• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 439
  • Last Modified:

Domain Policy and Locking workstations

In Windows 2003 server where do I define password length, history age, etc. Is it under Domain Controller Security Policy or Domain Security Policy and what is the difference.
Also, how in AD can I force all workstations that log in to the domain that their machine will lock after say 90 minutes of inactivity. I don't want users to be able to override this at their desktop.
0
donaljcox
Asked:
donaljcox
  • 3
  • 2
  • 2
5 Solutions
 
LauraEHunterMVPCommented:
You will define password policies at the domain level, not in the Domain Controllers OU.

You can configure workstations to lock after a period of inactivity by configuring the Administrative Templates\Control Panel\Display\Password Protect the Screen saver settings. You can prevent users from changing this by also enabling the Administrative Templates\Control Panel\Display\Hide Screen Saver Tab setting.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
Michael PfisterCommented:
"Domain Controller Security Policy" applies to your domain controllers
"Domain Security Policy" applies to your workstations and member servers, NOT the domain controllers

You need to create a policy and set

User -> Administrative Templates -> Control Panel -> Display

Set "Screen Saver" to enabled
Set "Screen Saver executable name" to i.e. logon.scr
Set "Password protect screen saver" to enabled
Set "Screen saver timeout" to 5400

If you like, also enable "Hide screen saver tab" to prevent users from changing this setting (anyway when the GPO is applied, it will be set again).

Hope it helps,

Michael




0
 
Michael PfisterCommented:
2l8 :-)
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
donaljcoxAuthor Commented:
ok but I dont want to go around each machine to do this. I do this centrally and which mmc to I run ?
0
 
LauraEHunterMVPCommented:
The point of Group Policy is that you configure the setting once in a GPO, then link that GPO to the OU containing your workstations.

Use the Group Policy Management Console (GPMC) from a DC or your administrative workstation to create and link the GPO; simply right-click on the OU containing your workstations and select "Create and link a new GPO here."

If you do not have the GPMC installed, it is a free download available here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887

To configure a password policy, right-click on your Default Domain Policy and click "Edit."  (You can configure the screensaver settings in that GPO as well, but then they will apply to every single workstation and server in your whole environment which may not be what you want.)
0
 
donaljcoxAuthor Commented:
I have tired ot link a policy to the OU for the screen saver lockdown but this does not work I have even rebooted machine. I can see that policy is linked to OU. Is there sth I need to do so that the policy is applied ?
0
 
LauraEHunterMVPCommented:
Are the user accounts contained in the OU that you've linked the GPO to as well?

You can use the Resultant Set of Policy wizard in the GPMC to get a report of which GPOs are being applied to a particular user/computer combination, and if there are any GPOs that are not being applied for any reason. The following tutorial will walk you through RSoP if you're unfamiliar with it: http://www.windowsecurity.com/articles/Generating-Resultant-Set-Policy-Queries.html
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now