Re: 2003 Domain Password Policy with NT 4.0 Workstations

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 02/12/04


Date: Wed, 11 Feb 2004 22:03:57 -0700

The only way to exclude users from adhering to the domain password policy is
to have them log on with a local user account, which is not a great idea. If
you want to have multiple password policies, the answer is two domains.

Sorry, but that is the way it works. What you propose won't work, since you
are attempting to apply a computer policy to a user. The password policy is
a computer setting and only applies to a computer object.

-- 
Derek Melber
"Rob Lowe" <none> wrote in message
news:OFrMH0N8DHA.1504@TK2MSFTNGP12.phx.gbl...
> Thanks for your prompt reply!
>
> I don't want to apply a restrictive password policy to my users still
> running Windows NT 4.0, so would the following scenario work?
>
> 1.  Modify the Default Domain Policy and remove the Account
> Policies/Password Policy settings.
> 2.  Create a new GPO object and define the Account Policies/Password
> Policy settings here.
> 3.  Define security so that the GPO with defined Account Policies/Password
> Policy settings is only processed by security group containing user
> accounts that have been migrated to Windows XP.
>
> If this scenario would work, should this GPO be linked before or after the
> Default Domain Policy is processed?
>
> Thanks!
>
> "Derek Melber [MVP]" <derekm@braincore.net> wrote in message
> news:eh0nEED8DHA.2676@TK2MSFTNGP10.phx.gbl...
> > Yes it would, if they are authenticating to Active Directory. Remember,
> > Account Policies are not user or client computer based... they are DC
> > based. They modify the DC to allow or disallow certain passwords. It is a
> > filter on the DC that forces the rules. So, if a Windows NT Workstation is
> > joined to the AD domain, it will adhere to the Account Policy that is in
> > place on the domain.
> >
> > -- 
> > Derek Melber
> >
> > "Rob Lowe" <none> wrote in message
> > news:OF4B69C8DHA.2028@TK2MSFTNGP10.phx.gbl...
> > > My client is in the process of migrating from Windows NT 4.0 SP6 with
> > > the AD-aware client to Windows XP SP1.
> > >
> > > We would like to apply a more stringent password policy to the domain
> > > to force periodic password changes, retaining password history and
> > > requiring complex passwords.
> > >
> > > The question is:  Would application of this password policy to all
> > > Authenticated Users in the domain apply to users logging on from a
> > > Windows NT Workstation?  (I believe that they would not since GPOs should
> > > not be processed by Windows NT computers, but I'm just looking for
> > > validation).
> > >
> > > Cheers!
> > > -Rob
> > >
> > >
> >
> >
>
>

