Solved

Exclude Client from Password Policy

Posted on 2011-10-14
235 Views
Last Modified: 2012-05-12
I administer a small Server 2003 domain with 12 clients.

Until recently the password policy was non-existent, and as a result of probable security breaches I implemented a more complicated password policy, i.e. 7 characters, any three of Aa1£ etc.

This has presented a problem with one client, which is a remote touch-screen with no keyboard and mouse. Presently I am able to log on remotely and complete the Ctrl-Alt-Del logon process to the screen, after which an automatic process starts to allow visitors to log on via the touchscreen.

Is there any way to either complete the boot automatically or exclude it from the password policy? Previously it had no password at all and simply started to the visitor logon.

Hope someone can help as this is becoming a nuisance.

GHB
Question by:Gordon710
8 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36967736
Hi, password policy is very important in a domain environment and should be configured for each user for security reasons. I've never checked if it's possible to disable password policy for a particular user. I believe it's possible but painful. Mostly password policy is set up in the Default Domain Policy, and filtering on that is not recommended. After that you need to play with local policy settings :/ However, I would suggest for that using autologon over GPO with an ADM template for XP, or with GPP for Win 7, or a 3rd party tool (autologon) to accomplish that. If you're interested in doing it that way, let me know and I will tell you how to do that step-by-step. I even have a ready ADM for XP, but right now I have no Internet access and you would have to wait some time.

Regards,
Krzysztof
 
LVL 12

Expert Comment

by:Rant32
ID: 36969911
Is the issue that you have to Ctrl-Alt-Del on the touch-screen? Is it only that visitor account logging on to the touch-screen device?

Having to C-A-D is not a part of the password policy, but a computer policy found here:
Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL

You could place the computer account of the touch-screen device into its own OU, and link a new policy to it that doesn't require Ctrl-Alt-Del at logon.

Setting the visitor account to a known value and enabling "Password never expires" for the account will also override your password change policy.

In Windows 2003, you can't make exceptions to the password policy based on the user or computer account.
 
LVL 12

Expert Comment

by:Rant32
ID: 36969937
Oh, I'm assuming that the visitor account is not the possible breach here, and that it's a very limited account.
 

Author Comment

by:Gordon710
ID: 36978387
Thanks for the replies.

C-A-D can be removed but the issue is then logon details. It has to be a user rather than Visitor.

Is it possible to create a script that inputs the user name and password and then completes the logon?

Prior to the changes we made on the password policy there wasn't any password on this client. So there was no C-A-D and no user input required.

GHB
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36990915
OK, so are you interested in Autologon for that computer?

Krzysztof
 

Author Comment

by:Gordon710
ID: 36992961
It's worth a go.
 
LVL 39

Accepted Solution

by:Krzysztof Pytko (earned 2000 total points)
ID: 36993011
OK, so you may use this Administrative Template in a GPO and use GPO filtering to filter out only the one PC to which it should be applied, or use MS Autologon for Windows v3.01. The software can be downloaded from
http://technet.microsoft.com/en-us/sysinternals/bb963905

and put it only on that machine. Configuration is intuitive and simple.

That's the ADM file (remove .txt from its extension):
autologon.adm.txt

Krzysztof
 

Author Comment

by:Gordon710
ID: 37031906
Hi

Thanks for your help but I managed to sort this myself with a registry edit on that PC. Full instructions can be found here.

http://support.microsoft.com/kb/315231

Possibly the same fix as suggested by Krzysztof so I'll give you the points.

GHB
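As an added check, not from the original thread or from any of the posters: a PowerShell audit of the Winlogon and CTRL+ALT+DEL settings that the fixes discussed above (the KB315231 registry edit, Sysinternals Autologon, and the "Do not require CTRL+ALT+DEL" security option) actually write. It assumes Windows PowerShell is installed on the touch-screen client and that it runs with administrator rights; the value names used (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword, DisableCAD) are the ones those methods use.

```powershell
# Added audit example, not from the original thread. Assumes Windows PowerShell
# is available on the client (an optional install on XP / Server 2003) and that
# the script runs with administrator rights.

# Key the KB315231 registry method writes to.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Key the "Interactive logon: Do not require CTRL+ALT+DEL" option writes to.
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AutologonState {
    $wl  = Get-ItemProperty -Path $Winlogon -ErrorAction Stop
    $pol = Get-ItemProperty -Path $Policies -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        AutoAdminLogon     = ($wl.AutoAdminLogon -eq '1')
        DefaultUserName    = $wl.DefaultUserName
        DefaultDomainName  = $wl.DefaultDomainName
        # KB315231 stores the password in this value in clear text, readable by
        # any local user. Sysinternals Autologon stores it as an LSA secret
        # instead, so this is empty when that tool was used.
        ClearTextPassword  = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
        # DisableCAD = 1 means CTRL+ALT+DEL is no longer required at logon.
        CtrlAltDelDisabled = ($pol -ne $null -and $pol.DisableCAD -eq 1)
    }
}

function Remove-ClearTextDefaultPassword {
    # Remediation: drop the clear-text value. Autologon keeps working only if
    # the password was also set via Sysinternals Autologon (LSA secret).
    $existing = Get-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-ItemProperty -Path $Winlogon -Name DefaultPassword
        return $true
    }
    return $false
}

$state = Get-AutologonState
$state | Format-List ComputerName, AutoAdminLogon, DefaultDomainName, DefaultUserName, ClearTextPassword, CtrlAltDelDisabled

if ($state.AutoAdminLogon -and $state.ClearTextPassword) {
    Write-Warning ("Autologon password for {0}\{1} is stored in clear text in the registry." -f $state.DefaultDomainName, $state.DefaultUserName)
}
```

Run it with Invoke-Command against the kiosk's computer name to audit it from the server; the warning is the cue to re-enter the password with Sysinternals Autologon and then call Remove-ClearTextDefaultPassword, and, as Rant32 noted, the autologon account itself should be a very limited one.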
