Solved

How to setup a shorter password expiration policy for a certain group of users.

Posted on 2006-11-01
14
298 Views
Last Modified: 2010-08-05
We have a group of users (actually 2) that need to have shorter password expiration than the rest of our normal users. How do you set something like this up?

Example:

1. All domain users passwords expire every 30 days
2. Need to maintain the above policy and have a policy for a certain group of users that forces a change every 15 days.
0
Comment
Question by:amenoss
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
  • 2
14 Comments
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17849510
Set up a new Group Policy, and add only the users/computers the user uses that you want the policy to apply to.

Edit the policy, then go to:

Computer Configuration -> Windows Settings -> Security Settings -> Password Policy

And define the maximum password age for them there.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17849577
You can't IMHO for domain accounts.  It is a domain wide, if you want different password policies you need multiple domains or third party tools:

http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

Steve
0
 

Author Comment

by:amenoss
ID: 17849972
Adam, I guess thats where im confused Im not sure how to setup a another group policy for a domain.....I was hoping there was a way other than dragon (thanks for the link!) had provided that I just wasnt aware of...
0
Backup Solution for AWS

Read about how CloudBerry Backup fully integrates your backups with Amazon S3 and Amazon Glacier to provide military-grade encryption and dramatically cut storage costs on any platform.

 
LVL 43

Expert Comment

by:Steve Knight
ID: 17850010
F
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17850015
?

Just open your Group Policy MMC, Right-Click on the Domain, and Create and Link a GPO.

Make sure your GPO takes precedence in the inheritance chain for the users.  

0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17850026
Dragon,

F  ???
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17850031
Oops, that wasn;t the start  of something dodgy, was trying to say:

For domain accounts they use the policy assigned to the domain controllers and there can only be one.  Setting policies for computers if anythign will set their local account policies for local accounts.
0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17850048
Dragon,

You sure about that?  Not saying you are incorrect, but I vaguely recall having done this before and having it work properly.  Perhaps I'm suffering from a case of bad memory.  Will run a test here in a bit and see.

0
 
LVL 16

Expert Comment

by:AdamRobinson
ID: 17850069
You are correct, Dragon.

Please disregard my previous comments, Amenoss, they are in error.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17850081
Yes, you aren't logging into your own machine local a/c, you are logging 'into' a DC so it is the DC's account policy that takes.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17850098
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 50 total points
ID: 17850110
So sorry, the answer is thrid party s/w, a new domain, or local login a/cs.
0
 

Author Comment

by:amenoss
ID: 17850124
Dragon thanks for the clarification and the link...
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17850171
No problem, it's a pain but its how it is!
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question