Some questions about password policies and GPOs in SBS 2003 R2 Group Policy objects

Posted on 2007-10-03
Last Modified: 2012-06-27
I am experimenting with GPOs in SBS 2003 R2 and had a couple questions / want to make sure I am not missing something.

the password wizard goes just so far?  you have to manually change the GPO to change the number of passwords it remembers, right? (along with min time of password life, etc.)

There's a bunch of GPOs out of the box!?  you have the default domain policy abd domain password policy.  they seem to conflict with each other on how many passwords are maintained (even though the password policy wizard is unchecked to remember ANY!)

Which takes precidence / why they conflict right out of the box?

when you run the password policy wizard and say 3 days ... does it cue up a batch job to make the change or is there a way in the registry to say 'start this after date X?
Question by:babaganoosh
    LVL 70

    Assisted Solution

    You can only apply password and account policies at the domain level (the default domain policy)
    Any settings applied anywhere else are ignored.

    Author Comment

    otehr gpo's besides the default domain policy can have password policieis in them, right?  they are ignored because they are lower in the GPO list?  Or higher numbered ones take precidence?

    LVL 74

    Accepted Solution

    Almost ALL default SBS GPOs are applied at the domain level, including the Small Business Server Domain Password Policy which is configured using the "Configure Password Policy" wizard.

    In stand-alone Windows Server environments, you'd configure the password policy in the defualt domain policy, but not on SBS.  Instead, it's done with the separate GPO, which sits BELOW the default domain policy.  Since the Password GPO is more restrictive, it'll apply even though it is under the domain GPO.

    If you don't select "immediately" for when to apply the policy, there are no changes made to the GPO.  Instead, a Scheduled Task is created to run and change the GPO according to when you directed it to.


    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Join & Write a Comment

    In the event you manage a Small Business Server 2003, and you are audited for PCI compliance, there are several changes you must make in order to pass the audit. I can take no credit for discovering any of these fixes or workarounds, but there is no…
    Written by Glen Knight (demazter) as part of a series of how-to articles. Introduction One of the biggest consumers of disk space with Small Business Server 2008(SBS) is Windows Server Update Services, more affectionately known as WSUS. For t…
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now