Re: Password Policy Basics
- From: "Jeff Whitehead" <nospam.jeffwhitehead76@xxxxxxxxxxx>
- Date: Wed, 7 May 2008 12:26:38 +0100
Hi Meinolf,
Thanks for your help here...I have a couple of comments regarding your
reply...
Local passwords are stored on the local machine and not on the domain
security database.
I realise this, but assumed the POLICY would be applied to ALL machines in
the domain, so local machines might start enforcing that policy on local
users.
(We have a few machines which do have local users for a specific reason
outside the scope of this post, so I won't mention it here).
Will the LOCAL admin passwords on ALL machines ALSO start requiring complex
passwords? Poor policy, I know, but we've left some machines with a KNOWN
admin password because admin rights are required for some of the software
they run..... again, poor design, but we have to work this way.
See above. But what local service accounts do you have? In a domain
workstation normally no local users are created or also no local services,
you manage all with domain accounts.
Actually, I was thinking of service accounts on the servers... e.g. the
default anonymous access account for IIS etc, AV services etc.
Not sure how many because I haven't really taken a detailed look yet.... was
just guessing what might happen.
Also because nobody knows these accounts you can check "Password never
expires" and are safe from the policy.
OK. That's useful to know.... setting 'Password never expires' on the
account, overrides the policy.
That could be useful ;-)
Thanks again for your help,
Jeff.
"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6698a578ca7e586279fe80@xxxxxxxxxxxxxxxxxxxxxxx
Hello Jeff,
see inline
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi people,
I'm looking for some basic help with setting up a domain password
policy.
I have a Win2003 AD forest with single domain and 2DCs. I'd like to
set up a password policy via Group Policy, including...
Require complex passwords.
Minimum Password age
Password history
Maximum password age
I've found loads of documents on MS sites telling me which bits of the
GPO
to tweak, so I know I have to apply at the domain level, and I need to
change the following GPO section:
Computer Config\Windows Settings\Security Settings\Account
Policies\Password Policy
But none of these seem to answer the following questions.......
1) As this policy is applied at the DOMAIN level, I assume it will
apply to ALL machines within the domain, and therefore apply the same
policy to ALL local machine user accounts too. Ideally I want to
change only the DOMAIN login accounts, not all the local accounts too.
Is this possible?
Local passwords are stored on the local machine and not on the domain
security database.
2) Assuming it changes ALL accounts on ALL machines, what happens to
local service accounts etc? Will they tell me to change the password?
or just stop working?
See above. But what local service accounts do you have? In a domain
workstation normally no local users are created or also no local services,
you manage all with domain accounts.
3) I assume it will prompt everybody to change their password
INCLUDING the Domain Admin.... what happens if something goes wrong
and the account gets locked out. Has anyone seen this, or is it pretty
reliable?
Nothing will go wrong, you have just to understand the policy you
configure. The policy will reflect your configuration, so the only thing
that can be different are your thoughts about that what you like to have
and what the setting is really doing. Of course also domain admins will
depend on the domain policy. For this option NEVER use an Administrator
account for service accounts or configuration tasks, create for your
service accounts always new accounts without a profile and only the
minimum rights for that service and a really strong password, that you
have to save on a secure place. Also because nobody knows these accounts
you can check "Password never expires" and are safe from the policy.
Can anyone answer these? And any other tips/tricks/gotchas?
Thanks,
Jeff
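An added example, not part of the thread: a way to inventory the accounts that carry the "Password never expires" flag discussed above, so the exemptions stay visible once the domain policy is in force. It assumes a CSV export of `sAMAccountName`, `userAccountControl` and `pwdLastSet` (for instance from `csvde`); the sample rows, account names and the 90-day maximum age are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Documented userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000  # set by the "Password never expires" checkbox

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (not real accounts).
SAMPLE = '''DN,sAMAccountName,userAccountControl,pwdLastSet
"CN=svc_backup,OU=Service,DC=example,DC=local",svc_backup,66048,127805472000000000
"CN=svc_av,OU=Service,DC=example,DC=local",svc_av,66080,128436192000000000
"CN=jsmith,OU=Staff,DC=example,DC=local",jsmith,512,128514816000000000
"CN=old_admin,OU=Staff,DC=example,DC=local",old_admin,66050,127805472000000000
'''

def password_age_days(pwd_last_set, now):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    changed = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    return (now - changed).days

def audit(export_text, now, max_age_days):
    """Return {account: [issues]} for enabled accounts with weak password flags."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on
        issues = []
        if uac & PASSWD_NOTREQD:
            issues.append("password not required")
        if uac & DONT_EXPIRE_PASSWORD:
            age = password_age_days(int(row["pwdLastSet"]), now)
            note = f"never expires, password is {age} days old"
            if age > max_age_days:
                note += f" (over the {max_age_days}-day maximum age)"
            issues.append(note)
        if issues:
            findings[row["sAMAccountName"]] = issues
    return findings

if __name__ == "__main__":
    today = datetime(2008, 5, 7, tzinfo=timezone.utc)
    for name, issues in audit(SAMPLE, today, max_age_days=90).items():
        print(name, "->", "; ".join(issues))
```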