athanasius296


How to prevent a global password policy applying to a Local Account?

Hi!
I think it's a tough case, hence 500 points!
I have a W2K computer joined to a Win Active Directory domain. The global policy on the domain is set to at least 6 characters, the local policy is set to 0, and in effect it's 6 characters.
Now, I have software which REQUIRES a very specific 3-char password on one LOCAL user account.
How can I work around this, so the domain policy is untouched and the local account can have a 3-char password?
I have full admin rights to the local computer, but the machine has to stay on the network, joined to the domain.
Thanks!
rsivanandan

I'm not sure if this can be done. It is pretty much turn ON/OFF.

Cheers,
Rajesh
oBdA

Since it's a local account, you can do it. Put the machine into its own OU, and change the password policy for that OU. This will only influence local accounts on the machine(s) in this OU.

Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
A simple workaround would be to create a new OU for that computer and any others that need this part of the group policies changed. Then create a different GP for these boxes.

If you are not a domain admin, try this:

Correct me if I am wrong, but I thought local policies were the last to be applied. So if you specify in that machine's local policy that it also has a password policy of 3 min, then this should also fix the problem by overwriting the GP.
Sorry, must have been typing when oBdA put the answer in....
Local Policies are the first to be applied; the sequence is LSDO: Local, Site, Domain, Organizational Units.
There'd basically be no point in policies if every local admin could just block or overwrite them ...

ASKER

Thanks for your fast response.
oBdA says: "Simple work around would be to create a new OU for that computer" - well, what if I don't have admin rights to that level of the Domain? I'm admin on the local wkstn, and can join/disjoin the wkstn from the Domain.
What other options do I have?
Can you create GPOs and groups for the OU the machine is in? If so, you can create a new GPO with the password policy settings, and use security group filtering to only apply it to that machine.
If not, you can still ask the OU admin to do that for you.
If this doesn't work, either, your only choice is probably to unjoin the machine from the domain, create the account with the password, then join it back to the domain. The password isn't checked during use, only when it's created.
Hi oBdA,
I like your suggestion:
"your only choice is probably to unjoin the machine from the domain, create the account with the password, then join it back to the domain. The password isn't checked during use, only when it's created."
BUT if I'm asked by the program I mentioned before to change the password, I can't reapply the 3-char password, and have to use a global 6-char one.
So, the solution would be only temporary.
Hi!

I didn't get a satisfying answer to solve my problem, but I found elsewhere a perfect solution, which I'm posting here:
To reset the local security settings on the computer, type in a command prompt exactly:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Thanks all for your comments and support!
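
The thread turns on whether a machine's effective minimum password length can end up below the domain's 6 characters. The following is an added example, not part of any post above, that checks this from the file written by `secedit /export /cfg <file>`. The function names and the sample export are constructed for illustration.

```python
import configparser

# Baseline from the thread: the domain requires at least 6 characters.
BASELINE_MIN_LENGTH = 6

# Constructed sample of a `secedit /export` file (not captured from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def decode_export(raw: bytes) -> str:
    """Exports are typically UTF-16 with a BOM; accept UTF-8/ASCII as well."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def min_password_length(export_text: str):
    """Return MinimumPasswordLength from [System Access], or None if absent."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",), allow_no_value=True)
    parser.optionxform = str  # keep key case exactly as exported
    parser.read_string(export_text)
    if not parser.has_option("System Access", "MinimumPasswordLength"):
        return None
    return int(parser.get("System Access", "MinimumPasswordLength").strip())

def check_host(raw: bytes, baseline: int = BASELINE_MIN_LENGTH) -> str:
    """Compare the exported effective setting with the expected baseline."""
    length = min_password_length(decode_export(raw))
    if length is None:
        return "UNKNOWN: MinimumPasswordLength not present in export"
    if length < baseline:
        return f"DRIFT: effective minimum length {length} is below baseline {baseline}"
    return f"OK: effective minimum length {length}"

if __name__ == "__main__":
    print(check_host(SAMPLE_EXPORT.encode("utf-16")))
```

Because the password is only checked when it is set, a passing result does not show that existing local account passwords meet the baseline.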