• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 439
  • Last Modified:

Policy filter questions

How do you find the name of the default password domain policy for a given domain, and, more importantly, how do you find every user who is subject to the default domain policy and every user who is exempt/filtered from it? If in ADUC, can you provide some basic steps, as I am still getting used to the tool.

Also, how do policy filters/exemptions work? Say, for example, you want a user to be subject to the default domain password policy around account lockout and password complexity, but you don't want their password to expire. How do you ensure the user is still subject to the default domain policy but essentially filters/overrides the password expiry setting when the default domain policy is applied to their account? Can you explain the mechanics?
0
Asked: pma111

3 Solutions
 
KCTSCommented:
On a 2003 domain you can only have ONE password policy - defined at the domain level - it cannot be overridden
0
 
pma111Author Commented:
I am not sure that is true though, as our domain policy is a set number of characters, lockout after 10 failed attempts etc. However, we have admin accounts with passwords less than 10 characters whose accounts don't expire
0
 
pma111Author Commented:
Passwords don't expire even...
0
 
pma111Author Commented:
So are you saying there is absolutely no way, 100%, that no user in the domain can have a password that doesn't expire if you set the default domain policy to have passwords that expire after 90 days?
0
 
AmitIT ArchitectCommented:
KCTS is right: in 2003 you cannot have more than one password policy, but this has been resolved in 2008 with what is now called Fine Grained Password Policy, where you can create and apply it according to your requirement.

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

0
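Added example, not code from Amit's post or from the thread: this is how the fine-grained policy he refers to is created and applied with the ActiveDirectory PowerShell module on a domain at the Windows Server 2008 functional level or higher, and how to list which policy each user actually ends up under (the original question). It builds a PSO that copies the domain's lockout, length, history and complexity settings and changes only the maximum password age, which is the exact "override expiry but keep everything else" case the asker describes. The PSO name 'PSO-ServiceAccounts', the group 'SVC-NonExpiring' and the 365-day age are assumptions for illustration.

```powershell
# Added example; assumes the ActiveDirectory module (2008 R2+ tools) and a
# 2008+ domain functional level. Names and the 365-day value are made up.
Import-Module ActiveDirectory

# Read the domain-level settings so the PSO differs from them in one field only.
$default = Get-ADDefaultDomainPasswordPolicy

# PSO: same lockout/complexity/length/history as the domain, longer max age.
# Lower Precedence wins if a user is in the scope of more than one PSO.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -ComplexityEnabled           $default.ComplexityEnabled `
    -MinPasswordLength           $default.MinPasswordLength `
    -MinPasswordAge              $default.MinPasswordAge `
    -MaxPasswordAge              (New-TimeSpan -Days 365) `
    -PasswordHistoryCount        $default.PasswordHistoryCount `
    -LockoutThreshold            $default.LockoutThreshold `
    -LockoutDuration             $default.LockoutDuration `
    -LockoutObservationWindow    $default.LockoutObservationWindow `
    -ReversibleEncryptionEnabled $default.ReversibleEncryptionEnabled

# PSOs are applied to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'SVC-NonExpiring'

# "Who is subject to the default policy and who is exempt?" is answered by the
# resultant password policy, computed per user. No PSO means the default applies.
Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
    $rpp = Get-ADUserResultantPasswordPolicy -Identity $_
    [pscustomobject]@{
        User           = $_.SamAccountName
        Policy         = if ($rpp) { $rpp.Name } else { 'Default Domain Policy' }
        MaxPasswordAge = if ($rpp) { $rpp.MaxPasswordAge } else { $default.MaxPasswordAge }
    }
} | Sort-Object Policy, User | Format-Table -AutoSize
```

Note that the per-user "Password never expires" flag still exists alongside PSOs and is checked before either policy is consulted, so a PSO audit is only complete if you also enumerate that flag (see the ADSI query further down the thread).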
 
pma111Author Commented:
This doesnt make sense then.

If in ADUC I create a new query, in "Define Query" it has a check box "Non expiring passwords". If I check that and run it, it returns around 200 users. If the domain policy says passwords will expire after 90 days, please explain why ADUC reports there are many accounts that do indeed have passwords that don't expire.

And also what about service and backup accounts, whereby you wouldn't want an expiring password?
0
 
KCTSCommented:
The only way you can have a non-expiring password that is contrary to the domain policy is if the 'password does not expire' option is selected on the individual user accounts.
0
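Added example, not from KCTS's post or the thread, showing both halves of the asker's question for a domain that may still be at 2003 level: it reads the effective default domain password settings from the domain object itself (Group Policy only writes these attributes there, which is why there is exactly one such policy in 2003), and it runs the same LDAP filter that ADUC's "Non expiring passwords" query uses, a bitwise test of the ADS_UF_DONT_EXPIRE_PASSWD bit (0x10000) in userAccountControl. It uses ADSI rather than the ActiveDirectory module so it works from PowerShell 2.0 on any joined machine without 2008 R2 domain controllers.

```powershell
# Added example; ADSI only, so it runs against a 2003 domain with PowerShell 2.0+.

# 1. Effective domain password/lockout settings live on the domain object.
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# maxPwdAge / lockoutDuration are negative 100-ns intervals (LargeInteger);
# the Int64 minimum value means "never" / "until an administrator unlocks".
$maxPwdAge       = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)
$lockoutDuration = $domain.ConvertLargeIntegerToInt64($domain.lockoutDuration.Value)
$DOMAIN_PASSWORD_COMPLEX = 1   # bit in pwdProperties

[pscustomobject]@{
    Domain              = [string]$rootDse.defaultNamingContext
    MaxPasswordAgeDays  = if ($maxPwdAge -eq [int64]::MinValue) { 'never' } else { [TimeSpan]::FromTicks(-$maxPwdAge).TotalDays }
    MinPasswordLength   = [int]$domain.minPwdLength.Value
    PasswordHistory     = [int]$domain.pwdHistoryLength.Value
    ComplexityEnabled   = ([int]$domain.pwdProperties.Value -band $DOMAIN_PASSWORD_COMPLEX) -ne 0
    LockoutThreshold    = [int]$domain.lockoutThreshold.Value   # 0 means accounts never lock out
    LockoutDurationMins = if ($lockoutDuration -eq [int64]::MinValue) { 'until unlocked' } else { [TimeSpan]::FromTicks(-$lockoutDuration).TotalMinutes }
} | Format-List

# 2. ADUC's "Non expiring passwords" query as an LDAP filter:
#    1.2.840.113556.1.4.803 = bitwise-AND matching rule,
#    65536 (0x10000)        = ADS_UF_DONT_EXPIRE_PASSWD in userAccountControl.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$searcher = [ADSISearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$searcher.PageSize = 1000    # page the results; otherwise the server caps at 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl', 'pwdLastSet'))

$nonExpiring = foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    $pls = [int64]$r.Properties['pwdlastset'][0]    # DirectorySearcher already returns Int64
    [pscustomobject]@{
        SamAccountName  = [string]$r.Properties['samaccountname'][0]
        UAC             = '0x{0:X}' -f $uac
        NeverExpires    = ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0   # the bit the filter matched
        PasswordLastSet = if ($pls -eq 0) { 'never' } else { [datetime]::FromFileTime($pls) }
    }
}
"{0} account(s) override password expiry regardless of the domain policy" -f @($nonExpiring).Count
$nonExpiring | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

The PasswordLastSet column is the practical follow-up to the 200-account finding: a non-expiring account whose password was last set years ago is the case a reviewer will flag first.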
 
AmitIT ArchitectCommented:
Again, you have to do it manually for all users, as KCTS mentioned.
0
 
pma111Author Commented:
What about password length and account lockout? Are there similar settings for these parameters whereby you can go contrary to the domain policy around password length and account lockout, or is the only contrary option the password expiry parameter?
0
 
AmitIT ArchitectCommented:
0
 
pma111Author Commented:
I prefer to speak to human beings rather than read tons of MS links
0
 
KCTSCommented:
One policy across the domain for password length, complexity and lockout - unless you use 2008 server or a third party add-on
0
 
Keith AlabasterEnterprise ArchitectCommented:
The link above that you didn't want to read explained the concept very well, but in short the policy is the starting point. As it is not read-only, amendments can be made by authorised users at the policy level itself or, more granularly, at the user level to make incidental changes such as change password at next logon, password never expires etc. However, some cannot be controlled in any way other than at the domain level, such as password length in 2003.
0
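Added example, not from Keith's post or the thread, showing the mechanics of the two user-level amendments he names. "Password never expires" is the ADS_UF_DONT_EXPIRE_PASSWD bit (0x10000) in the user's userAccountControl attribute; "User must change password at next logon" is pwdLastSet set to 0. Neither changes the domain policy: the flag simply short-circuits the expiry check for that one account. The block also does the hardening sweep the thread implies, clearing the flag on every account that is not on an approved service-account list. The account names in the allow-list are constructed. ADSI is used so it works on a 2003 domain; on 2008 R2+ the same edits are Set-ADUser -PasswordNeverExpires and -ChangePasswordAtLogon.

```powershell
# Added example; ADSI, 2003-compatible. Writing requires rights on the user objects.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-UserEntry([string]$sam) {
    $s = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $r = $s.FindOne()
    if (-not $r) { throw "user '$sam' not found" }
    $r.GetDirectoryEntry()
}

# Set or clear the per-user override; everything else in userAccountControl is preserved.
function Set-PasswordNeverExpires([string]$sam, [bool]$enabled) {
    $u   = Get-UserEntry $sam
    $uac = [int]$u.userAccountControl.Value
    $new = if ($enabled) { $uac -bor $ADS_UF_DONT_EXPIRE_PASSWD } else { $uac -band (-bnot $ADS_UF_DONT_EXPIRE_PASSWD) }
    if ($new -ne $uac) {
        $u.Put('userAccountControl', $new)
        $u.SetInfo()
    }
}

# "User must change password at next logon" is pwdLastSet = 0. ADUC greys this
# box out while "Password never expires" is ticked, so clear that flag first.
function Set-MustChangePasswordAtNextLogon([string]$sam) {
    Set-PasswordNeverExpires $sam $false
    $u = Get-UserEntry $sam
    $u.Put('pwdLastSet', 0)
    $u.SetInfo()
}

# Sweep: remove the override from every account not on the approved list so the
# domain's expiry setting applies to them again. Run with -WhatIf semantics first
# by setting $apply = $false.
$approved = @('svc-backup', 'svc-monitoring')    # constructed allow-list
$apply    = $false
$s = [ADSISearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$s.PageSize = 1000
foreach ($r in $s.FindAll()) {
    $sam = [string]$r.Properties['samaccountname'][0]
    if ($approved -notcontains $sam) {
        if ($apply) { Set-PasswordNeverExpires $sam $false; "cleared override on $sam" }
        else        { "would clear override on $sam" }
    }
}
```

Run it with $apply = $false first and reconcile the list against the service and backup accounts mentioned earlier in the thread before flipping it; clearing the flag on an account whose password was last set long ago can mean that password expires immediately.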
 
pma111Author Commented:
I did read it, and yes, thanks for all the pointers. I just sometimes prefer comments as opposed to links...
0
 
Keith AlabasterEnterprise ArchitectCommented:
hehehe - you're not alone there by any means
0
 
AmitIT ArchitectCommented:
EE copyright policy restricts us. That's why we submit the link.
0
