Password Policy

Status
Not open for further replies.

acl03

MIS
Jun 13, 2005
1,077
US
Why is password policy in Computer Config and not User Config?

Do I actually apply password policies to computer accounts?

What's the best way to apply a password policy to a specific group of people?



Thanks,
Andrew
 
Password policy can only be set at the domain level and applies to all user objects; it cannot be set on a specific group of users, I'm afraid.
 
That seems weird that it can't be changed by OU. Why is it not in the User portion of the GPO? Isn't a password a property of a user account?



Thanks,
Andrew
 
You wouldn't want to set those types of password policies on a user-by-user basis. Those types of policies are set for the whole domain, i.e., maximum failed logins, lockout duration, etc.

These are the types of policies for everyone logging into the domain and not specific accounts logging into the domain.
 
Well, we have a general OU with our users in it, but there are some accounts that we don't want these password policies applied to.



Thanks,
Andrew
 
I'm afraid that's the way it is with Active Directory, you can only set up password/account policies at the domain level. It's a grievance I have with AD to be honest as I, occasionally, would like to be able to have different password policies for different users.

Teknoratti, you are correct when you say that you would not want to set password policies on a user by user basis but the ability to do this on an OU would be good.

All you need in this life is ignorance and confidence; then success is sure.
- Mark Twain
 
I agree, I've often wanted to apply stricter settings to a particular OU but it's just not possible. It's rumored to be a feature that will be included in Longhorn server but I'm not certain.
 
Andrew it seems you are ignoring what is being told to you here.

Password policies can only be set at the domain level. You can only have ONE password policy. Whether it is in the Computer or User portion of the GPO is irrelevant. You cannot do what you are looking to do with Windows 2003.



I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Mark - I wasn't ignoring it, I understand that what I want to do isn't possible.

I was just curious why the setting was in the computer portion, that's all.



Thanks,
Andrew
 
The reason it is in the Computer Policy is because the computer needs to block users from logging in if they don't satisfy the password requirements. In order for a user policy to take effect, the user must log in.

If a user is required to change password at next login and chooses to cancel doing so, the computer will not let them log in. Were this in a user policy they would ALREADY be logged in, creating a security issue.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 

Mark, I don't suppose you've heard if the ability to set password policies at an OU level will be available in Longhorn??


Paul

MCSE 2003

"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Albert Einstein
 
In beta 3 the plan is to introduce multiple password policies. These can be linked to individual users or security groups but currently are not planned to support OUs.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
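
Added example, not part of the thread: the multiple-policy feature described in the post above shipped in Windows Server 2008 as fine-grained password policies (Password Settings Objects), which link to users or global security groups rather than OUs. The script below uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) to apply a stricter policy to one OU through a "shadow group" and then report which policy each account actually receives; the domain, OU, group and policy names are hypothetical.

```powershell
# Added example; example.com, the OU, the group and the PSO name are hypothetical.
Import-Module ActiveDirectory

$ouDn      = 'OU=ServiceAccounts,DC=example,DC=com'
$groupName = 'PSO-ServiceAccounts'      # shadow group mirroring the OU
$psoName   = 'ServiceAccounts-Strict'

# 1. Baseline: the single domain-wide policy every account gets by default.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge

# 2. PSOs cannot target an OU, so create a global security group to carry the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}

# 3. Create the stricter policy once. A lower Precedence wins when several PSOs apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' -ReversibleEncryptionEnabled $false
}
$linked = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName)
if ($linked.Name -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# 4. Keep the shadow group equal to the OU's user population (run on a schedule).
$ouUsers  = @(Get-ADUser -SearchBase $ouDn -SearchScope Subtree -Filter *)
$members  = @(Get-ADGroupMember -Identity $groupName)
$toAdd    = @($ouUsers | Where-Object { $members.DistinguishedName -notcontains $_.DistinguishedName })
$toRemove = @($members | Where-Object { $ouUsers.DistinguishedName -notcontains $_.DistinguishedName })
if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# 5. Verify: an empty result means the account still falls back to the domain policy.
foreach ($u in $ouUsers) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        User   = $u.SamAccountName
        Policy = if ($effective) { $effective.Name } else { '(domain default)' }
    }
}
```

Accounts moved out of the OU keep the stricter policy until step 4 runs again, so the membership sync is the part to monitor.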
 
Thanks Mark


Paul

MCSE 2003

"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Albert Einstein
 
Here is an update on this:

Password policies (account lockout and password specific settings like complexity) currently work at domain as well as OU level in LH build 6001. The setting is computer specific, so it relies on security filtering in the computer context and the link to the OU.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
What about using a custom PASSFILT.DLL?

There are a couple of companies selling these - just do a search. I have been thinking about implementing one of these but have not gone back to do any real research on them yet.
 