Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 89
  • Last Modified:

2 questions Microsoft 2012 Server Essentials Small Business Server

Is it possible to use this as a workgroup and Not as a domain?

Second is it possible and if so how to reduce the password security to less that 7 ?
0
kaman40
Asked:
kaman40
  • 3
  • 3
  • 2
  • +3
1 Solution
 
Cliff GaliherCommented:
1) No. The Essentials SKU must be a domain controller and hold all FSMO roles.
2) Standard group policies apply here. Just edit the default domain policy to meet your needs. Not that I *ever* recommend weak passwords. 7 characters is not a lot and can often be rainbow tabled faster than it takes to pour a cup of coffee.
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Agree with Cliff and I think he meant to say "...*Never* recommend weak passwords."

I consider it foolish to do so - train your users.  Complex passwords are not hard with some simple rules...
0
 
David AtkinIT ProfessionalCommented:
Not really sure why you'd want to do this unless you're client OS's aren't Pro editions?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Cliff GaliherCommented:
C'mon Lee. "Not that I never" would be a double negative!  "Not that I ever recommend" is proper grammar in that instance and equates to "I never recommend" in context.  

Or we can debate the nuances of double negatives at summit in a few short months.  *evil grin*
1
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
I misread - on my screen Not is on the previous line and I guess my skimming made that look different... <g>
0
 
kaman40Author Commented:
LOL thanks guys, It's just a weird setup and the owner of the system has had his system as a workgroup for 7 years running server 2003 and he had to buy the cals etc. The 2012 version has 25 users w/o cals etc. and he just didn't want to have the strict rules of this domain controller.  He is actually an isolated system so the strict pw are really necessary for this application, nor profiles etc.
0
 
kaman40Author Commented:
sorry meant to say unnecessary
0
 
Adam BrownSr Solutions ArchitectCommented:
You have to have CALs for Windows Server even if it's a workgroup. Doing *anything* with a Windows server requires CALs. That includes DNS, DHCP, and file storage. So if he has Windows versions that allow domain joining, get them on the domain. It makes things way way easier.

At any rate, 2012 Essentials does need to be a domain controller, and as such, to change the password requirements for users on the server is to create a GPO that modifies the password settings requirements and link it to the domain (Or you can use Fine Grained Password Policy). You can drop the minimum length down to 7 (or 0, actually) and disable complexity if you want to. The policy just won't apply to the domain users unless it's linked directly to the domain itself.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Let me correct Adam Brown on this...

Server 2012 Essentials does NOT need CALS ever.  

Let me also correct Dave Atkin...

It doesn't matter if workstations are Pro or Home version with Server 2012 Essentials -- any version of Windows can join an Essentials domain.

To change the password policy (even though none of us recommend doing this), follow these steps:

1.  Open the Windows Server Essentials Dashboard, and then click Users.
2.  In the Users Tasks pane, click Set the password policy.
3.  On the Change the Password Policy screen, set the level of password strength by moving the slider.
4.  Click Change policy.
2
 
Adam BrownSr Solutions ArchitectCommented:
Just an FYI (because this seems to be a very common myth about windows passwords):
7 characters is not a lot and can often be rainbow tabled faster than it takes to pour a cup of coffee

This is only true if you're using a version of windows prior to Vista (XP and earlier) and haven't disabled storage of LM hashes. Since 2008 and Vista came out, LM hashes aren't stored by default. Those are the ones that have the full rainbow table mapped out in something the size of a CD. NT Hashes (Which use MD4) aren't nearly as thoroughly mapped, and the full rainbow table for up to 7 characters is 52GB or more.  If you have 8 characters, the rainbow tables are 460GB for the full keyspace. The rainbow tables available for NT hashing above 9 characters only include alpha-numeric characters with mixed case. Once you pass 10 characters, good luck finding a rainbow table that will fit on the average hard drive (also, the only tables available are alpha-numeric, lower case only).

You can't actually get the hash for a domain account from anything other than the Domain Controller. Workstations don't store it. Using Cached credentials on a Domain Joined computer actually stores a "validation" package that doesn't use NT or LM hashing. It uses a much more secure method, and cached credentials can't be used to authenticate against anything in the Domain. Rainbow tables on workstations will only get you local account access to the computer. You can't get domain access using a rainbow table unless you're able to log in to the DC with System level access, which means everything's pretty much broken anyway, and why do you need a Rainbow table if you have System account level access to the AD Database already? https://technet.microsoft.com/en-us/library/hh994565(v=ws.11).aspx for reference.
1
 
Adam BrownSr Solutions ArchitectCommented:
Server 2012 Essentials does NOT need CALS ever.  

Did not know that. Thanks for the info :D
0
 
David AtkinIT ProfessionalCommented:
Thanks Jeffrey, I tried deleting my comment once I realised it was Essentials.  I was about a minute too late after Lee's comment.
0
 
kaman40Author Commented:
Thank you that was the best and most precise answer. I wasn't sure about the domain as I was questioning whether there was a registry hack to change to workgroup.  This is a small office and the basic premise was a workgroup is fine and he doesn't need the level of security a domain provides. Everything is currently on 2003 server but just as a data storage. There is only one main file and it is just mapped to each workstation.  The sole purpose was upgrading to a larger server that can handle more memory and storage and keep the system as it is.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now