ormerodrutter asked:

Password Policy - Windows 2008 DC

Dear experts,

May I have some help in doing password policy in a Windows 2008 environment?

I haven't come across GPOs before so am new to this thing. From the stuff I saw on the internet it doesn't look too complicated, but I would like to get a confirmation from experts.

So here are my questions.

1. Where do I do password policy? From my research I think I need to do this in Local Group Policy Editor on the DC, then expand Local Computer Policy>Computer Configurations>Windows Settings>Security Settings>Password Policy - am I correct?

2. Why has the setting "Password must meet complexity requirements" been disabled and greyed out? How do I change it?

3. What do I need to do after I have done the setting? Restart the DC?

I understand Password Policy was a global thing in Win 2003. We would like to exempt some users from this Password Policy, is this possible?

However, we still have a Windows 2003 DC in our remote office, but we have a plan to uplift it to a Windows 2008 DC in the coming months. Do I have to bring this forward if I want to exempt some users from the password policy?

Thank you for your assistance. I know I have asked a lot of questions here; please accept my apology.
myhc

1) Log in to the domain controller.

2) Click the Windows "Start" button on your server. Click "Control Panel" and then click "Administrative Tools." In the list of shortcuts, click "Group Policy Editor" to open the GPO configuration console.

3) Click the "Security Settings" icon on the left to expand a list of options. In these options, click the plus sign next to "Account Policies." In this list of options, click "Password Policy." A list of domain password policies is listed in the centre details section.

4) Double-click the policy you want to edit. For instance, if you want to require users to enter a password with a minimum length, double-click "Minimum password length." A dialogue box opens where you change the settings.
Just to extend what others have already said, you may also check 2 articles on my blog about password policy. One is completely new and is about Fine-Grained Password Policies in Windows Server 2012, but it also gives an overview of that.

Please check these articles
http://kpytko.wordpress.com/2012/05/16/domain-password-policy/
http://kpytko.wordpress.com/2012/09/10/fine-grained-password-policy/

Regards,
Krzysztof
1. Where do I do password policy? From my research I think I need to do this in Local Group Policy Editor on the DC, then expand Local Computer Policy>Computer Configurations>Windows Settings>Security Settings>Password Policy - am I correct?
--> The path is correct; the policy name should be Default Domain Policy, not Local Computer Policy.
2. Why has the setting "Password must meet complexity requirements" been disabled and greyed out? How do I change it?
--> It might be because you are looking in Local Computer Policy.
3. What do I need to do after I have done the setting? Restart the DC?
--> Just run "gpupdate /force".
I understand Password Policy was a global thing in Win 2003. We would like to exempt some users from this Password Policy, is this possible?
--> In your case you have a 2003 DC, which means you are not running at the 2008 domain functional level, so it's not possible from a Windows perspective; you will have to use a 3rd-party tool.
ormerodrutter (ASKER)

OK. Just trying to be a bit cheeky to ask: if I have set up a password policy to make users change their passwords every x months, can I exclude some users by ticking the "Password never expires" box under User Properties?

Had a look at Fine-Grained Password Policy. A bit complicated but I may give it a go. But it looks like you are using fine-grained policy to define different policies for different groups/users, whereas what I want to achieve is to exclude a group of users from the default domain policy (containing the password policy). So if I define the password policy at domain level, will that supersede any relevant password policies at user level?
Yes, this will overwrite the requirement for password change.
In Windows Server 2003 you can only have one password policy, defined at domain level; you cannot create an additional GPO with password settings and apply it to another OU. It won't work.

Krzysztof
Of course I will upgrade our domain functional level to 2008 before thinking of fine-grained policy. So if I define the password policy at domain level with a password age and length, will that supersede any relevant password policies set at user level?

E.g. Whole company - policy 1 (password age and length)
       Directors - policy 2 (no restriction on password whatsoever)

Will policy 2 be superseded by policy 1 (because P1 is at a higher level)? If so, there is no point in me trying fine-grained then...
Yes, as there is only one password policy valid for the domain. Policy 1 will always apply for password settings and policy 2 will never be used.

Krzysztof
Even with 2008 DC?
Yes, there is only one password policy per domain, which you can define via a GPO at domain level. The rest (2008 and above DFL) supports Fine-Grained Password Policies, but they are applied only to users or groups. You cannot assign an FGPP at domain level or to an OU.

Krzysztof
OK, so I guess the way forward is to assign two separate FGPPs, one to the Directors group and the other to the Staff group (which contains everyone apart from Directors). Am I correct?
Just keep the password policy for everyone else, and then create an FGPP for directors. By the way, FGPP is a pain to administer in 2008/2008 R2

...you can even put up a 2012 member server and use the new GUI

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/04/new-features-in-active-directory-domain-services-in-windows-server-2012-part-7-fine-grained-password-policy-gui.aspx

Thanks

Mike
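
The approach from the last reply (keep the domain policy for everyone, add one FGPP for the directors), sketched in PowerShell as an added example that is not part of any post in this thread. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the group name Directors, the policy name Directors-PSO, the user jsmith and all setting values are constructed.

```powershell
# Added example: Directors, Directors-PSO, jsmith and every value below are constructed.
Import-Module ActiveDirectory

# FGPP needs domain functional level Windows Server 2008 or higher, so it is
# unavailable while a Windows 2003 DC keeps the functional level down.
$domain = Get-ADDomain
$tooOld = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
if ($tooOld -contains $domain.DomainMode.ToString()) {
    throw "Domain functional level is $($domain.DomainMode); raise it before using FGPP."
}

# The single domain-wide password policy that applies to everyone by default.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, ComplexityEnabled

# Create a separate password settings object for the exception group.
New-ADFineGrainedPasswordPolicy -Name 'Directors-PSO' `
    -Precedence 10 `
    -MinPasswordLength 14 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 12 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# An FGPP attaches to users or global security groups, never to an OU or the domain.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Directors-PSO' -Subjects 'Directors'

# Verify: returns the password settings object that wins for this user,
# or nothing when only the domain policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith'

# Audit the other exemption route raised in the thread: user accounts with
# the "Password never expires" flag set.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Select-Object Name, SamAccountName, Enabled
```

Everyone outside the Directors group keeps the domain password policy, so no second FGPP is needed for the rest of the company.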