Domain Newbie 2

mrblonde

Technical User
Mar 16, 2001
187
US
Hello,

I just got a job and am working on a domain based network for the first time. It was all p2p for me up until now. I've been given the task of setting up the password policy so that every 90 days the users are prompted to change their passwords. We'd also like to enforce a policy of 8 characters. I'm digging in the user properties and in the domain security but have not been able to find the right configuration. Any advice would be greatly appreciated.

thanks,
Mr. Blonde
 
You'll need to change that in security policy. Click START>RUN and type MMC. Click CONSOLE>ADD/REMOVE SNAP IN and click ADD.
Add Security Templates and open the SECUREWS template. Adjust the account policies, then apply.


Hope this helps!

Corie
 
Uhhh, correct me if I'm wrong, but in a domain ---

I think it would be easier to just open the domain policy editor and set the Account Password Policies to exactly what you have asked for. There's an option for exactly what you want to do here.

In the group policy editor:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy


 
Thanks tahoe2,

Can I ask, will this work for the Terminal Clients as well?

Mat
 
YES

--user accounts are managed by the domain controller. Terminal Services accounts (if you're using the ones from the domain) will also fall under this. However, if you create local accounts on the machines and have users login with those, it is possible to have a separate policy take effect on those accounts. This would only be the case though if you went into the local machine policy editor and changed the settings to something other than what is being pushed out by the domain controller.
 
As long as they authenticate through the domain where you set the policy, yes.

Learn all you can about Active Directory, because Group Policy is easily implemented that way. You can have levels of security that you just don't get when you set policy domain-wide.

Corie
 
Thanks for the responses. Where can I find the group policy editor? I feel like an idget for asking but I want to be sure. I've looked in the Domain Security Policy and in the Domain Controller Security Policy and both have password settings in them. Sounds like you're talking about a different location though tek...
 
You have found the right location in the domain security policy. It works something like this... your enterprise can have many policies applied at different levels of the Active Directory structure and they are applied in this order: local, site, domain, top level organizational units, sub organizational units.

2000 comes with 3 default policies built in... local applies to the local computer, default domain policy (applied at the domain level), and default domain controller's policy (applied to the domain controllers organizational unit in Active Directory).

You can add new policies (even have more than one policy at the same level) but keeping the number of policies down helps improve logon time. You can manage your site policies through Sites and Services, domain and organizational unit policies through Active Directory Users and Computers, and local policy through manage my computer... or you can use the Microsoft Management Console and add an instance of group policy for each of your policies and manage them all from one place. Administrative Tools provides management console shortcuts to the default policies when you made the computer a domain controller.

Like setting access on shared folders, implementing a policy on a specific organizational unit only affects the objects in that level and sub levels. To help you understand how they work, do the following exercise:

Open Active Directory Users and Computers. Right click the domain and select properties. Go to the group policy tab. See the default domain policy? It applies to every object in the domain. Close that and right click the domain controller's OU. Properties, group policy tab. See the default domain controller's policy? It only affects the computers and users in the domain controller's OU. Policies do not affect groups, only user and computer objects in Active Directory.

As you can see, you can edit or delete existing policies or add new ones. Also notice that when you edit the policies from Active Directory, they are subdivided into two sections: computers and users. Computer policies are applied only to computers when the computer is turned on. User policies are applied only to users when they log on.

Since you want your policy to be domain wide, edit the default domain policy to set your password policies. It will take time to refresh the policy through the domain (about 45 minutes) or when the computers are rebooted or user logs in again.
 
That was a lot to type. Extremely useful and I appreciate the practice example.

Thanks a lot.

Mat
 
I don't expect you to type it out but where would I go to read something about how to set up various policies for different users on a domain?

-Ryan
 
SeaSpray0 that was one of the best tips I have ever gotten on this site. Thanks a million.
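
An added example, not written by any poster in this thread: a Python check that reads a security template (the `.inf` format used by the Security Templates snap-in and by `secedit /export`) and reports whether it meets the 90-day and 8-character targets from the first post. The sample template text is constructed, and treating any `MaximumPasswordAge` below 1 as "never expires" is an assumption of this sketch.

```python
import configparser

# Targets from the first post: change every 90 days, at least 8 characters.
MAX_AGE_DAYS = 90
MIN_LENGTH = 8

# Constructed sample in security-template (.inf) layout. A real export
# (secedit /export /cfg policy.inf) is normally UTF-16, so read it with
# open(path, encoding="utf-16").read() before passing it in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
[Version]
signature="$CHICAGO$"
"""

def read_system_access(inf_text):
    """Return the integer settings of the [System Access] section."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str                  # keep the key names' case
    parser.read_string(inf_text.lstrip("\ufeff"))
    settings = {}
    if parser.has_section("System Access"):
        for key, value in parser.items("System Access"):
            try:
                settings[key] = int(value)
            except ValueError:                # skip quoted string values
                pass
    return settings

def audit(settings):
    """List the ways the settings miss the thread's two targets."""
    findings = []
    age = settings.get("MaximumPasswordAge")
    if age is None:
        findings.append("MaximumPasswordAge is not defined")
    elif age < 1:                             # assumption: no expiry
        findings.append("passwords never expire")
    elif age > MAX_AGE_DAYS:
        findings.append(f"maximum age is {age} days, above {MAX_AGE_DAYS}")
    length = settings.get("MinimumPasswordLength")
    if length is None:
        findings.append("MinimumPasswordLength is not defined")
    elif length < MIN_LENGTH:
        findings.append(f"minimum length is {length}, below {MIN_LENGTH}")
    return findings

if __name__ == "__main__":
    print(audit(read_system_access(SAMPLE_INF)))
```
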
 