Windows group policy

What can happen on a Windows domain if you do not define your audit policy?

Can that make your Windows domain weak?
mutec1 Asked:

cuziyq Commented:
No.  The audit policy is disabled by default.  You'd only want to enable it either to track something that you know is wrong, or to run it all the time with a very specific criteria set.  Enabling this policy haphazardly will fill your event logs with useless information.
0
Brian Pierce (Photographer) Commented:
Some auditing is done by default on a Windows 2003 server, but not much. Auditing merely records what is going on. If you implement auditing then, as cuziyq says, you need to plan what you want to log and set up the policy accordingly - there is a good intro at http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

Not having an audit policy will not weaken your system as such - it's just that if someone does something there will be no way of determining who did it and when.
0

mutec1 (Author) Commented:
That was a good article. Do you have one that explains the password parameters and lockout?
0
Brian Pierce (Photographer) Commented:
I'm not sure what you mean exactly. Perhaps this?

Password Policies
To modify the Password Policy on the domain, Click START->Programs->Administrative Tools->Domain Security Policy
Expand Account Policies->Password Policy
The settings are:-

Enforce Password History: (Default 24) - Stops you using the same password each time by remembering previous passwords you have used.

Maximum Password Age: (Default 42) - Forces users to make up a new password at the specified interval - 0 = never expires (unless the account is marked "Password does not expire")

Minimum Password Age: (Default 0) - Passwords must be at least this age before they can be changed (stops user changing passwords too often)

Minimum Password Length: (Default 8) - Passwords must have at least this number of characters

Password Must Meet Complexity Requirements: (Default Enabled) - if enabled, passwords must contain:-
At least one letter A-Z
At least one letter a-z
At least one number 0 - 9
At least one character that is neither a letter nor a number

Store Passwords Using Reversible Encryption: (Default Disabled): May occasionally be required for interoperability with some non-Microsoft Systems.

Account Policies

Lockout Duration
The amount of time the password remains locked out (0 = forever - must be unlocked by admin)

Lockout Threshold
The number of attempts allowed

Reset counter after
Attempt count is reset to 0 after this period

Example if
Lockout Duration = 30
Lockout Threshold = 3
Reset counter after = 15


Then you can try up to three times in any 15 minute period; get it wrong 3 times in the 15 min period and you get locked out for 30 mins. Nothing to stop you trying twice, waiting 15 min and trying another twice.
0
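The lockout example in the answer above (Duration 30, Threshold 3, Reset 15), as an added Python example that is not part of the original thread: it replays failed-logon timestamps against those settings and lists accounts whose failures never trip the lockout. The counter-reset rule is a simplified model, and the record format, the `min_failures` and `window` thresholds and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Policy values from the example in the answer above.
DURATION = timedelta(minutes=30)      # Lockout Duration
THRESHOLD = 3                         # Lockout Threshold
RESET_AFTER = timedelta(minutes=15)   # Reset counter after

def lockout_times(failures):
    """Replay one account's failed-logon times; return when lockouts begin.
    Simplified model (assumption): the counter returns to 0 once more than
    RESET_AFTER has passed since the previous failure.
    """
    lockouts, count, last, locked_until = [], 0, None, None
    for ts in sorted(failures):
        if locked_until and ts < locked_until:
            continue                  # account is locked; attempt not counted
        if last is not None and ts - last > RESET_AFTER:
            count = 0                 # reset window elapsed
        count, last = count + 1, ts
        if count >= THRESHOLD:
            lockouts.append(ts)
            locked_until, count = ts + DURATION, 0
    return lockouts

def never_locked_but_noisy(events, min_failures=6, window=timedelta(hours=4)):
    """Accounts with >= min_failures failures inside `window` and no lockout.
    events: iterable of (timestamp, account) failed-logon records.
    min_failures and window are illustrative thresholds, not from the page.
    """
    by_account = {}
    for ts, account in sorted(events):    # sorted, so each list is in time order
        by_account.setdefault(account, []).append(ts)
    flagged = []
    for account, times in sorted(by_account.items()):
        if lockout_times(times):
            continue                  # lockout fired, so it is already visible
        if any(times[i + min_failures - 1] - times[i] <= window
               for i in range(len(times) - min_failures + 1)):
            flagged.append(account)
    return flagged

# Constructed sample records (minutes after an arbitrary start time).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [(T0 + timedelta(minutes=m), acct) for acct, mins in {
    "alice": [0, 1, 2],                    # three quick failures -> lockout
    "bob":   [0, 1, 17, 18, 35, 36],       # pairs spaced past the reset window
    "carol": [0, 200],                     # two isolated typos
}.items() for m in mins]

print(never_locked_but_noisy(SAMPLE))
```

Accounts that lock out are already visible to an administrator; the second function reports the ones that accumulate failures without ever reaching the threshold, which only shows up if failed logons are being audited.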