Policy filter questions

Posted on 2011-02-21
Last Modified: 2013-11-05
How do you find the name of the default password domain policy for a given domain, and more importantly how do you find every user who is subject to the default domain policy, and every user who is exempt/filtered from it? If this is done in ADUC, can you provide some basic steps, as I am still getting used to the tool.

Also, how do policy filters/exemptions work? Say for example you want a user to be subject to the default domain password policy around account lockout and password complexity, but you don't want their password to expire. How do you ensure the user is still subject to the default domain policy, but essentially filters/overrides the password expiry setting when the default domain policy is applied to their account? Can you explain the mechanics?
Question by:pma111
19 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 100 total points
ID: 34941536
On a 2003 domain you can only have ONE password policy - defined at the domain level - it cannot be overridden
LVL 3

Author Comment

by:pma111
ID: 34941562
I am not sure that is true though, as our domain policy is a set number of characters, lockout after 10 failed attempts etc... However we have admin accounts with passwords less than 10 characters whose accounts don't expire.
LVL 3

Author Comment

by:pma111
ID: 34941565
Passwords don't expire even...
LVL 3

Author Comment

by:pma111
ID: 34941625
So are you saying there is absolutely no way, 100%, that any user in the domain can have a password that doesn't expire if you set the default domain policy to have passwords that expire after 90 days?
LVL 41

Assisted Solution

by:Amit
Amit earned 100 total points
ID: 34941653
KCTS is right, in 2003 you cannot have more than one password policy, but this has been resolved in 2008, now called Fine Grained Password Policy, where you can create and apply it according to your requirement.

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

LVL 3

Author Comment

by:pma111
ID: 34941672
This doesn't make sense then.

If in ADUC I create a new query, in "define query" it has a check box "Non expiring passwords". If I check that and run it, it returns around 200 users. If the domain policy says passwords will expire after 90 days, please explain why ADUC reports there are many accounts that do indeed have passwords that don't expire.

And also what about service and backup accounts whereby you wouldn't want an expiring password?
LVL 70

Expert Comment

by:KCTS
ID: 34941682
The only way you caqn have a non-expiring password that is contrary to the domain policy is if the 'password does not expire' option is selected on the individual user accounts.
LVL 70

Expert Comment

by:KCTS
ID: 34941686
Oops - that should have been:

The only way you can have a non-expiring password that is contrary to the domain policy is if the 'password does not expire' option is selected on the individual user accounts.
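The enumeration the thread is circling (the single domain-wide policy, the per-account "Password never expires" option that ADUC's "Non expiring passwords" query finds, and on 2008-level domains the per-user resultant fine-grained policy) as an added PowerShell example; it is not code from any poster in this thread. It assumes the ActiveDirectory RSAT module is available, that the account running it can read user attributes, and that the ADUC query tests the userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWD); the stale-password check at the end goes beyond the thread's question as a defender's audit of the accounts the domain policy leaves out of rotation.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT / Server 2008 R2 or later) and read access to user attributes.
Import-Module ActiveDirectory

# 1. The domain-wide policy KCTS describes. On a 2003-level domain this is the
#    only password policy; it normally comes from the domain-linked GPO named
#    "Default Domain Policy".
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Accounts that override expiry with the per-account 'Password never expires'
#    option. That option is bit 0x10000 (DONT_EXPIRE_PASSWD, decimal 65536) of
#    userAccountControl; the bitwise-AND matching rule below is the same test
#    the ADUC "Non expiring passwords" query evaluates (assumption).
$neverExpiresFilter = '(&(objectCategory=person)(objectClass=user)' +
                      '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$neverExpires = Get-ADUser -LDAPFilter $neverExpiresFilter `
                   -Properties PasswordLastSet, Enabled, userAccountControl
"{0} accounts have 'Password never expires' set" -f @($neverExpires).Count
$neverExpires | Select-Object SamAccountName, Enabled, PasswordLastSet |
    Sort-Object SamAccountName

# 3. Everyone else is subject to the expiry setting of whichever policy applies
#    to them. On a 2008+ functional level a fine-grained policy (PSO) may apply;
#    Get-ADUserResultantPasswordPolicy returns $null when none does, meaning the
#    domain-wide policy above is the effective one.
$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        EffectivePolicy      = if ($pso) { $pso.Name } else { 'Default domain policy' }
        PasswordNeverExpires = $u.PasswordNeverExpires
    }
}
$report | Group-Object EffectivePolicy |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 4. Added audit check: enabled accounts flagged never-expire whose password is
#    already older than the domain MaxPasswordAge. These are the service,
#    backup and admin accounts the domain policy silently leaves out of rotation.
if ($domainPolicy.MaxPasswordAge -gt [TimeSpan]::Zero) {
    $cutoff = (Get-Date) - $domainPolicy.MaxPasswordAge
    $neverExpires |
        Where-Object { $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet |
        Sort-Object PasswordLastSet
}
```

Step 3 calls the resultant-policy cmdlet once per user, so on a large domain it is slow; on a 2003 functional level every user simply reports the domain-wide policy. Accounts with no PasswordLastSet (must change at next logon) are skipped by the step 4 filter rather than reported as stale.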
LVL 41

Expert Comment

by:Amit
ID: 34941710
Again you have to do it manually for all users, as KCTS mentioned.
LVL 3

Author Comment

by:pma111
ID: 34941713
What about password length and account lockout? Are there similar settings for these parameters whereby you can go contrary to the domain policy around password length and account lockout, or is the only contrary option the password expiry parameter?
LVL 41

Expert Comment

by:Amit
ID: 34941724
LVL 3

Author Comment

by:pma111
ID: 34941749
I prefer to speak to human beings than read tons of MS links.
LVL 70

Expert Comment

by:KCTS
ID: 34941768
One policy across the domain for password lenght and lockout policy - u;ess you are using Server 2008 or a third party add-on
LVL 70

Expert Comment

by:KCTS
ID: 34941774
One policy across the domain for password length, complexity and lockout - unless you use 2008 server or a third party add-on.
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
ID: 34941799
The link above that you didn't want to read explained the concept very well, but in short the policy is the starting point. As it is not read-only, amendments can be made by authorised users at the policy level itself, or more granularly at the user level to make incidental changes such as change password at next logon, password never expires etc. However some settings cannot be controlled in any way other than at the domain level, such as password length in 2003.
LVL 3

Author Comment

by:pma111
ID: 34941811
I did read it, and yes, thanks for all the pointers; I just sometimes prefer comments as opposed to links...
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34941851
hehehe - you're not alone there by any means
LVL 41

Expert Comment

by:Amit
ID: 34942371
EE copyright policy restricts us. That's why we submit the link.