Re: AD User Password Policies

Hmm.

Will this override the "Password does not expire" checkbox under Right-click
+ Properties? I really don't wanna have to reset the passwords on my service
accounts every 30 days!

Pancake Smeckendeugler

"Paul Bergson" wrote:

> All domain accounts.
>
> The system doesn't know what the difference is between a user account and a
> service account.
>
> --
>
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "schmeckendeugler" <schmeckendeugler@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:0EF33570-82E6-45FD-AB6D-AF575990BD61@xxxxxxxxxxxxxxxx
> > OK,
> >
> > so that must include all service accounts, administrator accounts, etc.??
> >
> >
> >
> > "Ulf B. Simon-Weidner [MVP]" wrote:
> >
> >> "schmeckendeugler" <schmeckendeugler@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> >> message news:7630A718-C9DF-4952-8C02-F9742427261C@xxxxxxxxxxxxxxxx
> >> > Greetings.
> >> >
> >> > I have questions RE applying Password Policies. I have an AD running on
> >> > 2
> >> > 2k+3 DC's. First:
> >> >
> >> > -I notice that a group policy to control user passwords is actually a
> >> > machine policy. What would be the best OU to apply this to? I have
> >> > separate
> >> > OU's for users and machines.
> >> >
> >> > -I want users to reset passwords every 30 days, but the annoying pop-up
> >> > comes TWO WEEKS before they are required to change their password. Is
> >> > this
> >> > time limit hackable?
> >> >
> >>
> >>
> >> Hello Schmeckendeugler,
> >>
> >> if you change the password policies at any other level than the domain
> >> level
> >> it applies only to the local accounts of the computers where the policy
> >> applies to.
> >>
> >> If you want password policies to apply to domain users you need to set
> >> them
> >> in a policy which applies to the domain object (or the Default Domain
> >> Policy).
> >>
> >> The time limit is a policy as well, which applies to the computer
> >> objects.
> >> Look in Computer Configuration \ Windows Settings \ Security Settings \
> >> Local Policies \ Security Options for Interactive Logon: Prompt user to
> >> change password before expiration.
> >>
> >> --
> >> Gruesse - Sincerely,
> >>
> >> Ulf B. Simon-Weidner
> >>
> >> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> >> Weblog: http://msmvps.org/UlfBSimonWeidner
> >> Website: http://www.windowsserverfaq.org
> >>
>
>
>
.

Relevant Pages

  • RE: Group Policy: multiple password policies in the same domain?
    ... > it under access to the GPO. ... The conflict only happens when both policies ... results in having the policy denied. ... > user accounts it affects be able to read it and have "apply ...
    (Focus-Microsoft)
  • Re: Password Policy Basics
    ... but assumed the POLICY would be applied to ALL ... so lcoal machines might start enforcing that policy on ... No, the local accounts are not effected by the domain policy, except you link the policy also to the OU like Florian states. ... I was thinking of service accounts on the servers... ...
    (microsoft.public.windows.group_policy)
  • RE: Group Policy: multiple password policies in the same domain?
    ... there can only be 1 password policy for each account ... affect the local accounts on the servers in scope of that GPO. ... time I'm trying to enforce stronger passwords for service accounts like ... Would applying the policy to a specific set of computers affect only the ...
    (Focus-Microsoft)
  • Re: Windows 2000 users accounts get locked out
    ... I have disabled my accounts lockout policy in my ... >account logon events enabled in Domain Security Policy ... and Domain Controller ...
    (microsoft.public.win2000.security)
  • Re: AD 2000, Blank passwords, and Group Policy
    ... I set up an account with password policy enforced and experienced the same as you ... The only thing I can suggest is to leave the accounts as they ... accounts to change password at next logon. ... I could set the policy to not enforce this until after all ...
    (microsoft.public.win2000.security)