Re: password complexity

---

• From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
• Date: Tue, 30 Aug 2005 11:30:00 -0400

---

Personally, I'd remove all password policies other than the global. That
includes the old NT 4 BDC and the OU based policy.




"Neil Rentuma" <NeilRentuma@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E98097E8-EC11-4EA7-BE51-84CF8582F352@xxxxxxxxxxxxxxxx
> Paul,
>
> I read your posting and believe I am experiencing something similar. We
> have an NT4 BDC that appears to assign its old Password Policy, then there
> is
> our Default Domain Controller OU that has its own Password Policy and then
> there is our Default Domain Global Policy with the Password Policy we
> really
> want applied throughout the Domain.
>
> From your response, I think that the all the Policies are contending. I
> believe this when I run the command <<net account>> on any given
> workstations
> or server and see different Password Security Settings being applied.
>
> What is the best approach at changing all of these Policies to one that is
> applied to all of our Users?
>
> Thanks in advance,
> Neil Rentuma
> 515.281.8326
> nrentuma@xxxxxxxxxxx
> nrentum@xxxxxxxxxxxxxxx
>
>
> "Paul Williams [MVP]" wrote:
>
>> Password policies can only be applied at the domain level; anywhere else
>> and
>> they only apply to the local SAM of any computer objects within scope.
>> If
>> you want different password complexity requirements for some users you
>> will
>> require a separate domain.
>>
>> Think about it, you're logging on via the DCs; that is, the DCs are doing
>> the auth not the computers in the OU.
>>
>> --
>> Paul Williams
>> Microsoft MVP - Windows Server - Directory Services
>> http://www.msresource.net | http://forums.msresource.net
>>
>>
>>


.

---

• Follow-Ups:
  • Re: password complexity
    • From: Neil Rentuma

• References:
  • Re: password complexity
    • From: Neil Rentuma

• Prev by Date: Re: trouble with deleted accounts
• Next by Date: Redirected My Documents and Offline files
• Previous by thread: Re: password complexity
• Next by thread: Re: password complexity
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Group Policy: multiple password policies in the same domain? ... I'd suspected that you might be able to use a different GPO at the same level but having never tested it I didn't want to committ it to writing! ... Subject: Group Policy: multiple password policies in the same ... You can only affect domain> accounts at the domain level, but you do NOT have to use the> "Default Domain Policy" GPO. ... (Focus-Microsoft) Re: Local setting vs. Effective setting w/ GP?? ... Password policies do not override local policies. ... >>> local policy affects local account meanwhile domain policy affects domain>> accounts. ... (microsoft.public.win2000.active_directory) Re: ADAm password policies ... Thanks to you & Lee. ... password policies ... This difference means I might have to write that policy into the ... My sense so far in working with ADAM is that MS has not divorced it well ... (microsoft.public.windows.server.active_directory) Re: AD User Password Policies ... machine policy. ... if you change the password policies at any other level than the domain level it applies only to the local accounts of the computers where the policy applies to. ... Look in Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options for Interactive Logon: Prompt user to change password before expiration. ... (microsoft.public.windows.server.active_directory) Re: Assign password policy to OU ... Password policies defined in the Default Domain Policy GPO apply to ALL ... I created an OU called 'Estimators' and created a GPO called Estimator ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2005-08