Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 162
  • Last Modified:

Password Policy using Group Policy (win2k)

Hi all,

I am about to implement a password policy on the root of our windows 2000 domain. The policy change will force a minimum length of 6 characters.

1) When will users that have less than 6 characters be affected?  The next time they login again after the policy is applied  OR the next time they are forced to change their password (maybe 2-3 months later).

2) Is there anyway I can stop this policy from applying to a handfull of users?

3) Will this apply to the domain administrator account?

We have many users and I just want to be prepared before implementing the new password policy across the board.

Thanks,

Dean
0
DeanUnited
Asked:
DeanUnited
  • 7
  • 4
  • 4
  • +1
1 Solution
 
Jay_Jay70Commented:
Hi DeanUnited,

password policy will take place next time they have to change their password

if you are setting this on the default domain policy (which you should be) then all users get affected and it is reccomended that you leave it this way
0
 
DeanUnitedAuthor Commented:
Thanks Jay, good to know on point 1

I'm using the default domain policy.

We don't want this to affect our domain administrator account and a few other key users accounts.

Does anyone know the answer to 2 and 3 above?

Thanks,

Dean
0
 
Jay_Jay70Commented:
than create a new policy at the root of the domain, and use security filtering to filter out the users you dont want to affect
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
mdiglioCommented:
Hello,
I don't think security filtering will work; at least it is not suppose to when it comes to password policies.
To have more than one password policy for domain users you need more than one domain.

Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

look for "Storing Password Policy Information" to read about the need for mulitple domains
0
 
Jay_Jay70Commented:
that is more for when your trying to have multiple security policies in a domain, if you filter out a user then there is no policy being applied at all :) just my thoughts anyway
0
 
Jay_Jay70Commented:
i reiterate the point that you are not having more than one policy, only that you are filtering a user out of the ONLY password policy on the domain
0
 
mdiglioCommented:
Intersting point!
I've never tried to do that...
0
 
mdiglioCommented:
I didn't see your post when I was writing my second one
we were too close in submission time.
0
 
Jay_Jay70Commented:
tis cool :)
0
 
DeanUnitedAuthor Commented:
How can I find out about filtering a user on a security policy?

Has anyone tried applying 'deny' for this policy for the user you don't want the password policy to apply to?

Dean
0
 
jpdaveyCommented:
If the user doesn't have permissions to the policy (Deny always overrides Allow), the policy isn't applied. Just make sure you're applying user permissions to user policies and computer permissions to computer policies :)
If you MUST have this exception you should create a group and put accounts into that group then apply the Deny to the group. Hopefully, your administrator account already meets and exceeds this policy times two!

JP
0
 
Jay_Jay70Commented:
basically above is correct

here is some more details, this is what i used to learn
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 
DeanUnitedAuthor Commented:
Thanks all!
0
 
DeanUnitedAuthor Commented:
ooops sorry Jay_Jay . I wanted to give you some points because your answer was useful too. Can I change it?
0
 
Jay_Jay70Commented:
if you would like to, then you can just request in community support that it be reopened for a split

Thanks mate
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 7
  • 4
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now