Re: Password policy at the OU level
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 07/17/04
- In reply to: SF '03 Native: "Re: Password policy at the OU level"
Date: Fri, 16 Jul 2004 19:47:48 -0700
Yes, I have heard many a post related to Checkpoint VPN
client interop with Windows.
--
Roger

"SF '03 Native" <anonymous@discussions.microsoft.com> wrote in message
news:2e59e01c46b62$74e8fe10$a401280a@phx.gbl...
> Thank you very much Robert for your answer.
>
> This is a short term situation <4 months at this time. I
> may just force him to bring this laptop to his house then
> VPN in from there to enforce the GPO, and change the
> password periodically. Pain in the *** for Peter, but
> easier on me.
>
> Checkpoint issues with PPTP go back to the origin, and I
> have yet to talk with any Checkpoint engineers who can
> make it work. Usually it involves sidestepping the FW
> altogether, which in this case is not allowed. I
> invested some time in this problem about 18 months ago,
> and failed miserably as has everyone I know. Just an
> FYI there.
>>-----Original Message-----
>>Service accounts usually have the account attribute that
>>their password never expires set on, which exempts them.
>>The challenge is then in remembering to actually not leave
>>the services running with the same password forever. Use
>>of a very strong passphrase helps here.
>>
>>Your user Peter is in a pickle, or perhaps it is you that is.
>>I would suggest that either you get their outbound VPN
>>ability defined and functioning, or that you let them be
>>stand-alone rather than domain. As it is, the machine is
>>not receiving GPO from the domain, and is likely totally
>>out-of-touch with the domain - so why is it in the domain?
>>The user can still authenticate at the RPC/HTTP interfaces
>>with their domain account even though they do not log into
>>their machine with same. As it is, if you have not yet
>>enforced password policies, Peter's machine is not going
>>to discover that these are in place, and anyway, domain
>>password policy is enforced at the domain controllers.
>>
>>--
>>Roger Abell
>>Microsoft MVP (Windows Server System: Security)
>>MCSE (W2k3,W2k,Nt4) MCDBA
>>"SF '03 Native" <anonymous@discussions.microsoft.com> wrote in message
>>news:2e1f901c46a7e$c8bd76e0$a301280a@phx.gbl...
>>> OK then. How do I handle service accounts? Exchange for
>>> example... What are the implications of Domain level
>>> password policies for service accounts?
>>>
>>> And one more question if I may.
>>>
>>> I have a user (Peter) that is behind such a tight
>>> firewall (Checkpoint) that he cannot VPN in here PPTP.
>>> His only choice is to use RPC over HTTP. How will a
>>> password policy forcing him to change it every 90 days
>>> work?
>>>
>>> I want to put to you my theory:
>>>
>>> Peter's machine is a member of the Domain, but almost
>>> never gets connected to the domain. If he is forced to
>>> change his password via RPC over HTTP will his local
>>> machine also know about the change, or will he be forced
>>> to use 2 different passwords. The old one to log into
>>> the machine and the new one to connect his Outlook? Or
>>> will the resulting confusion cause a space time rift and
>>> render his machine inoperable?
>>>
>>> This is my greatest obstacle to implementing a secure
>>> password policy. Please help me answer this question.
>>> Thank you.
>>>
>>> >-----Original Message-----
>>> >That's right. Password policy for domain user accounts must be assigned
>>> >within a GPO linked to the domain level only. OU-linked password policy
>>> >will only affect local user accounts on workstations and member servers.
>>> >
>>> >--
>>> >Darren Mar-Elia
>>> >MS-MVP-Windows Management
>>> >http://www.gpoguy.com
>>> >
>>> >"SF '03 Native" <anonymous@discussions.microsoft.com> wrote in message
>>> >news:2cff001c469ec$39472a20$a401280a@phx.gbl...
>>> >> When I assign a password policy at the OU level it has no
>>> >> effect whatsoever. Is this not supposed to work?
>>> >>
>>> >> Is my only option to set it at the Domain level?
>>> >>
>>> >> I am on Windows 2003 Native Mode with Exchange 2003
>>> >> Native mode as well.
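The thread notes that service accounts with "password never expires" set are exempt from expiry, so the risk becomes a password that is never rotated. The following is an added example, not part of the original thread: it audits a directory export for such accounts, assuming records carrying the `sAMAccountName`, `userAccountControl` and `pwdLastSet` attributes. The account names and timestamps are constructed, and the 90-day threshold is the one mentioned in the thread.

```python
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: "password never expires"
NORMAL_ACCOUNT = 0x200          # userAccountControl bit: ordinary user account
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert pwdLastSet (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment):
    """Inverse of filetime_to_datetime, whole-second precision."""
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000


def stale_never_expire_accounts(records, now, max_age_days=90):
    """Return (name, age_in_days) for accounts that are exempt from expiry
    and whose password is older than max_age_days, oldest first."""
    findings = []
    for rec in records:
        if not int(rec["userAccountControl"]) & DONT_EXPIRE_PASSWORD:
            continue  # maximum password age from the domain policy applies
        changed = filetime_to_datetime(int(rec["pwdLastSet"]))
        age_days = (now - changed).days
        if age_days > max_age_days:
            findings.append((rec["sAMAccountName"], age_days))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed sample export; "now" is fixed so the result is reproducible.
NOW = datetime(2004, 7, 16, tzinfo=timezone.utc)


def _rec(name, uac, days_since_change):
    stamp = datetime_to_filetime(NOW - timedelta(days=days_since_change))
    return {"sAMAccountName": name, "userAccountControl": str(uac),
            "pwdLastSet": str(stamp)}


SAMPLE_RECORDS = [
    _rec("svc-exchange", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 400),
    _rec("svc-backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 30),
    _rec("peter", NORMAL_ACCOUNT, 200),  # not exempt, so not reported
]

if __name__ == "__main__":
    for name, age in stale_never_expire_accounts(SAMPLE_RECORDS, NOW):
        print(f"{name}: password unchanged for {age} days")
```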