Solved

Windows Server 2003 Domain Password Policy Override

Posted on 2007-12-02
10
4,461 Views
Last Modified: 2011-08-18
I have a client with a Windows 2003 Server AD domain with a fairly basic password policy.  The client has been instructed to enforce a series of password rules on a single workstation that will soon contain sensitive data.  I tried to configure the local password policy on the workstation but, as I suspected, the policy was locked and overridden by the domain wide policy.  Is there any way to enforce a separate set of rules on a single workstation without removing it from the domain?
0
Comment
Question by:s_betts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 4

Accepted Solution

by:
edwardq earned 250 total points
ID: 20393495
If it contains senstive data its best not to be on the domain if thats whats they are worried about. But then you will have to create user names and passwords for each person that needs access.   If you log on with a domain password they will use the AD rights.

If its on the domain, make sure no one that is allow to see the data is the local admin group.  Use user security permissions on the folder that has the data.   You can also create a domain group and give them logon locally rights and remove everyone from the rights.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393669
in short no....domain policies over ride workstations no matter what
0
 

Expert Comment

by:tigs81
ID: 20393705
create a separate OU for this PC and assign appropriate policy setting to it, and add the single pc into the OU.
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393725
you cannot have multiple password policies in the domain, assignment at the root is the only way. The only thing assigning a password policy on an OU does is effect the local machine accounts. it doesnt not effect the domain user
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393780
Try this, create an OU and move this particular computer object inside this OU,
create a security group and add this particular computer as member of this security group
from the properties of GPO password policy, add this security group, and select DENY read and DENY apply policy object.

Reboot this computer and see if you can configure its local machine password policy?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393803
AD Basics 101 for password policies shall we

1. There can be one Domain Password Policy per domain. This is going to change with 2008 server but until then, there is one domain wide password

2.. a password policy will apply no matter what, including those security filtering settings as far as i am aware - may be wrong but am fairly certain it applies to everyone no matter what. Even with security filtering, you dont need to create a new OU as this is done on a group basis and OU location doesnt play any part in it

3. If you apply a password policy to an OU it will effect only the machines within that OU and ONLY on the local accounts, everything else is overridden by the domain password
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393832
Don't forget to enable "block inheritance " policy in OU that you just created.

One of us maybe correct here but there is nothing wrong testing it though.

Remember: Password policy applies to Computer level.
0
 

Author Comment

by:s_betts
ID: 20396235
Thanks to all for the replies.  I'll discuss these possible solutions with the client next week and follow up here.
0
 

Author Closing Comment

by:s_betts
ID: 31412253
Thanks for the suggestion.
0
 

Author Comment

by:s_betts
ID: 20536484
Thanks to all who posted suggestions.  The client liked the accepted solution best so we didn't take the time to test any of the others.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question