Solved

Domain Policy and Locking workstations

Posted on 2007-04-10
Last Modified: 2008-02-20
In Windows 2003 Server, where do I define password length, history, age, etc.? Is it under Domain Controller Security Policy or Domain Security Policy, and what is the difference?
Also, how in AD can I force all workstations that log in to the domain to lock after, say, 90 minutes of inactivity? I don't want users to be able to override this at their desktop.
0
Question by:donaljcox
7 Comments
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 65 total points
You will define password policies at the domain level, not in the Domain Controllers OU.

You can configure workstations to lock after a period of inactivity by configuring the Administrative Templates\Control Panel\Display\Password Protect the Screen saver settings. You can prevent users from changing this by also enabling the Administrative Templates\Control Panel\Display\Hide Screen Saver Tab setting.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 28

Accepted Solution

by:
Michael Pfister earned 60 total points
"Domain Controller Security Policy" applies to your domain controllers
"Domain Security Policy" applies to your workstations and member servers, NOT the domain controllers

You need to create a policy and set

User -> Administrative Templates -> Control Panel -> Display

Set "Screen Saver" to enabled
Set "Screen Saver executable name" to i.e. logon.scr
Set "Password protect screen saver" to enabled
Set "Screen saver timeout" to 5400

If you like, also enable "Hide screen saver tab" to prevent users from changing this setting (anyway when the GPO is applied, it will be set again).

Hope it helps,

Michael




0
 
LVL 28

Assisted Solution

by:Michael Pfister
Michael Pfister earned 60 total points
2l8 :-)
0

Author Comment

by:donaljcox
OK, but I don't want to go around each machine to do this. I do this centrally, and which MMC do I run?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 65 total points
The point of Group Policy is that you configure the setting once in a GPO, then link that GPO to the OU containing your workstations.

Use the Group Policy Management Console (GPMC) from a DC or your administrative workstation to create and link the GPO; simply right-click on the OU containing your workstations and select "Create and link a new GPO here."

If you do not have the GPMC installed, it is a free download available here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887

To configure a password policy, right-click on your Default Domain Policy and click "Edit." (You can configure the screensaver settings in that GPO as well, but then they will apply to every single workstation and server in your whole environment, which may not be what you want.)
0
 

Author Comment

by:donaljcox
I have tried to link a policy to the OU for the screen saver lockdown, but this does not work. I have even rebooted the machine. I can see that the policy is linked to the OU. Is there something I need to do so that the policy is applied?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 65 total points
Are the user accounts contained in the OU that you've linked the GPO to as well?

You can use the Resultant Set of Policy wizard in the GPMC to get a report of which GPOs are being applied to a particular user/computer combination, and if there are any GPOs that are not being applied for any reason. The following tutorial will walk you through RSoP if you're unfamiliar with it: http://www.windowsecurity.com/articles/Generating-Resultant-Set-Policy-Queries.html
0
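
A local check for the situation at the end of this thread (GPO linked, lock not taking effect), added here as an example and not part of any poster's answer: it reads the per-user policy registry values that the screen saver settings named above write, and reports which ones actually reached the logged-on user. It assumes PowerShell 3.0 or later and the standard registry locations for these Administrative Templates settings; the function names and the 5400-second ceiling (taken from the accepted answer) are this example's own.

```powershell
# Added example: run as the affected user on the workstation.
# These are user-side policy values, so they live under HKCU.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$TabKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Test-ScreenSaverPolicy {
    param([int]$MaxTimeoutSeconds = 5400)   # 90 minutes, as in the thread

    # One entry per GPO setting: where it is stored and what counts as compliant.
    $checks = @(
        @{ Setting = 'Screen Saver';                 Key = $PolicyKey; Name = 'ScreenSaveActive'
           Ok = { $args[0] -eq '1' } },
        @{ Setting = 'Screen Saver executable name'; Key = $PolicyKey; Name = 'SCRNSAVE.EXE'
           Ok = { $args[0] -ne '' } },
        @{ Setting = 'Password protect the screen saver'; Key = $PolicyKey; Name = 'ScreenSaverIsSecure'
           Ok = { $args[0] -eq '1' } },
        @{ Setting = 'Screen Saver timeout';         Key = $PolicyKey; Name = 'ScreenSaveTimeOut'
           Ok = { $t = $args[0] -as [int]; ($t -gt 0) -and ($t -le $MaxTimeoutSeconds) } },
        @{ Setting = 'Hide Screen Saver tab';        Key = $TabKey;    Name = 'NoDispScrSavPage'
           Ok = { $args[0] -eq 1 } }
    )

    foreach ($c in $checks) {
        $value   = Get-PolicyValue -Key $c.Key -Name $c.Name
        $present = $null -ne $value
        $shown   = '<not set>'
        if ($present) { $shown = $value }

        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = $shown
            # A missing value means the GPO's user settings never reached this user.
            Compliant = $present -and [bool](& $c.Ok $value)
        }
    }
}

Test-ScreenSaverPolicy | Format-Table -AutoSize
```

If every row shows `<not set>`, the user half of the GPO is not being applied to this account, which is the case the Resultant Set of Policy report mentioned above will explain.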
