dqnet
asked on
Policy and blocking inheritance.
Hi Peeps,
I dont think this a tough one but just wanted to get a confirmation from the experts.
Basically I have a bunch of OU's and I want to set a domain policy to enforce passwords to be a certain character length.
However, I do not want to affect of of the OU's which is the server logins. I need them to be unaffected by the domain level policy.
I thought it was as simple as blocking policy inheritance on that specific OU but from reading certain things here, that is not the case.
How can I apply a domain level policy to all users, (Marketing OU, Finance OU, Developers OU, etc etc) without affecting the Servers login usernames OU.
Thanks folks,
Raf
I dont think this a tough one but just wanted to get a confirmation from the experts.
Basically I have a bunch of OU's and I want to set a domain policy to enforce passwords to be a certain character length.
However, I do not want to affect of of the OU's which is the server logins. I need them to be unaffected by the domain level policy.
I thought it was as simple as blocking policy inheritance on that specific OU but from reading certain things here, that is not the case.
How can I apply a domain level policy to all users, (Marketing OU, Finance OU, Developers OU, etc etc) without affecting the Servers login usernames OU.
Thanks folks,
Raf
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
hmmm...was late posting that one, as usual ;o) Jay and oBdA, your'e definitely too fast for me ;o)
:-) just got lucky, spammed my keyboard and something legible came forth ;-)
ASKER
Hey Jay Jay!
How ya doing pal?
Ok, what about this... Would it be possible to implement a domain wide policy but to set the accounts / usernames in which I dont want there password to expire in 30 days as 'Password never expires'.
That way, whatever the password is now, it will never ask me to change it for it to even meet the 15 character complexity rule?
How ya doing pal?
Ok, what about this... Would it be possible to implement a domain wide policy but to set the accounts / usernames in which I dont want there password to expire in 30 days as 'Password never expires'.
That way, whatever the password is now, it will never ask me to change it for it to even meet the 15 character complexity rule?
Yes, that would work.
I like that comment Jay_Jay70 :D
Looks like dqnet is thinking outside the box ;)
Cheers
kshays
Looks like dqnet is thinking outside the box ;)
Cheers
kshays
ASKER
Hahaha :)
Ok so one thing, when I go to change the passwords for the servers logins myself, the domain wide rule will apply then yea?
Like I will have to follow the same rules and regulations as I set for the domain (including all the other OU's)
Correct?
Thanks folks...!
Ok so one thing, when I go to change the passwords for the servers logins myself, the domain wide rule will apply then yea?
Like I will have to follow the same rules and regulations as I set for the domain (including all the other OU's)
Correct?
Thanks folks...!
Exactly. Unless you disable the password policy while changing the passwords ...
hey mate how are ya :) sorry for late response, i was in Bed :-P!
looks like you have been looked after though :) can i ask why you want to exclude users from a strong password policy?
looks like you have been looked after though :) can i ask why you want to exclude users from a strong password policy?
I agree with Jay here, the more complex and longer the password is the better. Of course trying to get this implemented to the staff and management is a pain though. They just don't quite get why my domain admin password is complex with a couple of phrases and between 25-40 characters long. They believe password should = username1 or username2
DOH!!!!
I tell you there is not a day goes by that I don't get a good laugh :)
kshays
PS: Not saying you were trying to influence the auther into weak paswords oBdA :)
DOH!!!!
I tell you there is not a day goes by that I don't get a good laugh :)
kshays
PS: Not saying you were trying to influence the auther into weak paswords oBdA :)
ASKER
Ahh! Excellent! Simply excellent.. I'll disable it when I come to change the server passwords.
Hahahahah! :)
Well the good news is I got them to follow the policy regardless. They have no choice now! >:)
However, Its the Server Logins that I cant keep changing, I have like 5-10 logins and to set a 15 character password for each of them that meets complexity requirements is putting a bit of strain on what needs to be remembered. I set all of them to STRONG passwords, nobody knows them and I just thought keeping them at that would be sufficient?
Hahahahah! :)
Well the good news is I got them to follow the policy regardless. They have no choice now! >:)
However, Its the Server Logins that I cant keep changing, I have like 5-10 logins and to set a 15 character password for each of them that meets complexity requirements is putting a bit of strain on what needs to be remembered. I set all of them to STRONG passwords, nobody knows them and I just thought keeping them at that would be sufficient?
i see what you mean and can understand it, that is your perogative if you want to keep it like that :)
ASKER
Well guys!
Thank you all for your help.
I didnt know exactly who to assign the points to as you've all been helpfull.
I simply bumped the points to 200 and divded it between you guys.
Thanks again folks!!
Thank you all for your help.
I didnt know exactly who to assign the points to as you've all been helpfull.
I simply bumped the points to 200 and divded it between you guys.
Thanks again folks!!
thankyou
Did you just block inheritance, or did you explicitly deny the policy on the OU ?
Cheers