
Domain and local password policy


IS300

MIS
Oct 29, 2003
We have a domain password policy that requires users to change their password every so often, have a minimum length, etc.

Some of the users have special laptops, and they log in locally to perform their tasks, not the domain.

The local account is similar on all these computers, but the password they use doesn't match the minimum length.

Is there a way to have a separate local account policy that goes into effect when they log onto the local machine and not the domain?

This way the local account password doesn't get affected by the domain account policy.

Thanks,
 
You could script this...

Let's say you put these users in an OU, OU1, and apply a GP to it. Make another OU, OU2, just for parking.

Now have a script that moves any users from OU2 to OU1 every, say, hour.

When ppl log on to the domain they will have the policy applied because they're in OU1; when they log off, a logoff script runs that moves them from OU1 to OU2, and the policy will get un-applied and local policy will take priority. You see what I'm getting at?

I'm not at all sure this will work, but maybe an idea to work on.

brgds Nicolai
 
I understand that if you put a password policy on an OU, it gets overwritten by the domain default policy.

I read that although it gets overwritten when you log onto the domain, the OU password policy takes effect on local accounts when you log in as a local user. Is this true? I've tried this but the domain default policy still seems to overwrite it.

Thanks,
 
Yes, you're right, I forgot about the special overwrite for password policy.
So it would demand setting no password policy on the domain, and putting it in a GP and applying this to the OUs as needed.

When thinking about it, I'm not sure this idea would work anyway.

So the solution would be to have the users use a domain account to log in. They can do this even when offline, as WinXP caches the login info.

I think this is best anyhow for administrative reasons.

brgds Nicolai
 
So I would have to have no domain password policy for the local password policy in the OU to work? Is that correct?

The reason why we need two password policies is that users have a local account that they log onto to run this software. The people who programmed that software don't know what they're doing, so they created these local administrator accounts with a three-letter password.

So when the user logs onto the domain we want them to have our secure password, but when they log in locally to run the software, they need to use the account and password that was set up for them by that software.

Stupid.

Thanks though.
 
If you could just change the code to use a local security group instead of a user, you would be able to add a domain user to this group.

You're right, hardcoding a local user in a modern AD network seems... well.

Good luck.

brgds Nicolai
 