?
Solved

Windows Server 2003 Domain Password Policy Override

Posted on 2007-12-02
10
Medium Priority
?
4,465 Views
Last Modified: 2011-08-18
I have a client with a Windows 2003 Server AD domain with a fairly basic password policy.  The client has been instructed to enforce a series of password rules on a single workstation that will soon contain sensitive data.  I tried to configure the local password policy on the workstation but, as I suspected, the policy was locked and overridden by the domain wide policy.  Is there any way to enforce a separate set of rules on a single workstation without removing it from the domain?
0
Comment
Question by:s_betts
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 4

Accepted Solution

by:
edwardq earned 1000 total points
ID: 20393495
If it contains senstive data its best not to be on the domain if thats whats they are worried about. But then you will have to create user names and passwords for each person that needs access.   If you log on with a domain password they will use the AD rights.

If its on the domain, make sure no one that is allow to see the data is the local admin group.  Use user security permissions on the folder that has the data.   You can also create a domain group and give them logon locally rights and remove everyone from the rights.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393669
in short no....domain policies over ride workstations no matter what
0
 

Expert Comment

by:tigs81
ID: 20393705
create a separate OU for this PC and assign appropriate policy setting to it, and add the single pc into the OU.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393725
you cannot have multiple password policies in the domain, assignment at the root is the only way. The only thing assigning a password policy on an OU does is effect the local machine accounts. it doesnt not effect the domain user
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393780
Try this, create an OU and move this particular computer object inside this OU,
create a security group and add this particular computer as member of this security group
from the properties of GPO password policy, add this security group, and select DENY read and DENY apply policy object.

Reboot this computer and see if you can configure its local machine password policy?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393803
AD Basics 101 for password policies shall we

1. There can be one Domain Password Policy per domain. This is going to change with 2008 server but until then, there is one domain wide password

2.. a password policy will apply no matter what, including those security filtering settings as far as i am aware - may be wrong but am fairly certain it applies to everyone no matter what. Even with security filtering, you dont need to create a new OU as this is done on a group basis and OU location doesnt play any part in it

3. If you apply a password policy to an OU it will effect only the machines within that OU and ONLY on the local accounts, everything else is overridden by the domain password
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393832
Don't forget to enable "block inheritance " policy in OU that you just created.

One of us maybe correct here but there is nothing wrong testing it though.

Remember: Password policy applies to Computer level.
0
 

Author Comment

by:s_betts
ID: 20396235
Thanks to all for the replies.  I'll discuss these possible solutions with the client next week and follow up here.
0
 

Author Closing Comment

by:s_betts
ID: 31412253
Thanks for the suggestion.
0
 

Author Comment

by:s_betts
ID: 20536484
Thanks to all who posted suggestions.  The client liked the accepted solution best so we didn't take the time to test any of the others.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question