Domain Policy and Locking workstations

In Windows 2003 Server, where do I define password length, history age, etc.? Is it under Domain Controller Security Policy or Domain Security Policy, and what is the difference?
Also, how in AD can I force all workstations that log in to the domain to lock after, say, 90 minutes of inactivity? I don't want users to be able to override this at their desktop.
donaljcox Asked:

LauraEHunterMVP Commented:
You will define password policies at the domain level, not in the Domain Controllers OU.

You can configure workstations to lock after a period of inactivity by configuring the Administrative Templates\Control Panel\Display\Password Protect the Screen saver settings. You can prevent users from changing this by also enabling the Administrative Templates\Control Panel\Display\Hide Screen Saver Tab setting.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
Michael Pfister Commented:
"Domain Controller Security Policy" applies to your domain controllers
"Domain Security Policy" applies to your workstations and member servers, NOT the domain controllers

You need to create a policy and set

User -> Administrative Templates -> Control Panel -> Display

Set "Screen Saver" to enabled
Set "Screen Saver executable name" to i.e. logon.scr
Set "Password protect screen saver" to enabled
Set "Screen saver timeout" to 5400

If you like, also enable "Hide screen saver tab" to prevent users from changing this setting (anyway when the GPO is applied, it will be set again).

Hope it helps,

Michael




0

Michael Pfister Commented:
2l8 :-)
0
donaljcox (Author) Commented:
OK, but I don't want to go around each machine to do this. I do this centrally and which MMC do I run?
0
LauraEHunterMVP Commented:
The point of Group Policy is that you configure the setting once in a GPO, then link that GPO to the OU containing your workstations.

Use the Group Policy Management Console (GPMC) from a DC or your administrative workstation to create and link the GPO; simply right-click on the OU containing your workstations and select "Create and link a new GPO here."

If you do not have the GPMC installed, it is a free download available here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887

To configure a password policy, right-click on your Default Domain Policy and click "Edit."  (You can configure the screensaver settings in that GPO as well, but then they will apply to every single workstation and server in your whole environment which may not be what you want.)
0
donaljcox (Author) Commented:
I have tried to link a policy to the OU for the screen saver lockdown, but this does not work; I have even rebooted the machine. I can see that the policy is linked to the OU. Is there something I need to do so that the policy is applied?
0
LauraEHunterMVP Commented:
Are the user accounts contained in the OU that you've linked the GPO to as well?

You can use the Resultant Set of Policy wizard in the GPMC to get a report of which GPOs are being applied to a particular user/computer combination, and if there are any GPOs that are not being applied for any reason. The following tutorial will walk you through RSoP if you're unfamiliar with it: http://www.windowsecurity.com/articles/Generating-Resultant-Set-Policy-Queries.html
0
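
To check on a workstation whether the screen saver settings listed earlier in the thread actually reached the logged-on user, the following PowerShell script reads the values those user policies write to the registry. It is an added example, not part of the thread. It assumes PowerShell 3.0 or later is available on the workstation and that the settings land in the standard policy registry locations shown in the code.

```powershell
# Added example: audit the per-user screen saver lock policy for the logged-on user.
# Assumption: the User Configuration settings write to the registry locations below.
$maxTimeout = 5400   # seconds (90 minutes), the timeout used in the thread
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$system  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. no GPO set it for this user.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$checks = @(
    @{ Setting = 'Screen Saver'; Path = $desktop; Name = 'ScreenSaveActive'; Required = $true
       Test = { param($v) "$v" -eq '1' } },
    @{ Setting = 'Screen Saver executable name'; Path = $desktop; Name = 'SCRNSAVE.EXE'; Required = $true
       Test = { param($v) -not [string]::IsNullOrEmpty("$v") } },
    @{ Setting = 'Password protect screen saver'; Path = $desktop; Name = 'ScreenSaverIsSecure'; Required = $true
       Test = { param($v) "$v" -eq '1' } },
    @{ Setting = 'Screen saver timeout'; Path = $desktop; Name = 'ScreenSaveTimeOut'; Required = $true
       Test = { param($v) "$v" -match '^\d+$' -and [int]$v -gt 0 -and [int]$v -le $maxTimeout } },
    # Optional in the thread: hiding the tab only removes the UI, the GPO re-applies anyway.
    @{ Setting = 'Hide Screen Saver tab'; Path = $system; Name = 'NoDispScrSavPage'; Required = $false
       Test = { param($v) "$v" -eq '1' } }
)

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    $shown = if ($null -eq $value) { '<not set>' } else { $value }
    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = $shown
        Required  = $c.Required
        Compliant = [bool](& $c.Test $value)
    }
}

$results | Format-Table -AutoSize

# Fail only on the required settings; the hidden tab is reported but not enforced here.
$failed = @($results | Where-Object { $_.Required -and -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning 'Required values are missing or wrong. These are per-user settings, so check Resultant Set of Policy for this user/computer pair.'
    exit 1
}
```

All values showing `<not set>` means no GPO delivered these settings to the logged-on user; the Resultant Set of Policy report described above lists which GPOs were applied or denied.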
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.