain level only. OU-linked password policy
> >will only affect local user accounts on workstations and member servers.
> >
> >--
> >Darren Mar-Elia
> >MS-MVP-Windows Management
> >http://www.gpoguy.com
> >
> >"SF '03 Native" <anonymous@discussions.microsoft.com> wrote in message
> >news:2cff001c469ec$39472a20$a401280a@phx.gbl...
> >> When I assign a password policy at the OU level it has no
> >> effect whatsoever. Is this not supposed to work?
> >>
> >> Is my only option to set it at the Domain level?
> >>
> >> I am on Windows 2003 Native Mode with Exchange 2003
> >> Native mode as well.
> >.
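
A check for the risk raised in the reply above (accounts exempted by "password never expires" keeping the same password indefinitely), added here as an example and not part of the original thread. It assumes account records already exported from the directory as dictionaries holding the sAMAccountName, userAccountControl and pwdLastSet attributes; the account names, sample values and the 90-day threshold (taken from the interval mentioned in the question) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits as documented for Active Directory
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(moment):
    """Inverse conversion, used only to build the constructed sample below."""
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000

def stale_non_expiring(accounts, now, max_age_days=90):
    """Return (name, age_in_days) for enabled accounts whose password never
    expires and is older than max_age_days, oldest first. An age of None
    means pwdLastSet is 0 (no set time recorded); those are listed first."""
    findings = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if uac & UF_ACCOUNTDISABLE or not uac & UF_DONT_EXPIRE_PASSWD:
            continue  # disabled, or subject to the normal expiry policy
        last_set = int(acct["pwdLastSet"])
        if last_set == 0:
            findings.append((acct["sAMAccountName"], None))
            continue
        age = (now - filetime_to_datetime(last_set)).days
        if age > max_age_days:
            findings.append((acct["sAMAccountName"], age))
    return sorted(findings, key=lambda f: (f[1] is not None, -(f[1] or 0)))

# Constructed sample records (not taken from any real directory).
NOW = datetime(2004, 7, 15, tzinfo=timezone.utc)
def _rec(name, uac, days_old):
    stamp = 0 if days_old is None else datetime_to_filetime(NOW - timedelta(days=days_old))
    return {"sAMAccountName": name, "userAccountControl": str(uac), "pwdLastSet": str(stamp)}

SAMPLE = [
    _rec("svc_exchange", 0x10200, 400),  # never expires, stale
    _rec("svc_sql", 0x10200, 120),       # never expires, stale
    _rec("svc_backup", 0x10200, 30),     # never expires, recently rotated
    _rec("peter", 0x0200, 200),          # ordinary user, policy expiry applies
    _rec("svc_retired", 0x10202, 900),   # disabled, ignored
    _rec("svc_new", 0x10200, None),      # pwdLastSet = 0
]

if __name__ == "__main__":
    for name, age in stale_non_expiring(SAMPLE, NOW):
        print(name, "no pwdLastSet recorded" if age is None else f"{age} days")
```
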