Solved

Windows Server 2003 Domain Password Policy Override

Posted on 2007-12-02
10
4,448 Views
Last Modified: 2011-08-18
I have a client with a Windows 2003 Server AD domain with a fairly basic password policy.  The client has been instructed to enforce a series of password rules on a single workstation that will soon contain sensitive data.  I tried to configure the local password policy on the workstation but, as I suspected, the policy was locked and overridden by the domain wide policy.  Is there any way to enforce a separate set of rules on a single workstation without removing it from the domain?
0
Comment
Question by:s_betts
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 4

Accepted Solution

by:
edwardq earned 250 total points
ID: 20393495
If it contains senstive data its best not to be on the domain if thats whats they are worried about. But then you will have to create user names and passwords for each person that needs access.   If you log on with a domain password they will use the AD rights.

If its on the domain, make sure no one that is allow to see the data is the local admin group.  Use user security permissions on the folder that has the data.   You can also create a domain group and give them logon locally rights and remove everyone from the rights.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393669
in short no....domain policies over ride workstations no matter what
0
 

Expert Comment

by:tigs81
ID: 20393705
create a separate OU for this PC and assign appropriate policy setting to it, and add the single pc into the OU.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393725
you cannot have multiple password policies in the domain, assignment at the root is the only way. The only thing assigning a password policy on an OU does is effect the local machine accounts. it doesnt not effect the domain user
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393780
Try this, create an OU and move this particular computer object inside this OU,
create a security group and add this particular computer as member of this security group
from the properties of GPO password policy, add this security group, and select DENY read and DENY apply policy object.

Reboot this computer and see if you can configure its local machine password policy?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20393803
AD Basics 101 for password policies shall we

1. There can be one Domain Password Policy per domain. This is going to change with 2008 server but until then, there is one domain wide password

2.. a password policy will apply no matter what, including those security filtering settings as far as i am aware - may be wrong but am fairly certain it applies to everyone no matter what. Even with security filtering, you dont need to create a new OU as this is done on a group basis and OU location doesnt play any part in it

3. If you apply a password policy to an OU it will effect only the machines within that OU and ONLY on the local accounts, everything else is overridden by the domain password
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20393832
Don't forget to enable "block inheritance " policy in OU that you just created.

One of us maybe correct here but there is nothing wrong testing it though.

Remember: Password policy applies to Computer level.
0
 

Author Comment

by:s_betts
ID: 20396235
Thanks to all for the replies.  I'll discuss these possible solutions with the client next week and follow up here.
0
 

Author Closing Comment

by:s_betts
ID: 31412253
Thanks for the suggestion.
0
 

Author Comment

by:s_betts
ID: 20536484
Thanks to all who posted suggestions.  The client liked the accepted solution best so we didn't take the time to test any of the others.
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now