Solved

Windows Server 2003 Domain Password Policy Override

Posted on 2007-12-02
4,451 Views
Last Modified: 2011-08-18
I have a client with a Windows 2003 Server AD domain with a fairly basic password policy.  The client has been instructed to enforce a series of password rules on a single workstation that will soon contain sensitive data.  I tried to configure the local password policy on the workstation but, as I suspected, the policy was locked and overridden by the domain wide policy.  Is there any way to enforce a separate set of rules on a single workstation without removing it from the domain?
Question by: s_betts

10 Comments
 
LVL 4

Accepted Solution

by:
edwardq earned 250 total points
ID: 20393495
If it contains sensitive data, it's best not to be on the domain, if that's what they are worried about. But then you will have to create user names and passwords for each person that needs access. If you log on with a domain password, they will use the AD rights.

If it's on the domain, make sure no one that is allowed to see the data is in the local admin group. Use user security permissions on the folder that has the data. You can also create a domain group, give it "log on locally" rights, and remove everyone from the rights.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393669
In short, no. Domain policies override workstation policies no matter what.
0
 

Expert Comment

by:tigs81
ID: 20393705
Create a separate OU for this PC, assign the appropriate policy settings to it, and add the single PC into the OU.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393725
You cannot have multiple password policies in the domain; assignment at the root is the only way. The only thing assigning a password policy on an OU does is affect the local machine accounts. It does not affect the domain user.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393780
Try this: create an OU and move this particular computer object inside this OU. Create a security group and add this particular computer as a member of this security group. From the properties of the GPO password policy, add this security group, and select DENY Read and DENY Apply Group Policy.

Reboot this computer and see if you can configure its local machine password policy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393803
AD Basics 101 for password policies, shall we?

1. There can be one Domain Password Policy per domain. This is going to change with Server 2008, but until then there is one domain-wide password policy.

2. A password policy will apply no matter what, including with those security filtering settings, as far as I am aware. I may be wrong, but I am fairly certain it applies to everyone no matter what. Even with security filtering, you don't need to create a new OU, as this is done on a group basis and OU location doesn't play any part in it.

3. If you apply a password policy to an OU, it will affect only the machines within that OU, and ONLY the local accounts; everything else is overridden by the domain password policy.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393832
Don't forget to enable "Block Inheritance" on the OU that you just created.

One of us may be correct here, but there is nothing wrong with testing it.

Remember: password policy applies at the computer level.
0
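The two comments above disagree about what an OU-linked (or security-filtered) password policy actually changes, and one of them suggests simply testing it. The script below is an added example for doing that test; it is not code from this thread or from any of the posters. Run it in an elevated PowerShell prompt on the workstation in question (secedit.exe needs local administrator rights). It exports the workstation's effective local security policy with secedit and reads the password settings from the [System Access] section, then reads the domain-wide values (minPwdLength, pwdHistoryLength, maxPwdAge, minPwdAge, pwdProperties, lockoutThreshold) directly off the domain naming context with ADSI, which works against Windows Server 2003 domain controllers without the Active Directory PowerShell module. The function names are my own; the temp file path and the attribute list are assumptions of this example.

```powershell
# Added example, not code from the thread. It compares the password policy a
# domain-joined workstation enforces on its LOCAL SAM accounts with the single
# domain-wide policy that governs DOMAIN accounts in a Windows Server 2003 domain.
# Run in an elevated PowerShell prompt on the workstation; secedit needs admin.

function ConvertFrom-AdAge([long]$interval) {
    # AD stores maxPwdAge/minPwdAge as negative 100-nanosecond intervals.
    # Int64.MinValue on maxPwdAge means "passwords never expire"; report it as -1,
    # which is also what secedit writes for MaximumPasswordAge when it is "never".
    if ($interval -eq [long]::MinValue) { return -1 }
    return [int][math]::Round((-$interval) / 864000000000)   # 8.64e11 ticks per day
}

function Get-LocalPasswordPolicy {
    # Export the effective local security policy and read its [System Access] section.
    $cfg = Join-Path $env:TEMP ('secpol-' + [guid]::NewGuid().ToString() + '.inf')  # assumed temp path
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run as a local administrator.' }
    $raw = @{}
    try {
        $inSection = $false
        foreach ($line in (Get-Content $cfg)) {            # .inf is UTF-16 with BOM; Get-Content detects it
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $raw[$matches[1]] = $matches[2] }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    New-Object PSObject -Property @{
        Scope            = "local SAM accounts on $env:COMPUTERNAME"
        MinLength        = [int]$raw['MinimumPasswordLength']
        Complexity       = ([int]$raw['PasswordComplexity'] -eq 1)
        HistorySize      = [int]$raw['PasswordHistorySize']
        MaxAgeDays       = [int]$raw['MaximumPasswordAge']      # -1 = never expires
        MinAgeDays       = [int]$raw['MinimumPasswordAge']
        LockoutThreshold = [int]$raw['LockoutBadCount']
    }
}

function Get-DomainPasswordPolicy {
    # Read the domain-wide values straight off the domain naming context with ADSI.
    # This is what a 2003 DC enforces for every domain account, whatever GPOs the
    # workstation itself receives.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.Properties['defaultNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=*)'
    foreach ($attr in 'minPwdLength','pwdHistoryLength','maxPwdAge','minPwdAge','pwdProperties','lockoutThreshold') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Could not read the domain object $domainDn" }
    $p = $result.Properties                                   # keys come back lower-case
    New-Object PSObject -Property @{
        Scope            = "domain accounts in $domainDn"
        MinLength        = [int]$p['minpwdlength'][0]
        Complexity       = (([int]$p['pwdproperties'][0] -band 1) -eq 1)   # bit 0 = DOMAIN_PASSWORD_COMPLEX
        HistorySize      = [int]$p['pwdhistorylength'][0]
        MaxAgeDays       = ConvertFrom-AdAge ([long]$p['maxpwdage'][0])
        MinAgeDays       = ConvertFrom-AdAge ([long]$p['minpwdage'][0])
        LockoutThreshold = [int]$p['lockoutthreshold'][0]
    }
}

function Compare-PasswordPolicy {
    # One row per setting: the value domain accounts get vs. the value local accounts get.
    $local  = Get-LocalPasswordPolicy
    $domain = Get-DomainPasswordPolicy
    foreach ($name in 'MinLength','Complexity','HistorySize','MaxAgeDays','MinAgeDays','LockoutThreshold') {
        New-Object PSObject -Property @{
            Setting = $name
            Domain  = $domain.$name
            Local   = $local.$name
            Differs = ($domain.$name -ne $local.$name)
        }
    }
}

Compare-PasswordPolicy | Format-Table Setting, Domain, Local, Differs -AutoSize
```

Run it once before and once after linking the stricter GPO to the new OU (and after a gpupdate /force and reboot). If the Local column changes while the Domain column does not, that confirms the point made earlier in the thread: the OU-linked policy only reached the workstation's own SAM. A domain user who changes their password while logged on to that workstation is still held to the Domain column, because the domain controller, not the workstation, evaluates the domain password policy. Per-group or per-user password settings for domain accounts only arrive with the fine-grained password policies of Windows Server 2008.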
 

Author Comment

by:s_betts
ID: 20396235
Thanks to all for the replies.  I'll discuss these possible solutions with the client next week and follow up here.
0
 

Author Closing Comment

by:s_betts
ID: 31412253
Thanks for the suggestion.
0
 

Author Comment

by:s_betts
ID: 20536484
Thanks to all who posted suggestions.  The client liked the accepted solution best so we didn't take the time to test any of the others.
0
