Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Password Policies

Status
Not open for further replies.
dtk3

dtk3

MIS
Feb 24, 2004
44
0
0
CA
Hello. Please let me know if I should be posting this in the Windows 2000 Server forum instead.

I need to set up two password policies for one domain. A group has been created for the users that are supposed to be 'governed' by the password policy. I have figured out how to configure a password policy for the entire domain but I can't seem to get it to apply to one group of users only. It seems to be either all or none.

When I go to the properties of my new GPO I can set who the policy applies to. I add my group and under the 'Apply Group Policy' I check off 'Allow'. I have tried selecting 'Deny' for the Authenticated Users group as well as not selecting anything and even removing Authenticated Users from the listing. The policy is still not applied to the group I added. If I select 'Allow' to apply the policy for the Authenticated Users it applies it to everyone. I'm assuming all users are covered under 'Authenticated Users' so should I delete this entry from the security list or leave it as 'Deny' the application of the policy?

I have moved the Password Policy to the top of the list of policies.

How do I apply this password policy to the group of users only and not all users on the domain?

Thanks.
DTK
 
Sort by date Sort by votes
You would probably get a better response in the Windows 2000 forum but I'll do my best to answer your question.

Unfortunately my test network is not up so, otherwise I'd be able to test this out. Perhaps, if your situation would allow for it, the users who are not to be governed by the password policy can be put into a seperate OU. Then block policy inheritance on that OU. Wish I could test this out, it should work though, let me know.

 
Upvote 0 Downvote
Thanks. I'll look into it a bit more and give it a try!

Cheers
DTK
 
Upvote 0 Downvote
Password policy is domain-wide in active directory and will be picke up from Default Domain Policy. If you want multiple password policies you'll need multiple domains.
 
Upvote 0 Downvote
NickFerrar is exactly right. I get this question all the time, and students seem shocked at the answer all the time.

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
 
Upvote 0 Downvote
Thanks for the responses. Is there anywhere I can print off documentation that says this? I know I will need 'proof' when I go tell my boss.

Thanks.

Cheers
Dayle
 
Upvote 0 Downvote
That is a fundamental design consideration when designing or deploying active directory. Just go to Microsoft's support site and do a search. You will find more than enough proof.

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
 
Upvote 0 Downvote
It is important to understand that multiple domains does not have to mean different namespaces. For example. tek-tips.com is a domain. windows.tek-tips.com is sub or child domain of tek-tips.com. So even though it's just a sub-domain, it's still effectively and seperate domain, which will enable you to have your seperate password policies. By default you will have two-way transitive trusts between tek-tips.com and windows.tek-tips.com. Creating a completely seperate domain with a new namespace would require the set up and maintenance of external trusts.

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
 
Upvote 0 Downvote
Hello. In the documentation that I have printed from Microsoft it does not mention Password policies specifically or the fact that you cannot have multiple password policies in one domain. I have searched the web as well as the Microsoft site and can only come up with documentation that walks me through how to configure a password policy for all users in the domain.

I will keep looking, but if anyone can point me in a more specific direction it would be appreciated.

Cheers
DTK
 
Upvote 0 Downvote
Just do a search for active directory design or active directory design consideratons. Unfortunately, I don't have time presently to do the searching for you and post direct links.

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
 
Upvote 0 Downvote
Thanks for the search ideas. I did a search for Active Directory Design and found two references to password policies having to be applied on a per-domain basis. Here's the links if anyone else needs the same information:



Just do a search on each page for Password Policy.

Thanks for all the help!

Cheers
DTK
 
Upvote 0 Downvote
Glad I could help. Remember that knowing where to find information is just as important as "knowing" information in this field. No one knows everything, but a good professional should know where and how to find most things.

Good luck with your boss.

CISSP, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

T
  • Solved
Not able to log into my previous account, and there's no "Forget Password"
Replies
15
Views
820
Chris Miller
Chris Miller
KenLSim
  • Locked
  • Question
Server Password Request
Replies
0
Views
50
KenLSim
KenLSim
SamBones
  • Locked
  • Question
Diceware Passwords 1
Replies
0
Views
131
SamBones
SamBones
johnherman
  • Locked
  • Helpful tip
Password strength
Replies
0
Views
33
johnherman
johnherman
Glenn9999
  • Locked
  • Question
A Password Generator - Questions
Replies
4
Views
47
Glenn9999
Glenn9999

Part and Inventory Search

Sponsor

Back
Top