Re: Default Domain Policy - Password Chg 90 days

it's a particular case, it's in the computer section because the user database is computer based and we don't want the user to be able to change this setting.

Do you have read the link i provided ?
http://technet2.microsoft.com/windowsserver/en/library/039e8d42-fe50-4738-abf3-c798e74a03f61033.mspx?mfr=true



--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"al" <al@xxxxxxxxxxx> wrote in message news:1189481315.194283.267920@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am not talking about password history. I am talking about maximum
password age. And I don't want to get into the security issues of
setting a password to not expire. There are certain accounts that have
to be this way.

The default domain policy has maximum password age under computer
setting which doesn't make any sense. How is this applied to a domain
user when it is a computer configuration setting? Does that mean that
any domain user that logs onto a computer that is on the domain has to
change their account every 90 days? Or is it used for local accounts
that log into computers on the domain which allows for backwards
compatibility? That is what I have been told.

My understanding of this setting was that it required domain users to
change their passwords every 90 days (or whatever you set it to) But
that doesn't make a lot of sense, since this is a computer
configuration setting!!! So, WHERE is the user's setting requiring
them to change their password every XX days configured for a domain
user - it is NOT being done through local GPOs. Local GPOs are not in
use.

TIA
al


On Sep 10, 10:46 am, al <a...@xxxxxxxxxxx> wrote:
W2k3 Native Mode Domain: From what I understand, the default domain
policy that contains the setting "Maximum password age" 90 days really
applies to computer objects and NOT user objects. Which allows for
backwards compatability. So where does the user get their password
history enforcement from? They are required to change their passwords
every XX days in our domain but now I am not too sure where they are
getting this from if the above setting is only applied to computer
objects and local accounts. I've heard that this is set in a domain
profile? The reason I am asking is that we have some accounts that we
set "password never expires" on and I want to know how this overrides
a domain GPO. There is not an OU GPO that allows for this exception -
there is no exception.

TIA
al



.

Relevant Pages

  • Re: Default Domain Policy - Password Chg 90 days
    ... Mathieu CHATEAU ... There are certain accounts that have ... Or is it used for local accounts ... > user - it is NOT being done through local GPOs. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Default Domain Policy - Password Chg 90 days
    ... There are certain accounts that have ... user when it is a computer configuration setting? ... Or is it used for local accounts ... user - it is NOT being done through local GPOs. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and
    ... using local accounts, one could easily boot to an alt OS and replace the SAM ... since the local admin owns the EFS ... > Regarding laptop security, you're in the same boat as the rest of us. ...
    (Pen-Test)
  • Re: Multiple Applications on TS
    ... Why on earth would you want to maintain local accounts, ... MCSE, CCEA, Microsoft MVP - Terminal Server ... > server,the group policy is not in effect.Is group policy meant ...
    (microsoft.public.windows.terminal_services)
  • Re: External Trust - Cant see share contents
    ... Use the universal groups to configure the share access permissions. ... Windows Server 2003 Domain with an External Trust to the remote ... are Share = Local group with local accounts have Change. ...
    (microsoft.public.windows.server.active_directory)