Re: AD User Password Policies

All domain accounts.

The system doesn't know what the difference is between a user account and a
service account.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"schmeckendeugler" <schmeckendeugler@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:0EF33570-82E6-45FD-AB6D-AF575990BD61@xxxxxxxxxxxxxxxx
> OK,
>
> so that must include all service accounts, administrator accounts, etc.??
>
>
>
> "Ulf B. Simon-Weidner [MVP]" wrote:
>
>> "schmeckendeugler" <schmeckendeugler@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> message news:7630A718-C9DF-4952-8C02-F9742427261C@xxxxxxxxxxxxxxxx
>> > Greetings.
>> >
>> > I have questions RE applying Password Policies. I have an AD running on
>> > 2
>> > 2k+3 DC's. First:
>> >
>> > -I notice that a group policy to control user passwords is actually a
>> > machine policy. What would be the best OU to apply this to? I have
>> > separate
>> > OU's for users and machines.
>> >
>> > -I want users to reset passwords every 30 days, but the annoying pop-up
>> > comes TWO WEEKS before they are required to change their password. Is
>> > this
>> > time limit hackable?
>> >
>>
>>
>> Hello Schmeckendeugler,
>>
>> if you change the password policies at any other level than the domain
>> level
>> it applies only to the local accounts of the computers where the policy
>> applies to.
>>
>> If you want password policies to apply to domain users you need to set
>> them
>> in a policy which applies to the domain object (or the Default Domain
>> Policy).
>>
>> The time limit is a policy as well, which applies to the computer
>> objects.
>> Look in Computer Configuration \ Windows Settings \ Security Settings \
>> Local Policies \ Security Options for Interactive Logon: Prompt user to
>> change password before expiration.
>>
>> --
>> Gruesse - Sincerely,
>>
>> Ulf B. Simon-Weidner
>>
>> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
>> Weblog: http://msmvps.org/UlfBSimonWeidner
>> Website: http://www.windowsserverfaq.org
>>


.

Relevant Pages

  • RE: Group Policy: multiple password policies in the same domain?
    ... the policy is just ignored. ... Subject: Group Policy: multiple password policies in the same domain? ... I'm trying to lock down some domain "service" accounts (backup, ... time I'm trying to enforce stronger passwords for service accounts like ...
    (Focus-Microsoft)
  • RE: Group Policy: multiple password policies in the same domain?
    ... I'd suspected that you might be able to use a different GPO at the same level but having never tested it I didn't want to committ it to writing! ... Subject: Group Policy: multiple password policies in the same ... You can only affect domain> accounts at the domain level, but you do NOT have to use the> "Default Domain Policy" GPO. ...
    (Focus-Microsoft)
  • Re: Local setting vs. Effective setting w/ GP??
    ... Password policies do not override local policies. ... >>> local policy affects local account meanwhile domain policy affects domain>> accounts. ...
    (microsoft.public.win2000.active_directory)
  • RE: Group Policy: multiple password policies in the same domain?
    ... > it under access to the GPO. ... The conflict only happens when both policies ... results in having the policy denied. ... > user accounts it affects be able to read it and have "apply ...
    (Focus-Microsoft)
  • Re: Password Policy Basics
    ... but assumed the POLICY would be applied to ALL ... so lcoal machines might start enforcing that policy on ... No, the local accounts are not effected by the domain policy, except you link the policy also to the OU like Florian states. ... I was thinking of service accounts on the servers... ...
    (microsoft.public.windows.group_policy)