Secondary Domain Password Policy

I need to set up vendor VPN accounts with an extended password expiration policy on our AD domain.  I've come to the realization that since they don't use domain member computers, they are restricted by the domain password policy.  My idea is to create an OU with a policy that changes the password policy, create a DC in that OU so that it inherits the policy, and then create user accounts against that DC.  Think it will work?
deanexpert asked:
 
elbereth21 commented:
Another possible link specifically dedicated to account policies:
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch02n.mspx
0
 
Jessie Gill, CISSP (Technical Architect) commented:
You can only have one password (account) policy in one domain. You will not be able to set 2 different password (account) policies in the same domain; the only way to do this is to create another domain with the different password policy. In Windows 2003 each domain is a security boundary that can only have one password policy, e.g. account lockout, complexity etc.  Creating an OU, putting the DC in it and setting a password policy on that OU in the existing domain will not work either. The password policy must be set at the domain level.

So, all in all, nope, I don't think it will work. Sorry.
0
 
NJComputerNetworks commented:
No, I don't think you can create password policies at the OU level... you configure this at the domain level...  So, you would need to create a new domain if you wanted a special password policy.
0
 
deanexpert (Author) commented:
I do know you can set a password policy at an OU level so long as the domain computer resides in that OU.  That's my dilemma.  Our vendors don't access our domain with domain member computers.
0
 
NJComputerNetworks commented:
The settings that are recommended in this chapter are identical for both desktop and laptop client computers, and because they are special-case settings they are applied at the domain root level instead of the OU level. For example, password and account lockout policies for Windows Server 2003 and Windows 2000 Server domains must be configured through a GPO that is linked to the domain root.

source: http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx

Maybe I am not understanding what you mean by password settings?  Do you mean password settings for when they log in to the domain?  If so, this is a domain-wide setting and it can't be set at an OU.
0
 
deanexpert (Author) commented:
My goal is to have vendor user account passwords expire after 180 days as opposed to the domain policy of 60 days.  The complexity is that they don't use domain member computers.  I've created a policy on an OU that contains a test computer, and when I log on to the domain from that computer, it gets the 180 day policy.  Is my misunderstanding that the password expiration is for the local policy?  Of course it still benefits the domain member.  Still thinking out loud...
0
 
elbereth21 commented:
To clarify what NJComputerNetworks and jessiepak have already said, your effective password policy is the one applied at the domain level; if you create a different policy at the OU level, that one will affect the LOCAL users (of the machine, that is).
So if you say that your vendors do not use domain users, but instead local users, it will work.

>> The complexity is that they don't use domain member computers.
By the way, the computer on which they logon must of course be part of the domain.
0
 
NJComputerNetworks commented:
You cannot create custom password policies.  There is only one password policy per domain...  So if your users and vendors are logging into the same domain, they will have to use the same password policy.  There is no way around this.  Note: I am referring to when users log in to the DOMAIN (not the local workstation).
0
 
deanexpert (Author) commented:
I am able to affect the following policies with an OU GPO:

Resultant Set Of Policies for Computer:
----------------------------------------
Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MinimumPasswordAge
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            PasswordHistorySize
        Computer Setting:  24
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: Default Domain Policy
        Policy:            MinimumPasswordLength
        Computer Setting:  6
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: Default Domain Policy
        Policy:            MaximumPasswordAge
        Computer Setting:  60

Account Policies
----------------
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordAge
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            PasswordHistorySize
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordLength
        Computer Setting:  1
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: CP-6 Month Password Expire
        Policy:            MaximumPasswordAge
        Computer Setting:  180

So what do the latter settings impact?
0
 
NJComputerNetworks commented:
The latter affects nothing regarding the domain password.
0
 
deanexpert (Author) commented:
Should have read that link from elbereth21:

There are three different types of Account policies: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Microsoft Windows Server™ 2003 domain may have one of each of these policies. If these policies are set at any other level in Active Directory, only local accounts on member servers will be affected.

Thanks all for the feedback!
0
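As an added example (not code from anyone in the thread), a small Python script that parses an RSoP account-policy dump in the format posted above and labels each winning setting by the accounts it actually governs, applying the rule quoted from the TechNet guide: only a GPO linked at the domain root binds domain accounts; from an OU link the same settings reach the computer's local SAM only. The set of domain-linked GPO names and the sample dump are constructed assumptions for the example.

```python
import re

# Constructed excerpt of the second "Account Policies" block from the thread:
# the OU-linked GPO wins for some settings on the test computer.
RSOP_SAMPLE = """\
Account Policies
----------------
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordAge
        Computer Setting:  30
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: CP-6 Month Password Expire
        Policy:            MaximumPasswordAge
        Computer Setting:  180
"""

# GPOs linked at the domain root. Assumed here; in practice take the list from the
# domain object's gPLink attribute or from the GPMC.
DOMAIN_LINKED_GPOS = {"Default Domain Policy"}

_ENTRY = re.compile(
    r"GPO:\s+(?P<gpo>.+?)\n"
    r"\s+Policy:\s+(?P<policy>\S+)\n"
    r"\s+Computer Setting:\s+(?P<value>\S+)"
)

def parse_rsop(text):
    """Return (gpo, policy, value) tuples from an RSoP account-policy dump."""
    return [(m.group("gpo").strip(), m.group("policy"), m.group("value"))
            for m in _ENTRY.finditer(text)]

def classify(entries, domain_linked=DOMAIN_LINKED_GPOS):
    """Map each policy to its winning GPO, value and the accounts it really governs.

    Account policies bind domain accounts only when the winning GPO is linked at
    the domain root; from any other link they affect local accounts on that
    computer only, which is why the 180-day setting never reaches domain users.
    """
    result = {}
    for gpo, policy, value in entries:
        scope = "domain accounts" if gpo in domain_linked \
            else "local accounts on this computer only"
        result[policy] = {"gpo": gpo, "value": value, "scope": scope}
    return result

if __name__ == "__main__":
    for policy, info in classify(parse_rsop(RSOP_SAMPLE)).items():
        print(f"{policy:22} {info['value']:>6}  from '{info['gpo']}' -> {info['scope']}")
```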