2003 server password complexity/User profiles 1

Status
Not open for further replies.

t4z

Technical User
Oct 13, 2003
27
GB
hi guys,

Any help appreciated. This is driving me insane. Please note I have already created my users and if need be can recreate them.

The situation: Have created an OU under my Domain (abc.local)

OU is called staff.
On this OU have created a group policy linked to this OU and blocked inheritance.
Have configured the password policies under comp config to minimal i.e. Disable password complexity and minimum length =1 etc etc.

Have also configured administrator access to user profile.

Have run gpupdate /force on the Server.
These settings are not propagating. My users are no way going to be able to create such complex passwords and even if they do it is going to cause hassle because they will forget (OR EVEN WRITE THEM ON POST-IT NOTES STUCK TO MONITORS).

I have created a standard user and created all accounts by copying this user. However I set these policies before even creating the standard user

These two problems I cannot resolve. Any help would be great.

Thanks
T
 
Domain password policy can only be set at the domain level, not the OU level. If you look in the default domain policy you will see the defaults set there. This is where you will need to disable the policy.
 
hey bofhrevenge2,

I have set a group policy on the OU and this is possible. The first thing I did was disable the password policy on the default domain policy and this did not work.

Have done some research; it's quite possible that it is set under default DOMAIN CONTROLLERS policy. Will try it and give feedback.

By OU I mean I right clicked my domain (abc.local)---New---Organisational Unit. Named this staff and then right clicked this OU---Properties---GPO---New---Created a new GPO for this OU.
 
Yes you have created the OU correctly, you just can't set password policy at this level.
 
hey bofhrevenge2,

Okay here is the score. I have no idea why this is. I disabled all password settings in DEFAULT DOMAIN POLICY and DEFAULT DOMAIN CONTROLLERS POLICY, still did not work.

For some reason I then went into gpedit.msc and changed/disabled everything there. IT WORKED!!!!!!! All my users can now set whatever password they like.

If anyone knows why, an explanation would be nice. I am under the impression that gpedit.msc is the local group policy snap in for my domain controller box and should not affect domain issues such as this?

Cheers
T
 
Running Gpedit.msc on a DC should just reflect the settings that are set in the domain policy or the default domain controllers policy so it is a bit odd.
Did you try selecting no override on the default domain policy?

Out of curiosity are you a high school?
 
Hey,

There is no 'no override' option. I am using GPMC. However there is an 'enforce' option (maybe new in 2003?) and yes it was enforced on default domain policy.

We're not a high school?? Why do you ask? A very good friend of mine is an administrator at a high school and even he didn't know what was going on here and high school administrators are normally very good at this kind of stuff?

 
To quote "My users are no way going to be able to create such complex passwords and even if they do it is going to cause hassle because they will forget (OR EVEN WRITE THEM ON POST-IT NOTES STUCK TO MONITORS)"

This is very common in schools; I've worked in quite a few and was just wondering.
 
hi bofhrevenge2,

Any ideas on creating a standard desktop and start menu that users can't fiddle with, i.e. give them access to only the programs they require such as Office, IE and custom-built software?

Really want to lock the machines down so they can't install programs, download them etc. to prevent headache in the future?

cheers
T
 
Yes I use the folder redirection feature in active directory and it works very well.

I use the Basic - Redirect everyone's folder to the same location setting, I then redirect the desktop and start menu to separate hidden shared folders e.g. \\server\profiles$\desktop. This works great and has the bonus that if I want users to see a new shortcut I just put it in the shared folder and it appears on everyone’s desktop or start menu (everyone in that OU anyway).

Give it a test I think you'll agree it's pretty easy to manage.

Oh and make the folders read only to the users then they can't alter the desktop or start menu.
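
A check for the read-only advice in the post above, as an added example that is not part of the original thread: this PowerShell sketch lists any allow ACE on the redirected folders that lets a principal outside a trusted list change their contents. The second path and the trusted list are assumptions.

```powershell
# Added example: audit the NTFS ACLs on the shared Desktop / Start Menu folders.
# Assumptions: the paths below (the startmenu path is hypothetical) and the
# list of principals that are expected to have write access.
$Paths   = '\\server\profiles$\desktop', '\\server\profiles$\startmenu'
$Trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# Rights that let a principal alter the folder contents or its permissions.
$rights    = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]$rights
# Raw generic bits that Get-Acl can return unmapped: GENERIC_WRITE and GENERIC_ALL.
$GenericMask = 0x40000000 -bor 0x10000000

function Get-UnexpectedWriteAce {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $TrustedIdentity = @()
    )
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            # Deny entries only restrict access; skip them.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedIdentity -contains $ace.IdentityReference.Value) { continue }
            $bits = [int]$ace.FileSystemRights
            if ($bits -band ($WriteMask -bor $GenericMask)) {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited entries must be fixed on the parent
                }
            }
        }
    }
}

$findings = @(Get-UnexpectedWriteAce -Path $Paths -TrustedIdentity $Trusted)
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { 'No non-trusted principal can modify the redirected folders.' }
```

This inspects NTFS permissions only; share-level permissions on the hidden share are a separate setting and need their own review.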
 
That's great,

What I have at the moment is a default profile in netlogon\default user. This will be the start menu and desktop users can have at the moment. This will allow me to roll out this weekend. Do you think it would be possible to keep this for the time being and then set up and deploy your method without causing interruption? I'm guessing it won't cause interruption as it's just a matter of redirecting the folder and applying the GPO to that OU. Can you foresee any problems with deploying this once users have settled in rather than deploying this from the beginning? Thanks for all your help, bofhrevenge2, on all these matters. I appreciate you passing on knowledge in your area of expertise.

Thanks
T
 
This should work just fine as it's almost the same way I rolled our setup out.

I would create a test user that uses the profile in the Netlogon folder (identical to current users) then create an OU with the folder redirection setting that you want and test it.

I can't foresee any major problems that a bit of testing won't help you avoid.

You might find that shortcuts in All Users are still added to the start menu (again testing will show this); if this is the case there is a policy you can set to remove them: User Config - Admin Templates - Start Menu and Taskbar - Remove common program groups from start menu

Let me know how you get on.
 
I actually specify that users have their own profiles folder (in their My Documents folder on the server so settings roam with them) and set this in the user's properties tab in Active Directory.
The group policy then overrides the start menu and desktop parts of this so they receive the same as everyone else but internet shortcuts and other "personal" settings are still per user.

If you use a mandatory profile at present then you will need to test that the GPO redirection still works. It should.
 
Okay, I have set them up as roaming profiles. Slightly different to the way you did. Their profiles still sit on the server on a shared folder and they are linked to this via their profile tab. My Docs for each user is on a separate shared folder on the network and they connect to it via the local profile path which is the u:\. The reason I did this was to prevent My Docs being uploaded with the profile each time a user logs on as this folder can get quite big. I will definitely test this out beforehand as I don't want to create any disruptions. However this will be next weekend. I also set them up so they each have an Outlook folder in their My Docs so their email will roam with them as well. We don't have Exchange here. We are using an internet-based POP3 mail server unfortunately.

I have tried getting your email address by clicking on your name however it errors out. Will keep posting here for the time being.

Out of curiosity what do you do? Contractor? You seem very knowledgeable in this field; how long have you been in this field?

Cheers
Once Again
 
Your email is set up the same as ours; I store the users' .pst files in their MyDocs folder too (the MyDocs also reside on the server as it would take all day to log on otherwise). We are hoping to move to Exchange or another solution sometime soon.

I'm not a contractor and I wouldn't say I'm super knowledgeable but I have worked in several schools rolling out networks with 1400+ roaming users, mostly moving them from NT4/98 to 2000/2003 server and 2000/XP clients. You tend to pick up quite a bit about profiles and shared desktops in an environment like that.

Cheers.
 
Hey,

Excellent, keep me posted on whether you go ahead with an Exchange roll out. I want to do it soon as well. I have tried it before. Have heard it's quite painful. My domain I think is set up correctly in terms of DNS and everything else. I would like to do this but just don't have the confidence yet.

Cheers
 
I have a friend who does no end of Exchange installs and as far as I can tell a couple of test runs and the right book should see you fine for a single server setup. I installed Exchange 5.5 and ran it for a while and it was fairly straightforward (although quite different to 2003).

I'll keep you posted.
 
Nice one,

Thanks for the help.
 
Excellent advice, bofhrevenge2

I've set up several clients that way and it works flawlessly.

Note: You may want to keep a close eye on server storage space, it can be consumed quickly with this setup.



MCSE CCNA CCDA
 
Thanks dearingkr. I know what you mean as regards disk space, 1000+ poorly trained users putting multiple 5meg digital photos or A4 scans into Word and Publisher docs can soon use up an awful lot of space.
 