Re: finally implementing password policy questions??
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Apr 2007 22:15:10 -0700
There is some info about this in the Group Policy Editor's Help (Windows Server 2003 R2 - I think it is also there in Windows Server 2003):
A key factor is, for Domain User Accounts, the Account Policy, which includes the Password Policy, is enforced by the Domain Controllers, not by whatever domain member computer the domain user happens to log on at.
For user accounts that are Local (exist only on the subject computer), the Account Policy in effect for that computer is used. This can be set by a GPO that applies to the corresponding Computer Account.
1. In gpmc, right click on a Group Policy Object, select Edit
2. click Help, Help Topics
3. expand Security Settings, Concepts, Understanding Security Settings
4. select Account and local policies
Here's an extract:
"For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain policy and is enforced by the domain controllers that make up the domain. A domain controller always obtains the account policy from the Default Domain Policy Group Policy object, even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers joined to a domain (such as member computers) will also receive the same account policy for their local accounts. However, local account policies can be different from the domain account policy, such as when you define an account policy specifically for the local accounts. "
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:ut1Nm8bgHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
"Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2759C288-81BD-4B86-A277-676DD2AEB007@xxxxxxxxxxxxxxxx
Is this process documented somewhere? Do you know of a link?
Yes, I am sure it is documented somewhere. It is so fundamental that
I have not sought it out since maybe 1998 or 1999. Have you tried the
Windows server reskit? perhaps discussions in the deployment guide?
www.reskit.com
"Roger Abell [MVP]" wrote:
"Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D16DFC0A-FFCE-4816-8B4C-7C36D6B12C7B@xxxxxxxxxxxxxxxx
> Thanks again Roger... Ok I lied and have another question. Is there anyway
> around having to edit the "default domain policy" to get this to work?
>
One may set this in any GPO linked to the domain, provided that
no higher-priority domain-linked GPO also sets Account policies
with different values (in which case it would be effective).
>
> "Roger Abell [MVP]" wrote:
>
>> Aging and complexity are two separate requirements.
>> That checkbox only exempts from password change being forced.
>> That an existing password does not meet new complexity requirements
>> is never checked. Complexity is enforced when a new password is
>> being defined, and only then.
>>
>> "Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:2AD0998F-9AA4-4A90-900B-8373E7721767@xxxxxxxxxxxxxxxx
>> > Roger.. thanks for the info! Just 1 more follow up. Even though that check
>> > box setting over-rides the aging will it make future passwords on my system
>> > account require complexity?
>> >
>> > Brian
>> > "Roger Abell [MVP]" wrote:
>> >
>> >> "Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:33B1FE7D-F15B-42BF-A1B0-3E2421027F93@xxxxxxxxxxxxxxxx
>> >> > Hoping someone can answer a few questions?? We are finally implementing a
>> >> > complex password policy.
>> >> >
>> >> > My question is what happens right after it is activated?
>> >> >
>> >> > We have 2500 users. Will they all get prompted right away if their current
>> >> > password does not meet some or all of the standards I set?
>> >> >
>> >>
>> >> The new complexity requirements are only applied when they
>> >> change their passwords next; the aging settings take effect right
>> >> away based on when their passwords were last changed.
>> >>
>> >> > For my system accounts if I leave the box checked that states "password
>> >> > never expires" will they be protected from the new policy?
>> >> >
>> >> That setting "overrides" password aging settings (much as it
>> >> would seem by its naming).
>> >>
>> >>
>> >>
>>
>>
>>
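
As an added illustration (not part of the original thread, and not any poster's code): a Python model of the aging behaviour described in the replies above, sorting accounts by what happens to them the moment a maximum password age takes effect. It assumes account records exported with the standard `sAMAccountName`, `pwdLastSet` and `userAccountControl` attributes; the sample accounts, the 90-day maximum age and the function names are constructed.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit behind "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """pwdLastSet is stored as 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Helper used only to build the constructed sample below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def classify(account, max_age_days, now):
    """Aging outcome for one account. Complexity is deliberately not
    evaluated: existing passwords are never re-checked against it."""
    if account["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return "exempt-from-aging"
    if account["pwdLastSet"] == 0:  # 0 = must change at next logon
        return "must-change-now"
    age = now - filetime_to_dt(account["pwdLastSet"])
    if age >= timedelta(days=max_age_days):
        return "must-change-now"
    return "ok-until-expiry"

def rollout_report(accounts, max_age_days, now):
    """Group account names by outcome to size the help-desk impact."""
    report = {"exempt-from-aging": [], "must-change-now": [], "ok-until-expiry": []}
    for acct in accounts:
        report[classify(acct, max_age_days, now)].append(acct["sAMAccountName"])
    return report

# Constructed sample data (not from the thread).
NOW = datetime(2007, 4, 18, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=1000))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for outcome, names in rollout_report(SAMPLE, 90, NOW).items():
        print(f"{outcome}: {', '.join(names)}")
```

Accounts in the exempt group keep whatever password they have, however old or weak, so they are the ones to review by hand after the rollout.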