RE: GPO for PW policy


Dear Customer,

Thanks for posting here.

According to the post, I understand the issue is: you set the Default Domain
Policy to enable password complexity and set another GPO to require
passwords of at least six characters with password complexity disabled.
If I misunderstood it, please feel free to let me know.

Analysis:
===========

A Windows Server 2003 domain must have a single password policy, account
lockout policy, and Kerberos version 5 authentication protocol policy for
the domain. For domain accounts, there should be only one account policy
per domain. The password policy must be defined in the Default Domain
Policy or in a new policy that is linked to the root of the domain and
given precedence over the Default Domain Policy, which is enforced by the
domain controllers that make up the domain. A domain controller always
pulls the password policy from a Group Policy object (GPO) linked to the
domain, which by default is the Default Domain Policy GPO. This behavior
occurs even if there is a different account policy applied to the
organizational unit (OU) that contains the domain controller. In other
words, there cannot be 2 or more sets of password policy within a Windows
Server 2003 (or previous) domain.

For more information, please refer to:

Account Policy Settings
http://technet2.microsoft.com/windowsserver/en/library/353f7ad9-b53d-41d0-9867-199f6595a01b1033.mspx?mfr=true

Suggestions:
============

It is a best practice to avoid modifying or deleting the Default Domain
Policy, because the Default Domain Policy applies at the domain level.
It is better to create a new GPO that is linked at the domain level, and
then adjust the password policy in the new GPO. To enable the password
policy in the new GPO linked at the domain level, please refer to:

Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx#EMD

More Information:
===============

1. Although in Windows Server 2003 and previous domains we cannot use 2 or
more sets of password policy, it is now possible in Windows Server 2008
domains.

In Windows Server 2008, you can use a new feature called "Fine-Grained
Password Policy" to specify multiple password policies and apply different
password restrictions and account lockout policies to different sets of
users within a single domain. For example, to increase the security of the
privileged accounts, you can apply stricter settings to them and less
strict settings to the accounts of other users. Or in some cases, you might
want to apply a special password policy for accounts whose passwords are
synchronized with other data sources.

For more information regarding Fine-Grained Password Policy in Windows
Server 2008, please refer to:

AD DS Fine-Grained Password Policies
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true

Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy
Configuration
http://technet2.microsoft.com/windowsserver2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx?mfr=true

2. By the way, you also mentioned that you had tried removing the Default
Domain Policy. If so, I suggest that you do not delete the default GPOs. If
necessary, you may perform a full backup first and then use "Dcgpofix" to
restore the default domain GPOs to their original default states.

For more information regarding Dcgpofix, please refer to:

Default Group Policy objects become corrupted: disaster recovery
http://technet2.microsoft.com/windowsserver/en/library/b9db0ae7-3d25-4e5e-9320-e5db0b0c9f8a1033.mspx?mfr=true

Hope it helps. Thanks.

David Shen
Microsoft Online Partner Support
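Added example, not part of the original post or of Microsoft's guides: on a domain at the Windows Server 2008 functional level with the ActiveDirectory PowerShell module available, this reads the single domain-wide policy the reply describes, creates a stricter fine-grained policy (PSO) for Domain Admins as the reply suggests for privileged accounts, and checks which policy wins for one member. The PSO name, its settings and the sample user name are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and a domain at Windows Server 2008 functional level or higher; the PSO
# name, its settings and the user 'jdoe' are constructed for illustration.
Import-Module ActiveDirectory

# 1. The one domain-wide policy every DC enforces, taken from the GPO linked at
#    the domain root (by default the Default Domain Policy). A second GPO linked
#    to an OU never produces a second password policy for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# 2. Fine-grained password policies (Password Settings Objects) need the
#    Windows Server 2008 domain functional level; bail out early otherwise.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level $($domain.DomainMode) does not support PSOs"
}

# 3. Stricter settings for privileged accounts. A PSO always overrides the
#    domain GPO, and when several PSOs cover a user the lowest Precedence wins.
$psoName = 'PSO-PrivilegedAccounts'   # assumed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 15 `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' `
        -Description 'Stricter policy for privileged accounts'
}
# PSOs are applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 4. Verify which policy actually applies to a member of that group.
#    No result means no PSO applies and the domain-wide policy from step 1 is in effect.
$user = 'jdoe'   # assumed sample account
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) { "$user gets PSO '$($resultant.Name)' (precedence $($resultant.Precedence))" }
else            { "$user gets the domain-wide policy" }
```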
