ramziabk
asked on
Password Policy
I created a password policy that forces the users to change their passwords every 30 days. The password should be at least 8 characters, contain both numbers and letters, and the same password can't be repeated for at least 3 months.
I need to exclude one user from this policy, i.e. the user need not change his password, he can use the same password, and he can use only letters or numbers.
How do I do that? I have a Windows 2003 server with Active Directory.
You can't technically do what you want until you upgrade your AD to Windows 2008, which includes a feature called Fine-Grained Password Policies. The best you can do is to not require the password to be changed.
There is no option for how long until a password can be reused. The password reuse policy refers to how many times the password must be changed before a password may be reused. Valid values are from 0-24.
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
AD DS: Fine-Grained Password Policies
Updated: July 14, 2010
Applies To: Windows Server 2008
The Windows Server® 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Microsoft® Windows® 2000 and Windows Server® 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain. As a result, organizations that wanted different password and account lockout settings for different sets of users had to either create a password filter or deploy multiple domains. Both options are costly for different reasons.
What do fine-grained password policies do?
You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.
For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
yada yada yada
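What the fine-grained password policy route named in the answer above looks like once the domain is at the Windows Server 2008 functional level, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (available from Windows Server 2008 R2); the account name, PSO name, precedence and lockout values are constructed placeholders.

```powershell
# Added example: scope a password-policy exception to one account with a
# Password Settings Object (PSO), then verify and audit it.
# Assumes: ActiveDirectory module, domain functional level Windows Server 2008+,
# and membership in Domain Admins (required to create PSOs by default).
Import-Module ActiveDirectory

$account = 'svc-legacy'            # hypothetical sAMAccountName of the excluded user
$psoName = 'PSO-Exception-Legacy'  # hypothetical PSO name

# 1. Record the domain-wide policy that every other user keeps.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge

# 2. Create the PSO. A PSO replaces ALL password and lockout settings for its
#    subjects, so lockout is set explicitly here (constructed values) rather
#    than left at the cmdlet defaults.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 8 `
    -ComplexityEnabled $false `
    -PasswordHistoryCount 0 `
    -MinPasswordAge '0.00:00:00' `
    -MaxPasswordAge '0.00:00:00' `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00'
# A zero MaxPasswordAge means the password never expires.

# 3. Apply it to the single account only (not to a broad group).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $account

# 4. Verify which policy actually wins for that account.
#    Empty output means the default domain policy still applies.
Get-ADUserResultantPasswordPolicy -Identity $account |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge

# 5. Audit: list every PSO in the domain and who it applies to, so that
#    exceptions like this one stay visible during reviews.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Precedence = $_.Precedence
        Complexity = $_.ComplexityEnabled
        MaxAge     = $_.MaxPasswordAge
        Subjects   = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                        Select-Object -ExpandProperty SamAccountName) -join ', '
    }
}
```

When several PSOs apply to the same user, the one with the lowest Precedence value wins, which is why step 4 checks the resultant policy rather than the PSO itself.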
You can't do this with Server 2003 - only one password policy per domain
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
JAN MA CCNA