Re: Password policy at the OU level
From: SF '03 Native (anonymous_at_discussions.microsoft.com)
Date: 07/16/04
- Next message: Simon Metcalf: "Disable Local Resources"
- Previous message: Simon Geary: "Re: Flash player"
- In reply to: Roger Abell: "Re: Password policy at the OU level"
- Next in thread: Roger Abell [MVP]: "Re: Password policy at the OU level"
- Reply: Roger Abell [MVP]: "Re: Password policy at the OU level"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 16 Jul 2004 11:26:48 -0700
Thank you very much Robert for your answer.

This is a short-term situation, <4 months at this time. I
may just force him to bring this laptop to his house, then
VPN in from there to enforce the GPO, and change the
password periodically. Pain in the *** for Peter, but
easier on me.

Checkpoint issues with PPTP go back to the origin, and I
have yet to talk with any Checkpoint engineers who can
make it work. Usually it involves sidestepping the FW
altogether, which in this case is not allowed. I
invested some time in this problem about 18 months ago,
and failed miserably, as has everyone I know. Just an
FYI there.
>-----Original Message-----
>Service accounts usually have the account attribute that
>their password never expires set on, which exempts them.
>The challenge is then in remembering to actually not leave
>the services running with the same password forever. Use
>of a very strong passphrase helps here.
>
>Your user Peter is in a pickle, or perhaps it is you that is.
>I would suggest that either you get their outbound VPN
>ability defined and functioning, or that you let them be
>stand-alone rather than domain. As it is, the machine is
>not receiving GPO from the domain, and is likely totally
>out-of-touch with the domain - so why is it in the domain?
>The user can still authenticate at the RPC/HTTP interfaces
>with their domain account even though they do not log into
>their machine with same. As it is, if you have not yet
>enforced password policies, Peter's machine is not going
>to discover that these are in place, and anyway, domain
>password policy is enforced at the domain controllers.
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"SF '03 Native" <anonymous@discussions.microsoft.com> wrote in message
>news:2e1f901c46a7e$c8bd76e0$a301280a@phx.gbl...
>> OK then. How do I handle service accounts? Exchange for
>> example... What are the implications of Domain level
>> password policies for service accounts?
>>
>> And one more question if I may.
>>
>> I have a user (Peter) that is behind such a tight
>> firewall (Checkpoint) that he cannot VPN in here PPTP.
>> His only choice is to use RPC over HTTP. How will a
>> password policy forcing him to change it every 90 days
>> work?
>>
>> I want to put to you my theory:
>>
>> Peter's machine is a member of the Domain, but almost
>> never gets connected to the domain. If he is forced to
>> change his password via RPC over HTTP, will his local
>> machine also know about the change, or will he be forced
>> to use 2 different passwords: the old one to log into
>> the machine and the new one to connect his Outlook? Or
>> will the resulting confusion cause a space-time rift and
>> render his machine inoperable?
>>
>> This is my greatest obstacle to implementing a secure
>> password policy. Please help me answer this question.
>> Thank you.
>>
>> >-----Original Message-----
>> >That's right. Password policy for domain user accounts
>> >must be assigned within a GPO linked to the domain level only.
>> >OU-linked password policy will only affect local user accounts
>> >on workstations and member servers.
>> >
>> >--
>> >Darren Mar-Elia
>> >MS-MVP-Windows Management
>> >http://www.gpoguy.com
>> >
>> >
>> >
>> >"SF '03 Native" <anonymous@discussions.microsoft.com> wrote in message
>> >news:2cff001c469ec$39472a20$a401280a@phx.gbl...
>> >> When I assign a password policy at the OU level it has
>> >> no effect whatsoever. Is this not supposed to work?
>> >>
>> >> Is my only option to set it at the Domain level?
>> >>
>> >> I am on Windows 2003 Native Mode with Exchange 2003
>> >> Native mode as well.
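An added example, not part of the thread or written by any of its participants: the service-account gap Roger describes (accounts flagged "password never expires" are exempt from the domain policy, so nobody is forced to rotate them) can be checked from the domain side, where the policy is actually enforced. This is a modern PowerShell check using the ActiveDirectory module (RSAT), which postdates the Windows 2003 tooling in the thread; the 90-day threshold is the value the original poster mentions, and the variable names and the use of an SPN as a rough "is a service account" hint are my assumptions, not anything the thread states.

```powershell
# Added example (not from the original thread). Lists enabled domain accounts
# whose "Password never expires" flag exempts them from the domain password
# policy, and marks those whose password is older than the maximum age.
# Assumptions: ActiveDirectory module (RSAT) is installed and the caller can
# read user attributes; $MaxAgeDays mirrors the 90-day value in the thread.
Import-Module ActiveDirectory

$MaxAgeDays = 90
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# The policy in force is the domain-level one (as the thread says, OU-linked
# password settings never reach domain accounts).
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain MaxPasswordAge: {0} days" -f $policy.MaxPasswordAge.Days

Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordLastSet, ServicePrincipalName |
  Select-Object SamAccountName,
      PasswordLastSet,
      @{ n = 'AgeDays'
         e = { if ($_.PasswordLastSet) {
                   [int]((Get-Date) - $_.PasswordLastSet).TotalDays
               } else { $null } } },
      # Assumption: an SPN is only a hint that this account runs a service
      # (Exchange, SQL, etc.); it is not a reliable classification.
      @{ n = 'HasSPN';  e = { $_.ServicePrincipalName.Count -gt 0 } },
      # Never-set or older than the cutoff: the flag is hiding a stale password.
      @{ n = 'Overdue'; e = { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } } |
  Sort-Object AgeDays -Descending |
  Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; the rows with Overdue = True are the accounts the policy is silently skipping, and each one needs a manual rotation of both the account password and the service configuration that stores it.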