Solved

Domain Policy and Locking workstations

Posted on 2007-04-10
7
429 Views
Last Modified: 2008-02-20
In Windows 2003 server where do I define password length, history age, etc. Is it under Domain Controller Security Policy or Domain Security Policy and what is the difference.
Also, how in AD can I force all workstations that log in to the domain that their machine will lock after say 90 minutes of inactivity. I don't want users to be able to override this at their desktop.
0
Comment
Question by:donaljcox
  • 3
  • 2
  • 2
7 Comments
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 65 total points
ID: 18882478
You will define password policies at the domain level, not in the Domain Controllers OU.

You can configure workstations to lock after a period of inactivity by configuring the Administrative Templates\Control Panel\Display\Password Protect the Screen saver settings. You can prevent users from changing this by also enabling the Administrative Templates\Control Panel\Display\Hide Screen Saver Tab setting.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 28

Accepted Solution

by:
Michael Pfister earned 60 total points
ID: 18882520
"Domain Controller Security Policy" applies to your domain controllers
"Domain Security Policy" applies to your workstations and member servers, NOT the domain controllers

You need to create a policy and set

User -> Administrative Templates -> Control Panel -> Display

Set "Screen Saver" to enabled
Set "Screen Saver executable name" to i.e. logon.scr
Set "Password protect screen saver" to enabled
Set "Screen saver timeout" to 5400

If you like, also enable "Hide screen saver tab" to prevent users from changing this setting (anyway when the GPO is applied, it will be set again).

Hope it helps,

Michael




0
 
LVL 28

Assisted Solution

by:Michael Pfister
Michael Pfister earned 60 total points
ID: 18882526
2l8 :-)
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:donaljcox
ID: 18882555
ok but I dont want to go around each machine to do this. I do this centrally and which mmc to I run ?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 65 total points
ID: 18882582
The point of Group Policy is that you configure the setting once in a GPO, then link that GPO to the OU containing your workstations.

Use the Group Policy Management Console (GPMC) from a DC or your administrative workstation to create and link the GPO; simply right-click on the OU containing your workstations and select "Create and link a new GPO here."

If you do not have the GPMC installed, it is a free download available here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887

To configure a password policy, right-click on your Default Domain Policy and click "Edit."  (You can configure the screensaver settings in that GPO as well, but then they will apply to every single workstation and server in your whole environment which may not be what you want.)
0
 

Author Comment

by:donaljcox
ID: 18882905
I have tired ot link a policy to the OU for the screen saver lockdown but this does not work I have even rebooted machine. I can see that policy is linked to OU. Is there sth I need to do so that the policy is applied ?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 65 total points
ID: 18882959
Are the user accounts contained in the OU that you've linked the GPO to as well?

You can use the Resultant Set of Policy wizard in the GPMC to get a report of which GPOs are being applied to a particular user/computer combination, and if there are any GPOs that are not being applied for any reason. The following tutorial will walk you through RSoP if you're unfamiliar with it: http://www.windowsecurity.com/articles/Generating-Resultant-Set-Policy-Queries.html
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article we will discuss all things related to StageFright bug, the most vulnerable bug of android devices.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now