Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Password Policy on SBS 2003 R2: Advanced Management

Posted on 2010-08-18
5
Medium Priority
?
640 Views
Last Modified: 2012-05-10
I'm running a small business server 2003.

From the Server Management, I go to Advanced Management -> Group Policy Management -> Domains -> domain.local -> Small Business Server Domain Password Policy.

The current policy sets the Maximum Password Age to 14 days, and the minimum length is 8 characters.

I want 45 days and 15 characters as the minimum. So I right click on the policy, and go to edit. It brings up the Group Policy Object Editor.

I go to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -. Password Policy.

I edit Maximum password age to 45 days, and put 14 characters as minimum length (It will not let me select 15).

Now, here is the thing: Above the "Small Business Server Domain Password Policy" I have a "Default Domain Policy" that is set to 42 days for max age and 7 characters for minimum length.

There is a conflict here... why is it that when I open these to edit, GPO Editor is opened?

How do I trace these conflicting policies down and get the result that I want?!

0
Comment
Question by:mnbookman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 23

Assisted Solution

by:ormerodrutter
ormerodrutter earned 400 total points
ID: 33466416
Anything you manually entered surecede the default policy.

For example, if you don't enter anything the Default policy will kick in. But if you have a customer policy it will override the existing Default policy.
0
 

Author Comment

by:mnbookman
ID: 33466623
I took over for someone else and... a year later I'm still trying to figure things out. :)

How do I trace policies to see which ones are in effect?
0
 
LVL 27

Accepted Solution

by:
DrDave242 earned 1600 total points
ID: 33470478
First, the easy question: the GPO Editor gets opened when you edit a GPO because...that's the tool that is used to edit GPOs.  :)

Now the rest.  You can see which policy takes precedence in the Group Policy Management Console.  In this case, both policies should be applied at the domain level (since that's the only place you can specify a password policy in 2003), so click on the domain name in the left pane of the console.  Then click on the Group Policy Inheritance tab in the right pane.  Policies higher in the list take precedence over those lower in the list.  (There are exceptions to this rule, such as when a policy is given the Enforced/No Override setting, but that's not likely true in your case.)
0
 

Author Comment

by:mnbookman
ID: 33479997
Thanks DrDave242, with your help, I may have this licked... Is there any way to check account statistics for individual users - for example, how many days are left before their password change?

I was completely misunderstanding how policies are laid out. Under Domains ->domain.local, I thought each policy was a SUMMARY, and wasn't understanding that when I right clicked on one and selected 'Edit' that I was only editing THAT policy. I thought each edit was taking me to the same place.

Now I understand there is a hierarchy.
0
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 1600 total points
ID: 33480198
The Account Lockout and Management Tools should give you the information you need:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

This article gives some information on using the tools:

http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question