Secondary Domain Password Policy

I need to set up vendor VPN accounts with an extended password expiration policy on our AD domain. I've come to the realization that since they don't use domain member computers, they are restricted by the domain password policy. My idea is to create an OU with a policy that changes the password policy, create a DC in that OU so that it inherits the policy, and then create user accounts against that DC. Think it will work?
deanexpert Asked:
Jessie Gill, CISSP, Technical Architect Commented:
You can only have one password (account) policy in one domain. You will not be able to set two different password (account) policies in the same domain; the only way to do this is to create another domain with the different password policy. In Windows 2003 each domain is a security boundary that can only have one password policy, e.g. account lockout, complexity, etc. Creating an OU, putting the DC in it and setting a password policy on that OU in the existing domain will not work either. The password policy must be set at the domain level in the domain.

So, all in all, nope, I don't think it will work.
Sorry.
NJComputerNetworks Commented:
No, I don't think you can create password policies at the OU level... you configure this at the domain level... So, you would need to create a new domain if you wanted a special password policy.
deanexpert Author Commented:
I do know you can set a password policy at an OU level so long as the domain computer resides in that OU.  That's my dilemma.  Our vendors don't access our domain with domain member computers.
NJComputerNetworks Commented:
The settings that are recommended in this chapter are identical for both desktop and laptop client computers, and because they are special-case settings they are applied at the domain root level instead of the OU level. For example, password and account lockout policies for Windows Server 2003 and Windows 2000 Server domains must be configured through a GPO that is linked to the domain root.

source: http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx

Maybe I am not understanding what you mean by password settings? Do you mean password settings for when they log in to the domain? If so, this is a domain-wide setting and it can't be set at an OU.
deanexpert Author Commented:
My goal is to have vendor user account passwords expire after 180 days as opposed to the domain policy of 60 days. The complexity is that they don't use domain member computers. I've created a policy on an OU that contains a test computer, and when I log on to the domain from that computer, it gets the 180 day policy. Is my misunderstanding that the password expiration is for the local policy? Of course it still benefits the domain member. Still thinking out loud...
elbereth21 Commented:
To clarify what NJComputerNetworks and jessiepak have already said, your effective password policy is the one applied at the Domain level; anyway, if you create a different policy at the OU level, this one will influence the LOCAL (of the machine, that is) users.
So if you say that your vendors do not use domain users, but instead local users, it will work.

>> The complexity is that they don't use domain member computers.
By the way, the computer on which they log on must of course be part of the domain.
NJComputerNetworks Commented:
You cannot create custom password policies. There is only one password policy per domain... So if your users and vendors are logging into the same domain, they will have to use the same password policy. There is no way around this. Note: I am referring to when users log in to the DOMAIN (not the local workstation).
elbereth21 Commented:
Another possible link specifically dedicated to account policies:
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch02n.mspx

deanexpert Author Commented:
I am able to affect the following policies with an OU GPO:

Resultant Set Of Policies for Computer:
----------------------------------------
Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MinimumPasswordAge
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            PasswordHistorySize
        Computer Setting:  24
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: Default Domain Policy
        Policy:            MinimumPasswordLength
        Computer Setting:  6
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: Default Domain Policy
        Policy:            MaximumPasswordAge
        Computer Setting:  60

Account Policies
----------------
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordAge
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            PasswordHistorySize
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordLength
        Computer Setting:  1
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: CP-6 Month Password Expire
        Policy:            MaximumPasswordAge
        Computer Setting:  180

So what do the latter settings impact?
NJComputerNetworks Commented:
The latter affects nothing regarding the domain password.
deanexpert Author Commented:
Should have read that link from elbereth21:

There are three different types of Account policies: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Microsoft Windows Server™ 2003 domain may have one of each of these policies. If these policies are set at any other level in Active Directory, only local accounts on member servers will be affected.

Thanks all for the feedback!
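The rule the thread ends on (Account Policies only govern domain accounts when the winning GPO is linked at the domain root; from any other link point they only affect local accounts on the computers in scope) can be checked mechanically against an RSoP dump like the one quoted above. The script below is an added example, not part of the thread; it assumes the domain-root GPO is named "Default Domain Policy" as in the author's output, and the sample text is a constructed excerpt of that output.

```python
import re
from collections import OrderedDict

# Constructed sample: an excerpt of the second "Account Policies" block from the
# RSoP output quoted in the thread (GPO "CP-6 Month Password Expire" is OU-linked).
SAMPLE_RSOP = """Account Policies
----------------
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordAge
        Computer Setting:  30
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: CP-6 Month Password Expire
        Policy:            MaximumPasswordAge
        Computer Setting:  180
"""

# GPOs linked at the domain root. In a Windows Server 2003 domain only these can
# set the password/lockout policy for domain accounts (assumption: name as in thread).
DOMAIN_ROOT_GPOS = {"Default Domain Policy"}

ENTRY = re.compile(
    r"GPO:\s*(?P<gpo>.+?)\s*\n\s*Policy:\s*(?P<policy>\S+)\s*\n"
    r"\s*Computer Setting:\s*(?P<value>\S+)"
)


def parse_rsop(text):
    """Return a list of (gpo, policy, value) triples from RSoP text output."""
    return [(m["gpo"], m["policy"], m["value"]) for m in ENTRY.finditer(text)]


def audit_account_policies(entries, domain_root_gpos=DOMAIN_ROOT_GPOS):
    """Classify each Account Policy setting by where its winning GPO is linked.

    'domain' means the setting governs domain accounts; 'local-accounts-only'
    means the winning GPO is linked below the domain root, so the value only
    applies to local accounts on the computers in scope and domain accounts
    still receive the domain-root policy.
    """
    result = OrderedDict()
    for gpo, policy, value in entries:
        scope = "domain" if gpo in domain_root_gpos else "local-accounts-only"
        result[policy] = {"gpo": gpo, "value": value, "scope": scope}
    return result


if __name__ == "__main__":
    for policy, info in audit_account_policies(parse_rsop(SAMPLE_RSOP)).items():
        print(f"{policy:22} {info['value']:>6}  from '{info['gpo']}'  -> {info['scope']}")
```

Run against the full dump from the thread, the 180-day MaximumPasswordAge and the 1-character MinimumPasswordLength both come out as local-accounts-only, which is why the domain accounts keep the 60-day expiry.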