Re: Password Policy Basics
- From: Meinolf Weber <meiweb(nospam)@gmx.de>
- Date: Wed, 7 May 2008 10:52:47 +0000 (UTC)
Hello Jeff,
see inline
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi people,
I'm looking for some basic help with setting up a domain password
policy.
I have a Win2003 AD forest with single domain and 2DCs. I'd like to
set up a password policy via Group Policy, including...
Require complex passwords.
Minimum Password age
Password history
Maximum password age
I've found loads of documents on MS sites telling me which bits of the GPO
to tweak, so I know I have to apply at the domain level, and I need to
change the following GPO section:
Computer Config\Windows Settings\Security Settings\Account
Policies\Password Policy
But none of these seem to answer the following questions.......
1) As this policy is applied at the DOMAIN level, I assume it will
apply to ALL machines within the domain, and therefore apply the same
policy to ALL local machine user accounts too. Ideally I want to
change only the DOMAIN login accounts, not all the local accounts too.
Is this possible?
Local passwords are stored on the local machine and not on the domain security database.
2) Assuming it changes ALL accounts on ALL machines, what happens to
local service accounts etc? Will they tell me to change the password?
or just stop working?
See above. But what local service accounts do you have? On a domain workstation, normally no local users and no local services are created; you manage everything with domain accounts.
3) I assume it will prompt everybody to change their password
INCLUDING the Domain Admin.... what happens if something goes wrong
and the account gets locked out. Has anyone seen this, or is it pretty
reliable?
Nothing will go wrong; you just have to understand the policy you configure. The policy will reflect your configuration, so the only thing that can differ is what you think the setting does and what it is really doing. Of course, domain admins will also depend on the domain policy. For this option, NEVER use an Administrator account for service accounts or configuration tasks; always create new accounts for your service accounts, without a profile, with only the minimum rights for that service and a really strong password that you have to save in a secure place. Also, because nobody knows these accounts, you can check "Password never expires" and are safe from the policy.
Can anyone answer these? And any other tips/tricks/gotchas?
Thanks,
Jeff
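
An added example, not part of the original post: the reply recommends dedicated service accounts with "Password never expires" set and warns against using an Administrator account for them, so this script audits both points from an LDIF export of user objects. The sample export, account names and function names are constructed for illustration; it assumes the export contains sAMAccountName, userAccountControl, pwdLastSet and adminCount with unfolded, non-base64 values.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002         # userAccountControl bit: account disabled
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: "Password never expires"

# Constructed sample export; every account and value below is made up.
SAMPLE_LDIF = """\
dn: CN=svc-backup,OU=Service,DC=example,DC=local
sAMAccountName: svc-backup
userAccountControl: 66048
pwdLastSet: 128540736000000000

dn: CN=Administrator,CN=Users,DC=example,DC=local
sAMAccountName: Administrator
userAccountControl: 66048
adminCount: 1
pwdLastSet: 127805472000000000

dn: CN=jeff,CN=Users,DC=example,DC=local
sAMAccountName: jeff
userAccountControl: 512
pwdLastSet: 128540736000000000

dn: CN=old-svc,OU=Service,DC=example,DC=local
sAMAccountName: old-svc
userAccountControl: 66050
pwdLastSet: 127805472000000000
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({k: v for k, sep, v in pairs if sep})
    return entries

def audit_never_expires(text, now):
    """List enabled accounts exempt from maximum password age, privileged first."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is a FILETIME
    findings = []
    for e in parse_ldif(text):
        uac = int(e.get("userAccountControl", "0"))
        if (uac & ACCOUNTDISABLE) or not (uac & DONT_EXPIRE_PASSWORD):
            continue
        last_set = epoch + timedelta(microseconds=int(e["pwdLastSet"]) // 10)
        findings.append({"account": e["sAMAccountName"],
                         "password_age_days": (now - last_set).days,
                         "privileged": e.get("adminCount") == "1"})
    return sorted(findings, key=lambda f: (not f["privileged"], -f["password_age_days"]))
```

Entries reported with `privileged` set to true are the ones that contradict the advice above: an admin-level account whose password the domain policy will never force to change.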