Re: finally implementing password policy questions??



Thanks for knowing where that was Bruce.

Roger
"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:9021B725-9116-48C7-BDEB-DD59C8CF2766@xxxxxxxxxxxxxxxx
There is some info about this in the Group Policy Editor's Help (Windows
Server 2003 R2 - I think it is also there in Windows Server 2003):

A key factor is, for Domain User Accounts, the Account Policy, which
includes the Password Policy, is enforced by the Domain Controllers, not
by whatever domain member computer the domain user happens to log on at.

For user accounts that are Local (exist only on the subject computer), the
Account Policy in effect for that computer is used. This can be set by a
GPO that applies to the corresponding Computer Account.

1. In gpmc, right click on a Group Policy Object, select Edit
2. click Help, Help Topics
3. expand Security Settings, Concepts, Understanding Security Settings
4. select Account and local policies

Here's an extract:

"For domain accounts, there can be only one account policy. The account
policy must be defined in the Default Domain policy and is enforced by the
domain controllers that make up the domain. A domain controller always
obtains the account policy from the Default Domain Policy Group Policy
object, even if there is a different account policy applied to the
organizational unit that contains the domain controller. By default,
workstations and servers joined to a domain (such as member computers)
will also receive the same account policy for their local accounts.
However, local account policies can be different from the domain account
policy, such as when you define an account policy specifically for the
local accounts. "


--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:ut1Nm8bgHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
"Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2759C288-81BD-4B86-A277-676DD2AEB007@xxxxxxxxxxxxxxxx
Is this process documented somewhere? Do you know of a link?


Yes, I am sure it is documented somewhere. It is so fundamental that
I have not sought it out since maybe 1998 or 1999. Have you tried the
Windows server reskit? Perhaps discussions in the deployment guide?

www.reskit.com



"Roger Abell [MVP]" wrote:

"Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D16DFC0A-FFCE-4816-8B4C-7C36D6B12C7B@xxxxxxxxxxxxxxxx
Thanks again Roger... Ok I lied and have another question. Is there
any way around having to edit the "default domain policy" to get this
to work?


One may set this in any GPO linked to the domain, provided that
no higher-priority domain-linked GPO also sets Account policies
with different values (in which case it would be effective).



"Roger Abell [MVP]" wrote:

Aging and complexity are two separate requirements.
That checkbox only exempts from password change being forced.
That an existing password does not meet new complexity requirements
is never checked. Complexity is enforced when a new password is
being defined, and only then.

"Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2AD0998F-9AA4-4A90-900B-8373E7721767@xxxxxxxxxxxxxxxx
Roger.. thanks for the info! Just 1 more follow up. Even though that
check box setting over-rides the aging will it make future passwords
on my system account require complexity?

Brian
"Roger Abell [MVP]" wrote:

"Bri" <Bri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:33B1FE7D-F15B-42BF-A1B0-3E2421027F93@xxxxxxxxxxxxxxxx
Hoping someone can answer a few questions?? We are finally
implementing a complex password policy.

My question is what happens right after it is activated?

We have 2500 users. Will they all get prompted right away if their
current password does not meet some or all of the standards I set?


The new complexity requirements are only applied when they
change their passwords next; the aging settings take effect right
away based on when their passwords were last changed.

For my system accounts if I leave the box checked that states
"password never expires" will they be protected from the new policy?

That setting "overrides" password aging settings (much as it
would seem by its naming).
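
Added example, not part of the original thread: a PowerShell sketch that applies the rules described above (aging is evaluated immediately from the last password change, "password never expires" exempts an account from aging only, and complexity is checked only at the next change) to estimate who is affected on the day the policy goes live. The function name, the 90-day maximum age and the sample accounts are assumptions made for illustration.

```powershell
# Added example: classify accounts by what changes when the policy is activated.
# The 90-day maximum age is an assumed value; the thread does not state one.
function Get-PasswordPolicyImpact {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $ProposedMaxAgeDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        # PasswordLastSet is empty when the account must change its password at next logon.
        $age = $null
        if ($User.PasswordLastSet) {
            $age = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
        }
        # Aging only: no account is flagged for complexity, because an existing
        # password is never re-checked; complexity applies at the next change.
        $impact = if ($User.PasswordNeverExpires) { 'ExemptFromAging' }
                  elseif ($null -eq $age) { 'MustChangeAtNextLogon' }
                  elseif ($age -ge $ProposedMaxAgeDays) { 'ExpiredOnActivation' }
                  else { 'ExpiresLater' }
        $daysLeft = $null
        if ($impact -eq 'ExpiresLater') { $daysLeft = $ProposedMaxAgeDays - $age }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordAgeDays = $age
            Impact          = $impact
            DaysUntilExpiry = $daysLeft
        }
    }
}

# Constructed sample accounts (not real data), shaped like Get-ADUser output.
$now = Get-Date '2024-01-15'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'asmith';     PasswordLastSet = $now.AddDays(-30);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = $now.AddDays(-900); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'newhire';    PasswordLastSet = $null;              PasswordNeverExpires = $false }
)
$sample | Get-PasswordPolicyImpact -ProposedMaxAgeDays 90 -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordPolicyImpact -ProposedMaxAgeDays 90 | Group-Object Impact
```

Accounts reported as ExemptFromAging keep their existing password indefinitely, so service accounts in that group are worth a planned manual change once the complexity rules are in force.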













