Re: finally implementing password policy questions??
- From: Harj <cisqokid@xxxxxxxxx>
- Date: 19 Apr 2007 06:49:27 -0700
On Apr 19, 1:15 am, "Bruce Sanderson" <bsand...@xxxxxxxxxxxxxxxxx>
wrote:
There is some info about this in the Group Policy Editor's Help (Windows
Server 2003 R2 - I think it is also there in Windows Server 2003):
A key factor is, for Domain User Accounts, the Account Policy, which
includes the Password Policy, is enforced by the Domain Controllers, not by
whatever domain member computer the domain user happens to log on at.
For user accounts that are Local (exist only on the subject computer), the
Account Policy in effect for that computer is used. This can be set by a
GPO that applies to the corresponding Computer Account.
1. In gpmc, right click on a Group Policy Object, select Edit
2. click Help, Help Topics
3. expand Security Settings, Concepts, Understanding Security Settings
4. select Account and local policies
Here's an extract:
"For domain accounts, there can be only one account policy. The account
policy must be defined in the Default Domain policy and is enforced by the
domain controllers that make up the domain. A domain controller always
obtains the account policy from the Default Domain Policy Group Policy
object, even if there is a different account policy applied to the
organizational unit that contains the domain controller. By default,
workstations and servers joined to a domain (such as member computers) will
also receive the same account policy for their local accounts. However,
local account policies can be different from the domain account policy, such
as when you define an account policy specifically for the local accounts. "
--
Bruce Sanderson MVP Printing http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote in message news:ut1Nm8bgHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
"Bri" <B...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2759C288-81BD-4B86-A277-676DD2AEB007@xxxxxxxxxxxxxxxx
Is this process documented somewhere? Do you know of a link?
Yes, I am sure it is documented somewhere. It is so fundamental that
I have not sought it out since maybe 1998 or 1999. Have you tried the
Windows server reskit? Perhaps discussions in the deployment guide?
www.reskit.com
"Roger Abell [MVP]" wrote:
"Bri" <B...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D16DFC0A-FFCE-4816-8B4C-7C36D6B12C7B@xxxxxxxxxxxxxxxx
Thanks again Roger... Ok I lied and have another question. Is there any way
around having to edit the "default domain policy" to get this to work?
One may set this in any GPO linked to the domain, provided that
no higher-priority domain-linked GPO also sets Account policies
with different values (in which case it would be effective).
"Roger Abell [MVP]" wrote:
Aging and complexity are two separate requirements.
That checkbox only exempts from password change being forced.
That an existing password does not meet new complexity requirements
is never checked. Complexity is enforced when a new password is
being defined, and only then.
"Bri" <B...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2AD0998F-9AA4-4A90-900B-8373E7721767@xxxxxxxxxxxxxxxx
Roger.. thanks for the info! Just 1 more follow up. Even though that check
box setting over-rides the aging will it make future passwords on my system
account require complexity?
Brian
"Roger Abell [MVP]" wrote:
"Bri" <B...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:33B1FE7D-F15B-42BF-A1B0-3E2421027F93@xxxxxxxxxxxxxxxx
Hoping someone can answer a few questions?? We are finally implementing a
complex password policy.
My question is what happens right after it is activated?
We have 2500 users. Will they all get prompted right away if their current
password does not meet some or all of the standards I set?
The new complexity requirements are only applied when they
change their passwords next; the aging settings take effect right
away based on when their passwords were last changed.
For my system accounts if I leave the box checked that states "password
never expires" will they be protected from the new policy?
That setting "overrides" password aging settings (much as it
would seem by its naming).
Hi,
"For domain accounts, there can be only one account policy. The account
policy must be defined in the Default Domain policy and is enforced by the
domain controllers that make up the domain. A domain controller always
obtains the account policy from the Default Domain Policy Group Policy
object, even if there is a different account policy applied to the
organizational unit that contains the domain controller."
This is all old school now as you can utilize password filters to
allow you multiple password policies throughout the domain.
Between smart scripters and third party solutions the document above
really does not apply at least at the part of only "one" policy within
a domain.
Good Luck
Harj Singh
Password Policy done right
www.specopssoft.com
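
The thread's point that aging takes effect immediately while complexity is checked only when a password is next set leaves a population of accounts whose current password was never tested against the new rules. The following PowerShell is an added example, not code from any poster in this thread, that lists those accounts and when (if ever) aging will force a change. It assumes the ActiveDirectory module (RSAT, which postdates this thread), that only the single domain-wide policy applies, and a placeholder activation date in `$PolicyEnabledOn`.

```powershell
# Added example. Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Placeholder: the date the complexity requirement was switched on in your domain.
$PolicyEnabledOn = Get-Date '2007-04-19'

# The one domain-wide account policy, as enforced by the domain controllers.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # Null PasswordLastSet corresponds to pwdLastSet = 0 (change due at next logon).
    $setBeforePolicy = ($null -eq $u.PasswordLastSet) -or
                       ($u.PasswordLastSet -lt $PolicyEnabledOn)
    if (-not $setBeforePolicy) { continue }   # password was chosen under the new rules

    # Aging is measured from PasswordLastSet unless the account is exempted by the flag.
    $forcedChange = if ($u.PasswordNeverExpires) {
        'never (password never expires)'
    } elseif ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
        'never (no maximum age set)'
    } elseif ($null -eq $u.PasswordLastSet) {
        'at next logon'
    } else {
        ($u.PasswordLastSet + $policy.MaxPasswordAge).ToString('yyyy-MM-dd')
    }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        ForcedChange         = $forcedChange
    }
}

# Oldest passwords first: these have gone longest without a complexity check.
$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Accounts reported as "never" keep their pre-policy password until someone changes it by hand.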