Re: Where to set the domain password policy up?
From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 02/05/04
Date: Thu, 5 Feb 2004 17:13:40 -0600
Hi,
I'm going by the Active Directory design documentation that states that the only policies that must be set at the domain level are:
password policy (min password age, min password length, etc.)
account lockout policy
Kerberos ticket policy
These policies cannot be applied to an OU, so if an organization requires that some users have a different password policy, they must create a separate domain. However, this applies to domain user accounts. Local accounts might be different, and I know that computer accounts have their password changed every 30 days, even if domain users have some other policy. I think a password policy applied to the DC OU would affect the DC accounts, but not any user accounts in the OU, unless I'm confused. Of course, you can allow individual users to not require a password, or have a password that never expires. It's just that if the password expires, the domain password policy applies.
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--

"Dmitry Korolyov [MVP]" <d__k@removethispart.mail.ru> wrote in message news:%239EwjhD7DHA.2952@TK2MSFTNGP09.phx.gbl...

I'd question that statement. Account Policies applied to Domain Controllers apply to all accounts stored on domain controllers - that is, to all domain accounts in that domain! For all other OUs yes - account policies apply only to local user accounts on the computers located in these OUs.

On the subject, I'd say apply at the domain level still - to have consistent policy for domain accounts in the domain as well as for local accounts on all computers in that domain.

--
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Active Directory

"Richard Mueller [MVP]" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in message news:%23UvcMOD7DHA.2168@TK2MSFTNGP12.phx.gbl...

Spin wrote:
> Is it better to set a domain password policy up at the domain node level
> (domain.gov, the properties of the domain node icon showing near the top
> left of AD Users and Computers), or is it better to set up the domain
> password policy up in properties of the Default Domain Controllers OU of the
> domain in question?

Hi,
Password policies can only be applied at the domain level. You can make entries at the OU level, but they have no effect.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
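The per-account exceptions mentioned in the thread (password not required, password never expires) are stored as bits in each account's userAccountControl attribute, so they can be audited against the single domain-wide policy. The following is an added example, not code from any poster in this thread; the account records and the 42-day maximum age are constructed sample values, and the function names are hypothetical.

```python
# userAccountControl bit flags (documented Active Directory values).
NORMAL_ACCOUNT = 0x0200
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed domain-wide policy: the one policy all domain users share.
DOMAIN_POLICY = {"max_password_age_days": 42}

# Constructed sample accounts: (name, userAccountControl, password age in days).
SAMPLE_ACCOUNTS = [
    ("alice", NORMAL_ACCOUNT, 10),
    ("svc-backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 900),
    ("kiosk", NORMAL_ACCOUNT | PASSWD_NOTREQD, 5),
    ("bob", NORMAL_ACCOUNT, 60),
    ("DC01$", SERVER_TRUST_ACCOUNT, 12),
    ("WS17$", WORKSTATION_TRUST_ACCOUNT, 29),
]

def audit_account(uac, pwd_age_days, policy=DOMAIN_POLICY):
    """Return findings on how the domain password policy reaches one account."""
    # Computer accounts rotate their own passwords; keep them out of the user audit.
    if uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT):
        return ["computer account: outside the user password audit"]
    findings = []
    if uac & PASSWD_NOTREQD:
        findings.append("exempt: password not required")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("exempt: password never expires")
    elif pwd_age_days > policy["max_password_age_days"]:
        findings.append("expired under domain policy")
    return findings

def audit(accounts=SAMPLE_ACCOUNTS):
    """Map each account name to its findings, omitting accounts with none."""
    report = {}
    for name, uac, age in accounts:
        findings = audit_account(uac, age)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'; '.join(findings)}")
```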