Exclude Client from Password Policy

I administer a small Server 2003 domain with 12 clients.

Until recently the password policy was nonexistent and, as a result of probable security breaches, I implemented a more complicated password policy, i.e. 7 characters, any three of Aa1£ etc.

This has presented a problem with one client, which is a remote touch-screen with no keyboard and mouse. Presently I am able to log on remotely and complete the Ctrl-Alt-Del logon process to screen; an automatic process starts to allow visitors to log on via the touchscreen.

Is there any way to either complete the boot automatically or exclude it from the password policy? Previously it had no password at all and simply started to the visitor logon.

Hope someone can help as this is becoming a nuisance.

GHB
Gordon710 Asked:

Krzysztof Pytko, Senior Active Directory Engineer, Commented:
Hi, password policy is very important in a domain environment and should be configured for each user for security reasons. I've never checked if it's possible to disable password policy for a particular user. I believe it's possible but painful. Mostly password policy is set up in Default Domain Policy and doing filtering on that is not recommended. After that you need to play with local policy settings :/ However, I would suggest for that using autologon over GPO with ADM template for XP or with GPP for Win 7 or 3rd party tool (autologon) to accomplish that. If you're interested in doing it that way, let me know and I will tell you how to do that step-by-step. I even have a ready ADM for XP but now I have no Internet access and you would have to wait some time.

Regards,
Krzysztof
Rant32 Commented:
Is the issue that you have to Ctrl-Alt-Del on the touch-screen? Is it only that visitor account logging on to the touch-screen device?

Having to C-A-D is not a part of the password policy, but a computer policy found here:
Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL

You could place the computer account of the touch-screen device into its own OU, and link a new policy to it that doesn't require Ctrl-Alt-Del at logon.

Setting the visitor account to a known value and enabling "Password never expires" for the account will also override your password change policy.

In Windows 2003, you can't make exceptions to the password policy based on the user or computer account.
Rant32 Commented:
Oh, I'm assuming that the visitor account is not the possible breach here, and that it's a very limited account.

Gordon710 Author Commented:
Thanks for the replies.

C-A-D can be removed but the issue is then logon details. It has to be a user rather than Visitor.

Is it possible to create a script that inputs the user name and password and then completes the logon?

Prior to the changes we made on the password policy there wasn't any password on this client. So there was no C-A-D and no user input required.

GHB
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
OK, so are you interested in Autologon for that computer?

Krzysztof
Gordon710 Author Commented:
It's worth a go.
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
OK, so you may use this Administrative Template in a GPO and use GPO Filtering to filter out only one PC to which it should be applied or use MS Autologon for Windows v3.01. Software can be downloaded from
http://technet.microsoft.com/en-us/sysinternals/bb963905

and put it only on that machine. Configuration is intuitive and simple.

That's the ADM file (remove .txt from its extension):
autologon.adm.txt

Krzysztof

Gordon710 Author Commented:
Hi

Thanks for your help but I managed to sort this myself with a registry edit on that PC. Full instructions can be found here.

http://support.microsoft.com/kb/315231

Possibly the same fix as suggested by Krzysztof so I'll give you the points.

GHB
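
An added example, not part of the original thread: a PowerShell audit for the touch-screen PC that reports which autologon values are set under the Winlogon key and whether a password is stored there as a readable string, without printing it. The KB 315231 registry method keeps the password in the clear-text `DefaultPassword` value, while Sysinternals Autologon stores it as an LSA secret. The function name `Get-AutoLogonAudit` is hypothetical, and the script assumes PowerShell is installed on the PC.

```powershell
# Added example (not from the thread): audit autologon settings on one PC.
# Reports whether a password is stored as a readable string; never prints it.
function Get-AutoLogonAudit {   # hypothetical helper name
    param(
        [string]$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [string]$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $w = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    # AutoAdminLogon is a string value; "1" turns automatic logon on.
    $enabled = ($w.AutoAdminLogon -eq '1')
    # DefaultPassword, when present, is an ordinary REG_SZ readable by
    # anyone with read access to the key.
    $plain = -not [string]::IsNullOrEmpty($w.DefaultPassword)
    # DisableCAD = 1 is the "Do not require CTRL+ALT+DEL" policy.
    $noCad = ($null -ne $p) -and ($p.DisableCAD -eq 1)

    # Who holds Allow entries on the key (review for broad groups).
    $readers = (Get-Acl -Path $WinlogonKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights }

    $findings = @()
    if ($enabled -and $plain) {
        $findings += 'Autologon is on and DefaultPassword holds a clear-text password.'
    } elseif ($plain) {
        $findings += 'DefaultPassword is set although autologon is off; remove the value.'
    } elseif ($enabled) {
        $findings += 'Autologon is on with no DefaultPassword value (password may be an LSA secret).'
    }
    if ($noCad) { $findings += 'CTRL+ALT+DEL is not required at logon.' }

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        AutoAdminLogon    = $enabled
        Account           = ('{0}\{1}' -f $w.DefaultDomainName, $w.DefaultUserName)
        PlaintextPassword = $plain
        CadDisabled       = $noCad
        KeyReaders        = $readers
        Findings          = $findings
    }
}

Get-AutoLogonAudit | Format-List
```

If `PlaintextPassword` comes back true, the autologon account should be a dedicated, minimally privileged one, since any account listed under `KeyReaders` can read its password.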
Windows Server 2003