deanexpert

asked on

Secondary Domain Password Policy

I need to set up vendor VPN accounts with an extended password expiration policy on our AD domain.  I've come to the realization that since they don't use domain member computers, they are restricted by the domain password policy.  My idea is to create an OU with a policy that changes the password policy.  Create a DC in that OU so that it inherits the policy.  Then, create user accounts against that DC.  Think it will work?
SOLUTION
Jessie Gill, CISSP
No, I don't think you can create password policies at the OU level... you configure this at the domain level...  So, you would need to create a new domain if you wanted a special password policy.
deanexpert

ASKER

I do know you can set a password policy at an OU level so long as the domain computer resides in that OU.  That's my dilemma.  Our vendors don't access our domain with domain member computers.
The settings that are recommended in this chapter are identical for both desktop and laptop client computers, and because they are special-case settings they are applied at the domain root level instead of the OU level. For example, password and account lockout policies for Windows Server 2003 and Windows 2000 Server domains must be configured through a GPO that is linked to the domain root.

source: http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx

Maybe I am not understanding what you mean by password settings?  Do you mean password settings for when they log in to the domain?  If so, this is a domain-wide setting and it can't be set at an OU.
My goal is to have vendor user account passwords expire after 180 days as opposed to the domain policy of 60 days.  The complexity is that they don't use domain member computers.  I've created a policy on an OU that contains a test computer, and when I logon to the domain from that computer, it gets the 180 day policy.  Is my misunderstanding that the password expiration is for the local policy?  Of course it still benefits the domain member.  Still thinking out loud...
To clarify what NJComputerNetworks and jessiepak have already said, your effective password policy is the one applied at the Domain level, anyway if you create a different policy at the OU level, this one will influence the LOCAL (of the machine, that is) users.
So if you say that your vendors do not use domain users, but instead local users, it will work.

>> The complexity is that they don't use domain member computers.
By the way, the computer on which they logon must of course be part of the domain.
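A check for the point made above (an added example, not code from the thread): on a domain-joined computer inside the OU, `net accounts` reports the local SAM policy that the OU-linked GPO rewrites, while `net accounts /domain` reports the domain-root policy that actually governs domain accounts. An English-locale Windows host and the placeholder account name `vendor01` are assumptions.

```powershell
# Added example (not from the thread): compare the local SAM password policy
# (what an OU-linked GPO changes) with the domain-root policy (what governs
# domain accounts). Assumes an English-locale Windows host; "vendor01" is a
# placeholder account name.

function Get-MaxPasswordAgeDays {
    param([switch]$Domain)
    $netArgs = @('accounts')
    if ($Domain) { $netArgs += '/domain' }   # /domain queries the PDC emulator
    $output = & net.exe @netArgs 2>&1 | Out-String
    # Example line: "Maximum password age (days):                        60"
    if ($output -notmatch 'Maximum password age \(days\):\s+(\S+)') {
        throw "Could not parse 'net accounts' output: $output"
    }
    if ($Matches[1] -eq 'Unlimited') { return $null }
    return [int]$Matches[1]
}

function Get-DomainAccountExpiryLine {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # "net user <name> /domain" reports "Password expires" computed from the
    # domain policy, not from the local policy of the computer this runs on.
    $output = & net.exe user $SamAccountName /domain 2>&1
    return ($output | Where-Object { $_ -match '^Password expires' }) -join ''
}

$local  = Get-MaxPasswordAgeDays
$domain = Get-MaxPasswordAgeDays -Domain

"Local SAM policy on this computer : $local days"
"Domain-root policy                : $domain days"
if ($local -ne $domain) {
    "Mismatch: the OU-linked GPO changed only local accounts on this computer;"
    "domain accounts still expire per the domain-root value of $domain days."
}
Get-DomainAccountExpiryLine -SamAccountName 'vendor01'
```

Run it from the test computer in the OU: the first value will show the OU GPO's 180 days, the second the domain's 60, and the vendor account's expiry date will follow the second.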
I am able to effect the following policies with an OU GPO:

Resultant Set Of Policies for Computer:
----------------------------------------
Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MinimumPasswordAge
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            PasswordHistorySize
        Computer Setting:  24
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: Default Domain Policy
        Policy:            MinimumPasswordLength
        Computer Setting:  6
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: Default Domain Policy
        Policy:            MaximumPasswordAge
        Computer Setting:  60

Account Policies
----------------
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordAge
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            PasswordHistorySize
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordLength
        Computer Setting:  1
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: CP-6 Month Password Expire
        Policy:            MaximumPasswordAge
        Computer Setting:  180

So what do the latter settings impact?
The latter affects nothing regarding the domain password.
Should have read that link from elbereth21:

There are three different types of Account policies: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Microsoft Windows Server™ 2003 domain may have one of each of these policies. If these policies are set at any other level in Active Directory, only local accounts on member servers will be affected.

Thanks all for the feedback!