Re: Second domain
- From: "JPolicelli [MVP-DS]" <JPolicelliMVPDS@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 26 Jan 2009 12:39:02 -0500
Each domain has its own Password Policy, so creating a new domain in the existing forest will allow you to use a different Password Policy for the given users.
In Windows Server 2008, you can leverage fine-grained password policies, which allow you to create multiple password and account lockout policies in a domain. However, this requires a domain functional level of Windows Server 2008, which means 1) all of your existing domain controllers must have Windows Server 2008 installed and 2) you cannot add any domain controllers in future that have an operating system version that is lower than Windows Server 2008.
There are third-party solutions that allow you to create multiple password policies within a single domain. Do a search for "Active Directory password filters" and you should find a fair number of them.
--
JPolicelli, MVP - Directory Services
http://www.policelli.com
http://policelli.com/blog
This posting is provided AS IS with no warranties and confers no rights. Always plan and test.
----
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message news:ewIHrn9fJHA.5408@xxxxxxxxxxxxxxxxxxxxxxx
"Joe Brown" <JoeBrown@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:C693BBC1-30E4-48A1-A645-17923041AF25@xxxxxxxxxxxxxxxx
I may need to set up a 2nd domain to move a group of users to in order to have
a separate password policy for those users. Is there documentation for doing
this that someone can point me to? I searched some on the MS site but didn't
see what I was looking for. This is a 2003 Server environment. I know how
to promo the DC and create the domain, but can I just drag and drop users
from one domain to the new one?
I'm not sure but you might be able to create a Child Domain then have a different Policy within it,...and it would still be in the same Forest. But if that won't work I guess you will have to create a New Forest and a New Domain.
But in either case the "Objects" have to be migrated from one place to the other. This is done with the Active Directory Migration Tool (ADMT). It should already be on your DC or on the Install CD,...but you can just download the latest version from MS's site and that would probably be better. You can download the documentation for it as well,...and then be sure to study it. This isn't something you want to take a chance on doing wrong the first time.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
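The fine-grained password policy option from the first reply, as an added example that is not part of the original thread: it checks the domain functional level requirement, creates a second password and lockout policy, applies it to a group, and confirms which policy a member actually receives. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT); the policy name, group name, user name and all setting values are constructed placeholders.

```powershell
# Added example: names and values are constructed placeholders, not from the thread.
Import-Module ActiveDirectory

$policyName = 'PSO-SecondPolicy'     # hypothetical policy (PSO) name
$groupName  = 'SecondPolicyUsers'    # hypothetical group holding the affected users
$sampleUser = 'jdoe'                 # hypothetical group member used for verification

# Fine-grained policies require domain functional level Windows Server 2008 or higher.
$domain   = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $required) {
    throw "Domain functional level is $($domain.DomainMode); Windows Server 2008 is required."
}

# A PSO applies to users and global security groups, not to OUs.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group to receive a PSO."
}

# Create the policy once. A lower Precedence value wins when several PSOs apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:15:00' `
        -LockoutDuration '00:15:00'
}

# Link the policy to the group unless it is already linked.
$applied = Get-ADFineGrainedPasswordPolicySubject -Identity $policyName
if ($applied.DistinguishedName -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group
}

# Verify the effective policy; no result means the domain default policy still applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $sampleUser
if ($null -eq $effective) {
    Write-Warning "No PSO applies to $sampleUser; the domain default policy is in effect."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}
```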