Solved

Local policy vs domain policy

Posted on 2011-05-10
I'm running IIS on a win2k3 server in our domain. The IIS server is acting as an FTP server. I created a local user on that server to be used for FTP. When I set up the user account, I checked the box that said password never expires. Now 90 days later the account was disabled because the password expired. My question is how do I keep my domain password policy from overwriting local users on that server? I thought that if the user was created on that server then the user would have the local policy applied.
Question by:tdx2000
14 Comments
 
LVL 3

Expert Comment

by:Michael
ID: 35729911
When you checked the box for "password never expires", was it in Active Directory?
0
 

Author Comment

by:tdx2000
ID: 35729936
No, the user was created local to the IIS server.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35729982
Domain policy takes effect over local policy.
0
 
LVL 3

Expert Comment

by:Michael
ID: 35729989
If this is on a Domain Controller, you may have to go into AD and make sure "Password never expires" is applied to the domain account. From what it looks like, you can only do local users on a server that is not a DC. To test this, go into AD, reset the password and try logging in with that user/password.
0
 

Author Comment

by:tdx2000
ID: 35730021
Our IIS server is not a DC. The user was created on that server as they would not need access to anything else on the network. There has to be a way to set up the user on the local server and not have the password expire.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35730035
Deny them access to the password policy.
0
 
LVL 3

Expert Comment

by:Michael
ID: 35730066
0
 

Author Comment

by:tdx2000
ID: 35730327
Is it possible to configure the IIS server so that users created locally on that server (Not In AD) do not get the default domain policy applied to them? If this is possible how?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35730343
Yes. Take your password settings out of the default domain policy and create a new policy, and link it at the domain level.

Deny the computer and user read/apply group policy permission to this GPO.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35730387
I thought it was already true. I have never thought that Domain Level Password Policy affects local accounts. Besides that,..even with Domain Accounts,...if you check the box that says the Password does Not Expire,...then the password does not expire,...that is how you exempt certain accounts from expiring (Service Accounts, Administrator Account, other "special" accounts, etc.). Logistics dictate that not all accounts can be allowed to expire and the Administrator must maintain manual control over the passwords of such accounts,...yet Domain Password Policy is Global,...hence checking that checkbox overrides and exempts the account from the policy.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35730482
Password Policy must remain in the Default Domain Policy.
It does not work properly if placed in a different GPO.

Password Policy is the only item in Group Policy that follows that behavior; in fact it is the only set of items that should ever be changed in the Default Domain Policy. The Default Domain Policy should never be touched beyond handling the Password Policy. The Default Domain Controllers Policy should just never be touched at all,...link "new" GPOs to the Domain Controllers OU to alter settings instead.

All other settings will work in other distinct admin-created/defined GPOs, but Password Policies are unique and only work in the Default Domain Policy.

0
 

Accepted Solution

by:
tdx2000 earned 0 total points
ID: 35731014
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35731237
Ok, so it does affect the Local Accounts. Thanks for sharing the link, I was unaware of that. But it looks like the checkbox does override the GPO as I stated.

Policy set in the Default Domain Policy affects both Local and Domain Accounts,...but policy set in another sub-OU only affects Local Accounts.

Looks like some were contradicting others in that thread. Seems MS needs to do some clarification on this subject.
0
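An added example, not code from this thread, to verify the two points above on a domain-joined member server: which local accounts carry the "Password never expires" flag, and what maximum password age the domain-level policy has actually pushed down to the local SAM. It uses WMI so it also runs on the Windows Server 2003 era PowerShell; the account name `ftpuser` is an assumption.

```powershell
# Added example (not from the thread): audit local accounts on a member server
# and report which ones will lapse under the domain-level maximum password age.
# Uses Win32_UserAccount (WMI) rather than Get-LocalUser so it works on older
# servers. $FtpUser is an assumed account name; change it to the real one.
param([string]$FtpUser = "ftpuser")

# LocalAccount='True' restricts the enumeration to accounts in the local SAM,
# which is what the thread is about (domain accounts are excluded).
$local = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

# 'net accounts' prints the policy the local SAM is enforcing; on a domain
# member this is the value the Default Domain Policy applied, not the local GPO.
$netAccounts = net accounts
$maxAge = ($netAccounts | Where-Object { $_ -match 'Maximum password age' }) -replace '^.*:\s*', ''
Write-Host "Effective maximum password age on this server: $maxAge days"
Write-Host ""

foreach ($u in $local) {
    # PasswordExpires = $false is the 'Password never expires' checkbox in
    # Local Users and Groups; it exempts the account from the maximum age.
    $exempt = -not $u.PasswordExpires
    $state  = if ($u.Disabled) { "DISABLED" } else { "enabled" }
    $note   = if ($exempt) { "exempt (never expires)" } else { "WILL EXPIRE under domain max age" }
    Write-Host ("{0,-20} {1,-9} {2}" -f $u.Name, $state, $note)
}

# Check the FTP account explicitly so the checkbox state is verified, not assumed.
$ftp = $local | Where-Object { $_.Name -eq $FtpUser }
if (-not $ftp) {
    Write-Warning "Local account '$FtpUser' not found on this server."
} elseif ($ftp.PasswordExpires) {
    Write-Warning "'$FtpUser' is not marked 'Password never expires'; it will lapse again after $maxAge days."
}
```

Run it locally on the member server as an administrator; a line reporting the FTP account as "WILL EXPIRE" means the checkbox did not stick, which is the symptom the question describes.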
 

Author Closing Comment

by:tdx2000
ID: 35763153
I found the answer to the issue.
0