Exclude Client from Password Policy

I administer a small Server 2003 domain with 12 clients.

Until recently the password policy was nonexistent and, as a result of probable security breaches, I implemented a more complicated password policy, i.e. 7 characters, any three of Aa1£ etc.

This has presented a problem with one client which is a remote touch-screen with no keyboard and mouse. Presently I am able to log on remotely and complete the Ctrl-Alt-Del logon process to screen; an automatic process starts to allow visitors to log on via the touchscreen.

Is there any way to either complete the boot automatically or exclude it from the password policy? Previously it had no password at all and simply started to the visitor logon.

Hope someone can help as this is becoming a nuisance.

GHB
Gordon710 Asked:
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
OK, so you may use this Administrative Template in a GPO and use GPO Filtering to filter out only one PC to which it should be applied, or use MS Autologon for Windows v3.01. Software can be downloaded from
http://technet.microsoft.com/en-us/sysinternals/bb963905

and put it only on that machine. Configuration is intuitive and simple.

That's the ADM file (remove .txt from its extension):
autologon.adm.txt

Krzysztof
0
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
Hi, password policy is very important in a domain environment and should be configured for each user for security reasons. I've never checked if it's possible to disable password policy for a particular user. I believe it's possible but painful. Mostly password policy is set up in Default Domain Policy and doing filtering on that is not recommended. After that you need to play with local policy settings :/ However, I would suggest for that using autologon over GPO with ADM template for XP or with GPP for Win 7 or 3rd party tool (autologon) to accomplish that. If you're interested in doing it that way, let me know and I will tell you how to do that step-by-step. I even have a ready ADM for XP but now I have no Internet access and you would have to wait some time.

Regards,
Krzysztof
0
 
Rant32 Commented:
Is the issue that you have to Ctrl-Alt-Del on the touch-screen? Is it only that visitor account logging on to the touch-screen device?

Having to C-A-D is not a part of the password policy, but a computer policy found here:
Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL

You could place the computer account of the touch-screen device into its own OU, and link a new policy to it that doesn't require Ctrl-Alt-Del at logon.

Setting the visitor account to a known value and enabling "Password never expires" for the account will also override your password change policy.

In Windows 2003, you can't make exceptions to the password policy based on the user or computer account.
0
 
Rant32 Commented:
Oh, I'm assuming that the visitor account is not the possible breach here, and that it's a very limited account.
0
 
Gordon710 (Author) Commented:
Thanks for the replies.

C-A-D can be removed but the issue is then logon details. It has to be a user rather than Visitor.

Is it possible to create a script that inputs the user name and password and then completes the logon?

Prior to the changes we made on the password policy there wasn't any password on this client. So there was no C-A-D and no user input required.

GHB
0
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
OK, so are you interested in Autologon for that computer?

Krzysztof
0
 
Gordon710 (Author) Commented:
It's worth a go.
0
 
Gordon710 (Author) Commented:
Hi

Thanks for your help but I managed to sort this myself with a registry edit on that PC. Full instructions can be found here.

http://support.microsoft.com/kb/315231

Possibly the same fix as suggested by Krzysztof so I'll give you the points.

GHB
0
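An added example, not part of the thread: the registry autologon in KB 315231 is driven by the Winlogon values `AutoAdminLogon`, `DefaultUserName`, `DefaultDomainName` and `DefaultPassword`, and that method keeps the password in the registry as plain text, whereas the Sysinternals Autologon tool stores it as an LSA secret. The Python check below audits a regedit export of a kiosk machine for this; the sample export, account name and password are constructed.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: text of a regedit export from a kiosk PC (all values made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="EXAMPLE"
"DefaultUserName"="kiosk"
"DefaultPassword"="Constructed-Pa55"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
"Dummy"="x"
'''

def parse_key(export_text, key_path):
    """Return the string (REG_SZ) values found directly under key_path."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only the exact key counts, not its subkeys.
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            values[m.group(1).lower()] = m.group(2)
    return values

def audit_autologon(export_text):
    v = parse_key(export_text, WINLOGON)
    enabled = v.get("autoadminlogon") == "1"
    cleartext = bool(v.get("defaultpassword"))
    findings = []
    if enabled:
        account = v.get("defaultdomainname", "?") + "\\" + v.get("defaultusername", "?")
        findings.append("autologon enabled for " + account)
    if cleartext:
        # Report the presence of the value only; never echo the password itself.
        findings.append("DefaultPassword stored in cleartext in the registry")
    if enabled and not cleartext:
        findings.append("no cleartext DefaultPassword (may be held as an LSA secret)")
    return {"enabled": enabled, "cleartext_password": cleartext, "findings": findings}

if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_EXPORT)["findings"]:
        print(finding)
```

A cleartext finding on a kiosk is a reason to keep the autologon account tightly limited and to restrict who can read that registry key or log on to the machine remotely.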
Question has a verified solution.