Re: Password Policy Basics
- From: Meinolf Weber <meiweb(nospam)@gmx.de>
- Date: Wed, 7 May 2008 11:36:21 +0000 (UTC)
Hello Jeff,
see inline
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> Hi Meinolf,
>
> Thanks for your help here... I have a couple of comments regarding your
> reply...
>
>> Local passwords are stored on the local machine and not on the domain
>> security database.
>
> I realise this, but assumed the POLICY would be applied to ALL machines
> in the domain, so local machines might start enforcing that policy on
> local users.

No, the policy will only affect domain accounts.

> (We have a few machines which do have local users for a specific reason
> outside the scope of this post, so I won't mention it here).
>
> Will the LOCAL admin passwords on ALL machines ALSO start requiring
> complex passwords? Poor policy, I know, but we've left some machines
> with a KNOWN admin password because admin rights are required for some
> of the software they run..... again, poor design, but we have to work
> this way.

No, the local accounts are not affected by the domain policy, except you link the policy also to the OU like Florian states.

>> See above. But what local service accounts do you have? In a domain
>> workstation normally no local users are created or also no local
>> services, you manage all with domain accounts.
>
> Actually, I was thinking of service accounts on the servers... e.g. the
> default anonymous access account for IIS etc, AV services etc.
> Not sure how many because I haven't really taken a detailed look
> yet.... was just guessing what might happen.
>
>> Also because nobody knows these accounts you can check "Password never
>> expires" and are safe from the policy.
>
> OK. That's useful to know.... setting 'Password never expires' on the
> account, overrides the policy.
> That could be useful ;-)
>
> Thanks again for your help,
> Jeff.
>
> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb6698a578ca7e586279fe80@xxxxxxxxxxxxxxxxxxxxxxx
>
>> Hello Jeff,
>>
>> see inline
>>
>> Best regards
>>
>> Meinolf Weber
>>> Hi people,
>>>
>>> I'm looking for some basic help with setting up a domain password
>>> policy.
>>>
>>> I have a Win2003 AD forest with single domain and 2 DCs. I'd like to
>>> set up a password policy via Group Policy, including...
>>>
>>> Require complex passwords.
>>> Minimum Password age
>>> Password history
>>> Maximum password age
>>>
>>> I've found loads of documents on MS sites telling me which bits of the
>>> GPO to tweak, so I know I have to apply at the domain level, and I need
>>> to change the following GPO section:
>>>
>>> Computer Config\Windows Settings\Security Settings\Account Policies\Password Policy
>>>
>>> But none of these seem to answer the following questions.......
>>>
>>> 1) As this policy is applied at the DOMAIN level, I assume it will
>>> apply to ALL machines within the domain, and therefore apply the
>>> same policy to ALL local machine user accounts too. Ideally I want
>>> to change only the DOMAIN login accounts, not all the local accounts
>>> too. Is this possible?
>>
>> Local passwords are stored on the local machine and not on the domain
>> security database.
>>
>>> 2) Assuming it changes ALL accounts on ALL machines, what happens to
>>> local service accounts etc? Will they tell me to change the
>>> password? or just stop working?
>>
>> See above. But what local service accounts do you have? In a domain
>> workstation normally no local users are created or also no local
>> services, you manage all with domain accounts.
>>
>>> 3) I assume it will prompt everybody to change their password
>>> INCLUDING the Domain Admin.... what happens if something goes wrong
>>> and the account gets locked out. Has anyone seen this, or is it
>>> pretty reliable?
>>
>> Nothing will go wrong, you have just to understand the policy you
>> configure. The policy will reflect your configuration, so the only
>> thing that can be different are your thoughts about that what you
>> like to have and what the setting is really doing. Of course also
>> domain admins will depend on the domain policy. For this option NEVER
>> use an Administrator account for service accounts or configuration
>> tasks, create for your service accounts always new accounts without a
>> profile and only the minimum rights for that service and a really
>> strong password, that you have to save on a secure place. Also
>> because nobody knows these accounts you can check "Password never
>> expires" and are safe from the policy.
>>
>>> Can anyone answer these? And any other tips/tricks/gotchas?
>>>
>>> Thanks,
>>> Jeff
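
Added example, not part of the original thread: a read-only PowerShell check that lists the domain and local accounts with "Password never expires" set and then prints the password policy each side currently enforces, so the effect of a domain-level policy can be verified on a given machine. It assumes PowerShell 3.0 or later on a domain-joined member machine; the two function names are hypothetical.

```powershell
# Added example: read-only inventory of accounts with "Password never expires".
# Assumes PowerShell 3.0+ on a domain-joined member machine.
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit behind the checkbox
$ACCOUNTDISABLE       = 0x2       # userAccountControl bit for a disabled account

function Get-DomainNonExpiringAccount {   # hypothetical helper name
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))"
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 500              # page through large directories
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        $set = $r.Properties['pwdlastset']
        [pscustomobject]@{
            Scope       = 'Domain'
            Name        = [string]$r.Properties['samaccountname'][0]
            Enabled     = -not ($uac -band $ACCOUNTDISABLE)
            # pwdLastSet is a FILETIME; 0 means "must change at next logon"
            PasswordSet = if ($set.Count -gt 0 -and $set[0] -gt 0) {
                              [datetime]::FromFileTimeUtc([long]$set[0]) }
        }
    }
}

function Get-LocalNonExpiringAccount {    # hypothetical helper name
    # Accounts in this machine's local SAM; PasswordExpires is False
    # when "Password never expires" is ticked.
    Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { -not $_.PasswordExpires } |
        ForEach-Object {
            [pscustomobject]@{
                Scope       = 'Local'
                Name        = $_.Name
                Enabled     = -not $_.Disabled
                PasswordSet = $null       # not exposed by Win32_UserAccount
            }
        }
}

@(Get-DomainNonExpiringAccount) + @(Get-LocalNonExpiringAccount) |
    Sort-Object Scope, Name | Format-Table -AutoSize

net accounts           # policy currently enforced on this machine's local accounts
net accounts /domain   # policy currently enforced on domain accounts
```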