
Local policy vs domain policy

I'm running IIS on a win2k3 server in our domain. The IIS server is acting as an FTP server. I created a local user on that server to be used for FTP. When I set up the user account, I checked the box that said password never expires. Now 90 days later the account was disabled because the password expired. My question is how do I keep my domain password policy from overwriting local users on that server? I thought that if the user was created on that server then the user would have the local policy applied.
Asked by tdx2000
1 Solution
Michael (Systems Engineer) commented:
When you checked the box for "password never expires", was it in Active Directory?
tdx2000 (Author) commented:
No. The user was created local to the IIS server.
Joseph Moody (Blogger and wearer of all hats) commented:
Domain policy takes effect over local policy.
Michael (Systems Engineer) commented:
If this is on a Domain Controller, you may have to go into AD and make sure the "Password never expires" is applied to the domain account. From what it looks like, you can only do local users on a server that is not a DC. To test this, go into the AD and reset the password and try logging in with that user/password.
tdx2000 (Author) commented:
Our IIS server is not a DC. The user was created on that server as they would not need access to anything else on the network. There has to be a way to set up the user on the local server and not have the password expire.
Joseph Moody (Blogger and wearer of all hats) commented:
Deny them access to the password policy.
Michael (Systems Engineer) commented:
tdx2000 (Author) commented:
Is it possible to configure the IIS server so that users created locally on that server (not in AD) do not get the default domain policy applied to them? If this is possible, how?
Joseph Moody (Blogger and wearer of all hats) commented:
Yes. Take your password settings out of the default domain policy and create a new policy, then link it at the domain level.

Deny the computer and user read/apply group policy permission to this GPO.
pwindell commented:
I thought it was already true. I have never thought that Domain Level Password Policy affects local accounts. Besides that,..even with Domain Accounts,...if you check the box that says the Password does Not Expire,...then the password does not expire,...that is how you exempt certain accounts from expiring (Service Accounts, Administrator Account, other "special" accounts, etc.). Logistics dictate that not all accounts can be allowed to expire and the Administrator must maintain manual control over the passwords of such accounts,...yet Domain Password Policy is Global,...hence checking that checkbox overrides and exempts the account from the policy.
pwindell commented:
Password Policy must remain in the Default Domain Policy.
It does not work properly if placed in a different GPO.

Password Policy is the only item in Group Policy that follows that behavior; in fact it is the only set of items that should ever be changed in the Default Domain Policy. The Default Domain Policy should never be touched beyond handling the Password Policy. The Default Domain Controllers Policy should just never be touched at all,...link "new" GPOs to the Domain Controllers OU to alter settings instead.

All other settings will work in other distinct admin-created/defined GPOs, but Password Policies are unique and only work in the Default Domain Policy.
tdx2000 (Author) commented:
pwindell commented:
Ok, so it does affect the Local Accounts. Thanks for sharing the link, I was unaware of that. But it looks like the checkbox does override the GPO as I stated.

Policy set in the Default Domain Policy affects both Local and Domain Accounts,...but policy set in another sub-OU only affects Local Accounts.

Looks like some were contradicting others in that thread. Seems MS needs to do some clarification on this subject.
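The thread's conclusion is that the "Password never expires" flag on the account is what exempts it from the domain's maximum password age, so the practical check is to confirm the flag is really set on the local account and to see which maximum password age the member server is actually enforcing. The script below is an added example, not code from the thread or from any of its participants. It assumes the local FTP account is called `ftpuser` (a placeholder) and is run in an elevated PowerShell session on the member server itself; it uses the WinNT ADSI provider rather than `Get-LocalUser` because the latter does not exist on Windows Server 2003.

```powershell
# Added example (not from the thread): inspect a local account on a domain-joined
# member server and the password policy actually in force on that machine.
# Assumptions: the local FTP account is named 'ftpuser' (placeholder) and this
# runs in an elevated PowerShell session on the member server.

$AccountName      = 'ftpuser'   # placeholder for the local FTP account
$DontExpirePasswd = 0x10000     # ADS_UF_DONT_EXPIRE_PASSWD bit in UserFlags

# 1. Read the local account through the WinNT ADSI provider. UserFlags carries
#    the "Password never expires" checkbox; PasswordAge is in seconds.
$user         = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"
$flags        = [int]$user.Get('UserFlags')
$neverExpires = ($flags -band $DontExpirePasswd) -ne 0

"Account '$AccountName': PasswordNeverExpires = $neverExpires"
"Password age (days): {0:N1}" -f ([int]$user.Get('PasswordAge') / 86400)

# 2. If the flag is missing, set it so the domain's maximum password age cannot
#    expire this service account again.
if (-not $neverExpires) {
    $user.Put('UserFlags', ($flags -bor $DontExpirePasswd))
    $user.SetInfo()
    "Set 'Password never expires' on '$AccountName'."
}

# 3. Show the maximum password age the local SAM is enforcing right now. This is
#    the value a domain-linked GPO may have written over the local setting.
net accounts | Select-String 'Maximum password age'

# 4. Export the effective security policy (MaximumPasswordAge under
#    [System Access]) and list the GPOs that were applied to the computer, so
#    the source of the setting can be traced.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
Select-String -Path $cfg -Pattern '^MaximumPasswordAge'
gpresult /scope computer /v | Select-String 'Applied Group Policy Objects' -Context 0,5
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Step 1 answers the question the thread went back and forth on (is the flag actually set on the account the server authenticates against), and steps 3 and 4 show whether the 90-day maximum came from the Default Domain Policy or from a GPO linked to the server's OU, which is the distinction pwindell draws in the last comment.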
tdx2000 (Author) commented:
I found the answer to the issue.