Re: AD User Password Policies

OK,

so that must include all service accounts, administrator accounts, etc.??



"Ulf B. Simon-Weidner [MVP]" wrote:

> "schmeckendeugler" <schmeckendeugler@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:7630A718-C9DF-4952-8C02-F9742427261C@xxxxxxxxxxxxxxxx
> > Greetings.
> >
> > I have questions RE applying Password Policies. I have an AD running on 2
> > 2k+3 DC's. First:
> >
> > -I notice that a group policy to control user passwords is actually a
> > machine policy. What would be the best OU to apply this to? I have
> > separate
> > OU's for users and machines.
> >
> > -I want users to reset passwords every 30 days, but the annoying pop-up
> > comes TWO WEEKS before they are required to change their password. Is this
> > time limit hackable?
> >
>
>
> Hello Schmeckendeugler,
>
> if you change the password policies at any other level than the domain level
> it applies only to the local accounts of the computers where the policy
> applies to.
>
> If you want password policies to apply to domain users you need to set them
> in a policy which applies to the domain object (or the Default Domain
> Policy).
>
> The time limit is a policy as well, which applies to the computer objects.
> Look in Computer Configuration \ Windows Settings \ Security Settings \
> Local Policies \ Security Options for Interactive Logon: Prompt user to
> change password before expiration.
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> Weblog: http://msmvps.org/UlfBSimonWeidner
> Website: http://www.windowsserverfaq.org
>
.

Relevant Pages

  • RE: Group Policy: multiple password policies in the same domain?
    ... the policy is just ignored. ... Subject: Group Policy: multiple password policies in the same domain? ... I'm trying to lock down some domain "service" accounts (backup, ... time I'm trying to enforce stronger passwords for service accounts like ...
    (Focus-Microsoft)
  • RE: Group Policy: multiple password policies in the same domain?
    ... Domain password policies must apply to machines at the domain level. ... The password policy for all domain accounts must be set at the default ... If you set password policy in an OU, it will affect the LOCAL accounts ...
    (Focus-Microsoft)
  • RE: Group Policy: multiple password policies in the same domain?
    ... I'd suspected that you might be able to use a different GPO at the same level but having never tested it I didn't want to committ it to writing! ... Subject: Group Policy: multiple password policies in the same ... You can only affect domain> accounts at the domain level, but you do NOT have to use the> "Default Domain Policy" GPO. ...
    (Focus-Microsoft)
  • Re: AD User Password Policies
    ... All domain accounts. ... service account. ... >>> I have questions RE applying Password Policies. ... >>> machine policy. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local setting vs. Effective setting w/ GP??
    ... Password policies do not override local policies. ... >>> local policy affects local account meanwhile domain policy affects domain>> accounts. ...
    (microsoft.public.win2000.active_directory)