Re: Domain password policy problems
- From: "Harj" <cisqokid@xxxxxxxxx>
- Date: 6 Nov 2006 11:40:48 -0800
Hi,
You can create your own password filters mentioned in the article below
or use third party tools are out there that will allow you multiple
password policies within a single domain.
Password Filters
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/password_filters.asp
Good luck
Harj Singh
Password Policy done right
www.specopssoft.com
Roger Abell [MVP] wrote:
"Paul M." <PaulM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2A12E0B-D0D0-4848-9FE1-8DF6D12EF581@xxxxxxxxxxxxxxxx
Thanks Roger.
Apologies for delayed reply, had a public holiday yesterday.
If a GPO linked at the domain level applies to all accounts and Gpos
linked
to OUs applies to local accounts, does this mean that I can only have one
domain password policy?
Yes
I have only one domain which includes not only 'normal' users but domain
accounts that are used on multiple machines with autologon. Ignoring the
security aspect, how can I set a different policy for these accounts if
blocking heritage doesn't make a difference?
You cannot, unless you develop or purchase from a third-party
extensions that allow this.
Regards,
Paul.
"Roger Abell [MVP]" wrote:
There is nothing special about the default GPOs, either of them,
except that there is a utility for each that may be used to reset
them to their as-shipped defaults.
I notice you mention blocking inheritance, as if it is relevant to
this discussion of password policies.
Just to review and make sure we are on the same page, password
(and other account policies) only have impact on domain accounts
when carried in a GPO linked to the domain, and the set of these
policies (as merged in normal ways when multiple GPOs are
linked to the same object, based on their application order) will
be applied to all domain accounts without exception.
Account (and so password) policies applied to OUs, or inherited
onto computer objects from the domain linked GPOs, have impact
on the machine local accounts defined on those computers.
"Paul M." <PaulM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C6C08CE9-6255-47B4-BED8-ABA92F05CAFA@xxxxxxxxxxxxxxxx
Hi Jack,
The GPO that we had in place was in fact a copy of the Default Domain
Policy
which we then modified to our requirements.
I don't want to enable the password policy options in this GPO as we
have
linked it to other OUs that have blocked inheritance (so the password
GPO
isn't applied).
Am I right in thinking that there is nothing 'special' about the
Default
Domain Policy and that using a copy of it is as good as using the
original?
Regards,
Paul.
"Jack Doyle" wrote:
Try these same settings in the actual "Default Domain Policy" and see
if that makes a difference.
Jack Doyle, Systems Engineer
ScriptLogic Corporation
www.scriptlogic.com
.
- References:
- Re: Domain password policy problems
- From: Paul M.
- Re: Domain password policy problems
- From: Roger Abell [MVP]
- Re: Domain password policy problems
- Prev by Date: Re: Add a user automatically to a group..
- Next by Date: Re: Reporting
- Previous by thread: Re: Domain password policy problems
- Next by thread: RE: Set path for TS Roaming Profiles not always applied
- Index(es):
Relevant Pages
|
