Re: Disabling Password Policy Locally on Win2k3



thank you for your response.

i'd prefer not to spend $$ on a third party solution. how could one "roll
one's own?" (i usually buy mine in cartons.) VB? scripting?

what about my idea of undefining the default domain password policy?
would that work, so that then the settings could be defined at OU levels?

a procedure is not a control and i'm concerned in this case about the control.

also, is there no registry key granting or blocking gpo inheritance?

"Laura E. Hunter [MVP]" wrote:

The domain password policy will apply to all domain accounts - you can
modify the password policy at an OU level, but this will only apply to local
machine accounts (not domain accounts) on the machines contained within that
OU.

If you truly require that a separate password policy be enforced technically
by Active Directory, you will need to create a separate domain. However,
this creates its own issues that are often not worth the trouble. Better to
enforce passwords procedurally with the staff who will be logging onto this
hardened server, or to deploy a separate account provisioning/password
management tool - buy one from Quest and NetPro, or roll your own.

HTH
--
Laura E. Hunter
Microsoft MVP: Windows Server - Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_
(http://tinyurl.com/z7svl)

Responses provided as-is; no warranties expressed or implied
"whistleradmin" <whistleradmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:310615DE-0BBC-4273-94B0-C3CC7F67407D@xxxxxxxxxxxxxxxx

How does one go about disabling the inheritance of a GPO locally on a Win2k3
server? The Default Domain GPO settings for password policy are, as normal,
going out to all servers and workstations. However, these settings are being
inherited on a server that should be further hardened.

Options I have come up with so far are to remove the computer from the
domain, which may be feasible, or undefine the Password Policies in the
Default Domain GPO thereby freeing up the policy locally on all the
computers.

Is there a reg key that can be modified in this instance? Or anything else
to exclude this server from inheriting the Default Domain GPO Password
Policy?

Thanks.




