deanexpert
asked on
Secondary Domain Password Policy
I need to setup vendor VPN accounts with an extended password expiration policy on our AD domain. I've come to the realization that since they don't use domain member computers, they are restricted by the domain password policy. My idea is to create and OU with a policy that changes the password policy. Create a DC in that OU so that it inherits the policy. Then, create user accounts against that DC. Think it will work?
No, I don't think you can create password policies at the OU level... you configure this at the domain level... So, you would need to create a new domain if you wanted a special password policy.
ASKER
I do know you can set a password policy at an OU level so long as the domain computer resides in that OU. That's my dilemma. Our vendors don't access our domain with domain member computers.
The settings that are recommended in this chapter are identical for both desktop and laptop client computers, and because they are special-case settings they are applied at the domain root level instead of the OU level. For example, password and account lockout policies for Windows Server 2003 and Windows 2000 Server domains must be configured through a GPO that is linked to the domain root.
source: http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx
Maybe I am not understanding what you mean by password settings? Do you mean password settings for when they log in to the domain? If so, this is a domain-wide setting and it can't be set at an OU.
ASKER
My goal is to have vendor user account passwords expire after 180 days as opposed to the domain policy of 60 days. The complexity is that they don't use domain member computers. I've created a policy on an OU that contains a test computer, and when I logon to the domain from that computer, it gets the 180 day policy. Is my misunderstanding that the password expiration is for the local policy? Of course it still benefits the domain member. Still thinking out loud...
To clarify what NJComputerNetworks and jessiepak have already said, your effective password policy is the one applied at the Domain level, anyway if you create a different policy at the OU level, this one will influence the LOCAL (of the machine, that is) users.
So if you say that your vendors do not use domain users, but instead local users, it will work.
>> The complexity is that they don't use domain member computers.
By the way, the computer on which they logon must of course be part of the domain.
ASKER
I am able to affect the following policies with an OU GPO:
Resultant Set Of Policies for Computer:
--------------------------
Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 24
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 99999
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 30
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 6
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 60
Account Policies
----------------
GPO: CP-6 Month Password Expire
Policy: MinimumPasswordAge
Computer Setting: 30
GPO: CP-6 Month Password Expire
Policy: PasswordHistorySize
Computer Setting: N/A
GPO: Default Domain Policy
Policy: LockoutDuration
Computer Setting: 99999
GPO: Default Domain Policy
Policy: ResetLockoutCount
Computer Setting: 30
GPO: CP-6 Month Password Expire
Policy: MinimumPasswordLength
Computer Setting: 1
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: 3
GPO: CP-6 Month Password Expire
Policy: MaximumPasswordAge
Computer Setting: 180
So what do the latter settings impact?
The latter affects nothing regarding the domain password.
ASKER
Should have read that link from elbereth21:
There are three different types of Account policies: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Microsoft Windows Server™ 2003 domain may have one of each of these policies. If these policies are set at any other level in Active Directory, only local accounts on member servers will be affected.
Thanks all for the feedback!
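The distinction the thread settles on (an OU-linked GPO's account policy reaches only the local accounts of computers in that OU, while domain accounts follow the policy linked at the domain root) can be verified from a member computer. The following PowerShell script is an added example, not code from the thread or from Experts Exchange; it assumes the ActiveDirectory RSAT module is installed, and the account name `vendor01` is a constructed placeholder.

```powershell
# Added example: compare the password policy an OU-linked GPO pushes to a member
# computer's LOCAL accounts with the policy that actually governs DOMAIN accounts.
# Assumptions (not from the thread): the ActiveDirectory module is available, and
# $VendorUser names a sample account in your own domain.
param(
    [string]$VendorUser = 'vendor01'   # constructed sample sAMAccountName
)

# Helper: pull the "Maximum password age (days)" line out of `net accounts` output.
function Get-NetAccountsMaxAge {
    param([switch]$Domain)
    $lines = if ($Domain) { net accounts /domain } else { net accounts }
    $line  = $lines | Where-Object { $_ -match 'Maximum password age' } | Select-Object -First 1
    if ($line) { ($line -replace '.*:\s*', '').Trim() } else { 'n/a' }
}

# 1. Local view: what the OU-linked GPO (such as the "CP-6 Month Password Expire"
#    GPO in the RSoP above) enforces for local accounts on THIS member computer.
$localMax = Get-NetAccountsMaxAge

# 2. Domain view: `net accounts /domain` queries the PDC emulator, so this is the
#    policy that binds domain user accounts regardless of which OU they live in.
$domainMax = Get-NetAccountsMaxAge -Domain

# 3. The same answer through the AD module. The default domain policy comes from
#    the domain root; the per-user resultant policy is empty when no fine-grained
#    policy applies, in which case the default domain policy governs that user.
Import-Module ActiveDirectory
$default   = Get-ADDefaultDomainPasswordPolicy
$resultant = Get-ADUserResultantPasswordPolicy -Identity $VendorUser
$effective = if ($resultant) { $resultant.MaxPasswordAge } else { $default.MaxPasswordAge }

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    LocalAccountsMaxAgeDays = $localMax
    DomainAccountsMaxAgeDays = $domainMax
    DefaultDomainMaxAgeDays = $default.MaxPasswordAge.Days
    VendorUserEffectiveDays = $effective.Days
    FineGrainedPolicyApplied = [bool]$resultant
}
```

Run it on a computer that sits in the OU carrying the extended-expiration GPO. `LocalAccountsMaxAgeDays` reflects that OU GPO, while `DomainAccountsMaxAgeDays`, `DefaultDomainMaxAgeDays` and `VendorUserEffectiveDays` all report the domain-root value, which is exactly the behaviour the RSoP output and the quoted Microsoft text describe. One caveat the thread predates: on domains at the Windows Server 2008 functional level or later, fine-grained password policies (Password Settings Objects) are the supported way to give one group of accounts a different expiration without standing up a second domain, and `Get-ADUserResultantPasswordPolicy` is how you confirm which one a given account received.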