[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Windows Server 2003 Domain Password Policy Override

Posted on 2007-12-02
10
Medium Priority
?
4,464 Views
Last Modified: 2011-08-18
I have a client with a Windows 2003 Server AD domain with a fairly basic password policy.  The client has been instructed to enforce a series of password rules on a single workstation that will soon contain sensitive data.  I tried to configure the local password policy on the workstation but, as I suspected, the policy was locked and overridden by the domain wide policy.  Is there any way to enforce a separate set of rules on a single workstation without removing it from the domain?
0
Comment
Question by:s_betts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 4

Accepted Solution

by:
edwardq earned 1000 total points
ID: 20393495
If it contains senstive data its best not to be on the domain if thats whats they are worried about. But then you will have to create user names and passwords for each person that needs access.   If you log on with a domain password they will use the AD rights.

If its on the domain, make sure no one that is allow to see the data is the local admin group.  Use user security permissions on the folder that has the data.   You can also create a domain group and give them logon locally rights and remove everyone from the rights.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393669
in short no....domain policies over ride workstations no matter what
0
 

Expert Comment

by:tigs81
ID: 20393705
create a separate OU for this PC and assign appropriate policy setting to it, and add the single pc into the OU.
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393725
you cannot have multiple password policies in the domain, assignment at the root is the only way. The only thing assigning a password policy on an OU does is effect the local machine accounts. it doesnt not effect the domain user
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393780
Try this, create an OU and move this particular computer object inside this OU,
create a security group and add this particular computer as member of this security group
from the properties of GPO password policy, add this security group, and select DENY read and DENY apply policy object.

Reboot this computer and see if you can configure its local machine password policy?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393803
AD Basics 101 for password policies shall we

1. There can be one Domain Password Policy per domain. This is going to change with 2008 server but until then, there is one domain wide password

2.. a password policy will apply no matter what, including those security filtering settings as far as i am aware - may be wrong but am fairly certain it applies to everyone no matter what. Even with security filtering, you dont need to create a new OU as this is done on a group basis and OU location doesnt play any part in it

3. If you apply a password policy to an OU it will effect only the machines within that OU and ONLY on the local accounts, everything else is overridden by the domain password
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393832
Don't forget to enable "block inheritance " policy in OU that you just created.

One of us maybe correct here but there is nothing wrong testing it though.

Remember: Password policy applies to Computer level.
0
 

Author Comment

by:s_betts
ID: 20396235
Thanks to all for the replies.  I'll discuss these possible solutions with the client next week and follow up here.
0
 

Author Closing Comment

by:s_betts
ID: 31412253
Thanks for the suggestion.
0
 

Author Comment

by:s_betts
ID: 20536484
Thanks to all who posted suggestions.  The client liked the accepted solution best so we didn't take the time to test any of the others.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question