Re: Password Policy Basics



Thanks Meinolf and Florian....

Appreciate your help... it seems I need to brush up on GP! I've not used
this a great deal and am still learning.

Thanks again,

Jeff.


"Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:Or%23lJVDsIHA.5000@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

Jeff Whitehead wrote:
> 1) As this policy is applied at the DOMAIN level, I assume it will apply
> to ALL machines within the domain, and therefore apply the same policy to
> ALL local machine user accounts too. Ideally I want to change only the
> DOMAIN login accounts, not all the local accounts too. Is this possible?

As long as you link the Password Policy GPO to the Domain level or change
the Default Domain Policy, it only applies to domain accounts.

You could, of course, change the local machine accounts too: just link the
Password Policy GPO to an OU with machine objects in it - but I understand
that's not what you want.

> 2) Assuming it changes ALL accounts on ALL machines, what happens to
> local service accounts etc? Will they tell me to change the password? or
> just stop working?

Since you hopefully ticked "Password never expires" they won't change in
any matter.

> 3) I assume it will prompt everybody to change their password INCLUDING
> the Domain Admin.... what happens if something goes wrong and the account
> gets locked out. Has anyone seen this, or is it pretty reliable?

It'll not prompt people unless you specified a max password value smaller
than a user's last password reset. For example: Joe last changed his password
12 days ago. Sally did her last password change 67 days ago. You put
the Password Policy into place which states "change passwords every 45
days" - Joe changed it accordingly within the last 45 days but Sally
didn't. So she's prompted to do so.

If you had no PassPolicy before or the max password days value is much
higher than the new value you want to set, it is recommended to slowly
decrease the "max password days" value to not catch all of the users but
always a small bunch of them.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
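
The staged reduction of the maximum password age described in the reply above, worked through as an added example that is not part of the original thread. The function name `Get-PasswordAgeRollout`, the step values and the sample accounts other than Joe and Sally are constructed for illustration; every step is evaluated as of a single date, which ignores the time that passes between steps in a real rollout.

```powershell
# Constructed sample data. In a real domain the same properties can be read with:
#   Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
$today = Get-Date '2008-05-01'
$users = @(
    [pscustomobject]@{ SamAccountName = 'joe';        PasswordLastSet = $today.AddDays(-12);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol';      PasswordLastSet = $today.AddDays(-50);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'sally';      PasswordLastSet = $today.AddDays(-67);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';        PasswordLastSet = $today.AddDays(-95);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'alice';      PasswordLastSet = $today.AddDays(-130); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'admin';      PasswordLastSet = $today.AddDays(-200); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc_backup'; PasswordLastSet = $today.AddDays(-400); PasswordNeverExpires = $true  }
)

function Get-PasswordAgeRollout {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [int[]]    $MaxAgeSteps,   # candidate "max password age" values, in days
        [datetime] $AsOf = (Get-Date)
    )
    $caught = @{}   # account name -> first step at which it was prompted
    # Walk the steps from the most lenient value down to the target value.
    foreach ($maxAge in ($MaxAgeSteps | Sort-Object -Descending)) {
        $new = @($Users | Where-Object {
            # "Password never expires" accounts are exempt from the max age.
            -not $_.PasswordNeverExpires -and
            # No PasswordLastSet means the account must already change at next logon.
            $_.PasswordLastSet -and
            ($AsOf - $_.PasswordLastSet).TotalDays -gt $maxAge -and
            -not $caught.ContainsKey($_.SamAccountName)
        })
        foreach ($u in $new) { $caught[$u.SamAccountName] = $maxAge }
        [pscustomobject]@{
            MaxPasswordAgeDays = $maxAge
            NewlyPrompted      = $new.SamAccountName -join ', '
            NewlyPromptedCount = $new.Count
            TotalPrompted      = $caught.Count
        }
    }
}

# Step down towards the 45-day target instead of applying it in one go.
Get-PasswordAgeRollout -Users $users -MaxAgeSteps 120, 90, 60, 45 -AsOf $today |
    Format-Table -AutoSize
```

Each output row shows which accounts would first be prompted at that step, so the size of every batch, and whether an administrative account falls into it, is visible before the policy value is changed.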

