Solved

Secondary Domain Password Policy

Posted on 2006-03-29
Last Modified: 2012-06-21
I need to set up vendor VPN accounts with an extended password expiration policy on our AD domain. I've come to the realization that since they don't use domain member computers, they are restricted by the domain password policy. My idea is to create an OU with a policy that changes the password policy, create a DC in that OU so that it inherits the policy, and then create user accounts against that DC. Think it will work?
Question by:deanexpert
11 Comments
 
LVL 8

Assisted Solution

by:Jessie Gill, CISSP
Jessie Gill, CISSP earned 600 total points
ID: 16323395
You can only have one password (Account) policy in one domain. You will not be able to set 2 different password (Account) policies in the same domain; the only way to do this is to create another domain with the different password policy. In Windows 2003 each domain is a security boundary that can only have one password policy, e.g. account lockout, complexity etc. Creating an OU, putting the DC in it and setting a password policy on that OU in the existing domain will not work either. The password policy must be set at the domain level in the domain.

So all in all, nope, I don't think it will work.
Sorry.
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16323396
No, I don't think you can create password policies at the OU level... you configure this at the domain level... So, you would need to create a new domain if you wanted a special password policy.
 

Author Comment

by:deanexpert
ID: 16323464
I do know you can set a password policy at an OU level so long as the domain computer resides in that OU. That's my dilemma. Our vendors don't access our domain with domain member computers.

 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16323538
The settings that are recommended in this chapter are identical for both desktop and laptop client computers, and because they are special-case settings they are applied at the domain root level instead of the OU level. For example, password and account lockout policies for Windows Server 2003 and Windows 2000 Server domains must be configured through a GPO that is linked to the domain root.

source: http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch02.mspx

Maybe I am not understanding what you mean by password settings? Do you mean password settings for when they log in to the domain? If so, this is a domain-wide setting and it can't be set at an OU.
 

Author Comment

by:deanexpert
ID: 16323652
My goal is to have vendor user account passwords expire after 180 days as opposed to the domain policy of 60 days. The complexity is that they don't use domain member computers. I've created a policy on an OU that contains a test computer, and when I log on to the domain from that computer, it gets the 180 day policy. Is my misunderstanding that the password expiration is for the local policy? Of course it still benefits the domain member. Still thinking out loud...
 
LVL 11

Expert Comment

by:elbereth21
ID: 16323788
To clarify what NJComputerNetworks and jessiepak have already said, your effective password policy is the one applied at the Domain level; anyway, if you create a different policy at the OU level, this one will influence the LOCAL (of the machine, that is) users.
So if you say that your vendors do not use domain users, but instead local users, it will work.

>> The complexity is that they don't use domain member computers.
By the way, the computer on which they log on must of course be part of the domain.
 
LVL 33

Assisted Solution

by:NJComputerNetworks
NJComputerNetworks earned 600 total points
ID: 16323811
You cannot create custom password policies. There is only one password policy per domain... So if your users and vendors are logging into the same domain, they will have to use the same password policy. There is no way around this. Note: I am referring to when users log in to the DOMAIN (not the local workstation).
 
LVL 11

Accepted Solution

by:elbereth21
elbereth21 earned 800 total points
ID: 16323851
Another possible link specifically dedicated to account policies:
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch02n.mspx
 

Author Comment

by:deanexpert
ID: 16324724
I am able to effect the following policies with an OU GPO:

Resultant Set Of Policies for Computer:
----------------------------------------
Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MinimumPasswordAge
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            PasswordHistorySize
        Computer Setting:  24
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: Default Domain Policy
        Policy:            MinimumPasswordLength
        Computer Setting:  6
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: Default Domain Policy
        Policy:            MaximumPasswordAge
        Computer Setting:  60

Account Policies
----------------
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordAge
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            PasswordHistorySize
        Computer Setting:  N/A
    GPO: Default Domain Policy
        Policy:            LockoutDuration
        Computer Setting:  99999
    GPO: Default Domain Policy
        Policy:            ResetLockoutCount
        Computer Setting:  30
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordLength
        Computer Setting:  1
    GPO: Default Domain Policy
        Policy:            LockoutBadCount
        Computer Setting:  3
    GPO: CP-6 Month Password Expire
        Policy:            MaximumPasswordAge
        Computer Setting:  180

So what do the latter settings impact?
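What the two RSoP blocks above mean in practice, as an added example that is not part of the thread: it parses the posted Account Policies dump (a trimmed, constructed copy is embedded) and reports which GPO governs MaximumPasswordAge for domain accounts versus local accounts on that member computer, plus which OU-level overrides never reach domain accounts. The scope-to-block mapping assumes the rule the thread arrives at: only the GPO linked at the domain root sets account policy for domain accounts.

```python
# Parse the text-mode RSoP 'Account Policies' dump quoted in the thread.
import re

# Constructed sample trimmed from the RSoP output posted above: block one is
# the domain-root result, block two the same computer with the OU-linked GPO.
RSOP_TEXT = """\
Account Policies
----------------
    GPO: Default Domain Policy
        Policy:            MinimumPasswordLength
        Computer Setting:  6
    GPO: Default Domain Policy
        Policy:            MaximumPasswordAge
        Computer Setting:  60

Account Policies
----------------
    GPO: CP-6 Month Password Expire
        Policy:            MinimumPasswordLength
        Computer Setting:  1
    GPO: CP-6 Month Password Expire
        Policy:            MaximumPasswordAge
        Computer Setting:  180
"""

ENTRY = re.compile(r"GPO:\s+(?P<gpo>.+)\n\s+Policy:\s+(?P<pol>\w+)\n"
                   r"\s+Computer Setting:\s+(?P<val>\S+)")

def parse_blocks(text):
    """One {policy: (source GPO, value)} dict per 'Account Policies' section."""
    return [{m["pol"]: (m["gpo"], m["val"]) for m in ENTRY.finditer(chunk)}
            for chunk in re.split(r"Account Policies\n-+\n", text)[1:]]

def effective(domain_block, ou_block, scope):
    """Domain accounts take account policy only from the GPO linked at the domain
    root; the OU-layered result reaches only local accounts on that computer."""
    if scope not in ("domain", "local"):
        raise ValueError("scope must be 'domain' or 'local'")
    return domain_block if scope == "domain" else ou_block

def ou_only_overrides(domain_block, ou_block):
    """Settings the OU GPO changed that never apply to domain accounts."""
    return sorted(p for p, (gpo, _) in ou_block.items()
                  if gpo != domain_block.get(p, (gpo,))[0])

if __name__ == "__main__":
    dom, ou = parse_blocks(RSOP_TEXT)
    for scope in ("domain", "local"):
        print(scope, effective(dom, ou, scope)["MaximumPasswordAge"])
    print("OU-only overrides:", ou_only_overrides(dom, ou))
```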
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16324767
The latter affects nothing regarding the domain password.
 

Author Comment

by:deanexpert
ID: 16324874
Should have read that link from elbereth21:

There are three different types of Account policies: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Microsoft Windows Server™ 2003 domain may have one of each of these policies. If these policies are set at any other level in Active Directory, only local accounts on member servers will be affected.

Thanks all for the feedback!
