• Status: Solved
  • Priority: Medium
  • Security: Public

Windows group policy

What can happen on a Windows domain if you do not define your audit policy?

Can that make your Windows domain weak?
2 Solutions
No.  The audit policy is disabled by default.  You'd only want to enable it either to track something that you know is wrong, or to run it all the time with a very specific criteria set.  Enabling this policy haphazardly will fill your event logs with useless information.
Some auditing is done by default on a Windows 2003 server, but not much. Auditing merely records what is going on. If you implement auditing then, as cuiyq says, you need to plan what you want to log and set up the policy accordingly - there is a good intro at http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

Not having an audit policy will not weaken your system as such - it's just that if someone does something there will be no way of determining who did it and when.
mutec1 (Author) commented:
That was a good article. Do you have one that explains the password parameters and lockout?
I'm not sure what you mean exactly. Perhaps this?

Password Policies
To modify the Password Policy on the domain, Click START->Programs->Administrative Tools->Domain Security Policy
Expand Account Policies->Password Policy
The settings are:-

Enforce Password History: (Default 24) - Stops you using the same password each time by remembering previous passwords you have used.

Maximum Password Age: (Default 42) - Forces users to make up a new password at the specified interval - 0 = never expires (unless the account is marked "Password does not expire")

Minimum Password Age: (Default 0) - Passwords must be at least this age before they can be changed (stops user changing passwords too often)

Minimum Password Length: (Default 8) - Passwords must have at least this number of characters

Password Must Meet Complexity Requirements: (Default Enabled) - If enabled, passwords must contain:-
At least one letter A-Z
At least one letter a-z
At least one number 0 - 9
At least one character that is neither a letter nor a number

Store Passwords Using Reversible Encryption: (Default Disabled): May occasionally be required for interoperability with some non-Microsoft Systems.

Account Policies

Lockout Duration
The amount of time the password remains locked out (0 = forever - must be unlocked by admin)

Lockout Threshold
The number of attempts allowed

Reset counter after
Attempt count is reset to 0 after this period

Example: if
Lockout Duration = 30
Lockout Threshold = 3
Reset counter after = 15

Then you can try up to three times in any 15-minute period; get it wrong 3 times in the 15-minute period and you get locked out for 30 minutes. There is nothing to stop you trying twice, waiting 15 minutes and trying another twice.
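
The lockout example above as a small simulation; this is an added illustration, not part of the original answer. It is a simplified model: the class and function names are hypothetical, times are whole minutes, and it assumes the counter resets once "Reset counter after" minutes have passed since the previous failed attempt.

```python
"""Simplified model of the three account-lockout settings (times in minutes)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    threshold: int     # Lockout Threshold: bad attempts allowed (0 = never lock)
    duration: int      # Lockout Duration: minutes locked (0 = until admin unlock)
    reset_after: int   # Reset counter after: minutes


class Account:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad: Optional[int] = None
        self.locked_at: Optional[int] = None

    def is_locked(self, now: int) -> bool:
        if self.locked_at is None:
            return False
        if self.policy.duration == 0 or now - self.locked_at < self.policy.duration:
            return True
        self.locked_at, self.bad_count = None, 0   # lockout has expired
        return False

    def bad_logon(self, now: int) -> str:
        """Record one failed logon at minute `now` and return the account state."""
        if self.is_locked(now):
            return "locked"
        # Assumption: the counter resets once reset_after minutes have passed
        # since the previous failure.
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_after:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
            return "locked"
        return "open"


def replay(policy: LockoutPolicy, failure_minutes: List[int]) -> List[str]:
    """Feed constructed failed-logon timestamps through a fresh account."""
    account = Account(policy)
    return [account.bad_logon(t) for t in failure_minutes]


EXAMPLE = LockoutPolicy(threshold=3, duration=30, reset_after=15)  # values from the post
```

`replay(EXAMPLE, [0, 1, 2, 10, 32])` locks on the third failure and reopens after 30 minutes, while `replay(EXAMPLE, [0, 1, 17, 18])` never locks, so only failed-logon auditing would record those attempts.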