Password Policy - Windows 2008 DC

Dear experts,

May I have some help in doing password policy in Windows 2008 environment?

I haven't come across GPOs before, so I am new to this. From the stuff I saw on the internet it doesn't look too complicated, but I would like to get confirmation from experts.

So here are my questions.

1. Where do I do password policy? From my research I think I need to do this in Local Group Policy Editor on the DC, then expand Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Password Policy - am I correct?

2. Why is the setting "Password must meet complexity requirements" disabled and greyed out? How do I change it?

3. What do I need to do after I did the setting? Restart DC?

I understand Password Policy was a global thing in Win 2003. We would like to exempt some users from this Password Policy, is this possible?

However, we still have a Windows 2003 DC in our remote office but we have plan to uplift it to Windows 2008 DC in coming months. Do I have to bring this forward if I want to exempt some users of Password policy?

Thank you for your assistance. I know I have asked a lot of questions here please accept my apology.
Asked by ormerodrutter

KCTS commented:
As has been said, in Windows the password policy is set at the domain level. You can't use a GPO to specify different password policies for different users; the only way you can do that is to implement 'fine-grained password policies', see
http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx
Mike Kline commented:
1. Password policy in your domain has to be set as a group policy at the domain level. You can use GPMC to configure GPOs.

2. It should not be grayed out; are you setting the policy at the domain level?

3. You don't need to restart the DC.

Once you upgrade your domain functional level to 2008 you can use fine-grained password policies. This will allow you to exempt users or groups and set your own policy. More on FGPP here: http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

Thanks

Mike
myhc commented:
1) login to the domain controller

2) Click the Windows "Start" button on your server. Click "Control Panel" and then click "Administrative Tools." In the list of shortcuts, click "Group Policy Editor" to open the GPO configuration console.

3) Click the "Security Settings" icon on the left to expand a list of options. In these options, click the plus sign next to "Account Policies." In this list of options, click "Password Policy." A list of domain password policies is listed in the centre details section.

4) Double-click the policy you want to edit. For instance, if you want to require users to enter a password with a minimum length, double-click "Minimum password length." A dialogue box opens where you change the settings.
Krzysztof Pytko (Active Directory Engineer) commented:
Just to extend what others have already said, you may also check two articles on my blog about password policy. One is completely new and is about Fine-Grained Password Policies in Windows Server 2012, but it also gives an overview of that.

Please check these articles
http://kpytko.wordpress.com/2012/05/16/domain-password-policy/
http://kpytko.wordpress.com/2012/09/10/fine-grained-password-policy/

Regards,
Krzysztof
Sarang Tinguria (Sr Engineer) commented:
1. Where do I do password policy? From my research I think I need to do this in Local Group Policy Editor on the DC, then expand Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Password Policy - am I correct?
--> The path is correct, but the policy should be the Default Domain Policy, not Local Computer Policy.

2. Why is the setting "Password must meet complexity requirements" disabled and greyed out? How do I change it?
--> It might be because you are looking in Local Computer Policy.

3. What do I need to do after I did the setting? Restart DC?
--> Just run "gpupdate /force".

I understand Password Policy was a global thing in Win 2003. We would like to exempt some users from this Password Policy, is this possible?
--> In your case you have a 2003 DC, which means you are not running at the 2008 domain functional level, so it is not possible from a Windows perspective; you will have to use a 3rd-party tool.
ormerodrutter (author) commented:
OK. Just trying to be a bit cheeky to ask: if I have set up a password policy to make users change their passwords every x months, can I exclude some users by ticking the "Password never expires" box under User Properties?

Had a look at Fine-Grained Password Policy. A bit complicated, but I may give it a go. But it looks like you are using Fine-Grained policy to define different policies for different groups/users, whereas what I want to achieve is to exclude a group of users from the default domain policy (containing the password policy). So if I define the password policy at domain level, will that supersede any relevant password policies at user level?
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, this will overwrite the requirement for a password change.
In Windows Server 2003 you can only have one password policy, defined at domain level; you cannot create an additional GPO with password settings and apply it to another OU. It won't work.

Krzysztof
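An added example, not from the thread or any of the participants, that puts the two points above into a check you can run on the DC: it reads the effective domain-level password policy (the one the Default Domain Policy GPO sets) and then lists every enabled account whose "Password never expires" flag exempts it from the maximum password age, plus accounts flagged as not requiring a password at all. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT on a later client; it does not exist on 2008 RTM) and an account that can read the domain. The "weak setting" thresholds are the example's own choices, not Microsoft defaults.

```powershell
# Added example (not from the thread). Audit the domain-level password policy and
# enumerate the per-account exemptions that "Password never expires" creates.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

Write-Host "Domain:                 $($domain.DNSRoot) (functional level $($domain.DomainMode))"
Write-Host "Minimum length:         $($policy.MinPasswordLength)"
Write-Host "Complexity enabled:     $($policy.ComplexityEnabled)"
Write-Host "Max password age:       $($policy.MaxPasswordAge)"   # 00:00:00 = never expires
Write-Host "Min password age:       $($policy.MinPasswordAge)"
Write-Host "History count:          $($policy.PasswordHistoryCount)"
Write-Host "Lockout threshold:      $($policy.LockoutThreshold)"
Write-Host "Reversible encryption:  $($policy.ReversibleEncryptionEnabled)"

# Thresholds below are this example's choices for what a reviewer would question.
$findings = @()
if ($policy.MinPasswordLength -lt 12)            { $findings += "Minimum password length is below 12" }
if (-not $policy.ComplexityEnabled)              { $findings += "Complexity requirement is disabled" }
if ($policy.ReversibleEncryptionEnabled)         { $findings += "Reversible encryption is enabled (passwords recoverable)" }
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += "Passwords never expire at domain level" }
if ($policy.LockoutThreshold -eq 0)              { $findings += "No account lockout threshold (online guessing unthrottled)" }

# "Password never expires" on an account overrides MaxPasswordAge for that account,
# so every such enabled account is an exemption from the domain policy.
$exempt = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
                     -Properties PasswordLastSet
foreach ($u in $exempt) {
    $findings += "{0} has 'Password never expires' (password last set {1})" -f $u.SamAccountName, $u.PasswordLastSet
}

# PASSWD_NOTREQD bypasses the policy entirely: the account may have a blank password.
$noPwReq = Get-ADUser -Filter 'PasswordNotRequired -eq $true -and Enabled -eq $true'
foreach ($u in $noPwReq) {
    $findings += "$($u.SamAccountName) has 'Password not required' set"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No findings."
}
```

Run it before and after editing the Default Domain Policy (and after `gpupdate /force` on the DC) to confirm the values you set are the ones the domain actually enforces, and keep the exemption list short and reviewed: each "Password never expires" account is a standing exception that no GPO setting will close.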
ormerodrutter (author) commented:
Of course I will upgrade our domain functional level to 2008 before thinking of fine-grained policy. So if I define the password policy at domain level with a password age and length, will that supersede any relevant password policies set at user level?

E.g. Whole company - policy 1 (password age and length)
       Directors - policy 2 (no restriction on password whatsoever)

Will policy 2 be superseded by policy 1 (because P1 is at a higher level)? If so there is no point in me trying fine-grained...
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, as there is only one password policy valid for the domain. Policy 1 will always be applied for password settings and policy 2 will never be used.

Krzysztof
ormerodrutter (author) commented:
Even with 2008 DC?
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, there is only one password policy per domain, which you can define over GPO at domain level. The rest (2008 and above DFL) support Fine-Grained Password Policies, but they are applied only to users or groups. You cannot assign an FGPP at domain level or to an OU.

Krzysztof
ormerodrutter (author) commented:
OK, so I guess the way forward is to assign two separate FGPPs, one to the Directors group and the other to the Staff group (which contains everyone apart from Directors). Am I correct?
Mike Kline commented:
Just keep the password policy for everyone else, and then create an FGPP for directors. By the way, FGPP is a pain to administer in 2008/2008 R2.

...you can even put up a 2012 member server and use the new GUI

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/04/new-features-in-active-directory-domain-services-in-windows-server-2012-part-7-fine-grained-password-policy-gui.aspx

Thanks

Mike
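The setup Mike describes (domain policy for everyone, one FGPP for directors) as an added example in PowerShell, not code from the thread or any participant. It first refuses to run below the Windows Server 2008 domain functional level, which is the prerequisite the thread keeps coming back to, then creates the FGPP, links it to a group rather than to individual users, and finally shows which policy each user actually resolves to. It assumes the ActiveDirectory module (2008 R2 / RSAT or later), Domain Admins rights, and that a group named "Directors" and the user accounts shown exist; the policy name, group name, account names and the numeric settings are placeholders chosen for the example.

```powershell
# Added example (not from the thread). Exempt the Directors group from password
# rotation with a Fine-Grained Password Policy and verify the resultant policy.
# Assumes the ActiveDirectory module and Domain Admins rights; names are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# FGPP requires the Windows Server 2008 domain functional level or higher.
# ADDomainMode is an ordered enum (Windows2000Domain < ... < Windows2008Domain < ...).
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 before using FGPP."
}

$policyName = 'Directors-NoExpiry'   # placeholder name
$groupName  = 'Directors'            # placeholder group, assumed to exist

# Lower precedence number wins if a user falls under more than one FGPP.
# Length and complexity are kept deliberately strict: the exemption is from
# rotation only, not from having a strong password. The AD cmdlets represent
# "never expires" as a MaxPasswordAge of 00:00:00; check it after creation.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -MaxPasswordAge ([TimeSpan]::Zero) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Apply to the group, not to individual users, so membership changes carry the policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Confirm what was written, including who it applies to.
Get-ADFineGrainedPasswordPolicy -Identity $policyName |
    Format-List Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge, AppliesTo

# Resultant policy per user: null means no FGPP applies and the domain-level
# policy (Default Domain Policy GPO) is in force for that account.
foreach ($sam in 'jane.director', 'bob.staff') {   # placeholder accounts
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($rsop) {
        "{0,-16} -> FGPP '{1}' (MaxPasswordAge {2})" -f $sam, $rsop.Name, $rsop.MaxPasswordAge
    } else {
        "{0,-16} -> domain default policy" -f $sam
    }
}
```

Two points worth keeping in mind when running this: FGPP subjects must be users or global security groups (it cannot be linked to an OU, as Krzysztof says above), and `Get-ADUserResultantPasswordPolicy` is the authoritative way to answer "which policy does this account get", since group nesting and precedence are resolved by the DC rather than by reading the group membership yourself.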