Thanks. The reason for this is we have domain level service accounts for SQL and Exchange, etc. We don't want those to change those passwords. How do you folks handle these? Thanks for all your help!

-----Original Message-----
From: Francis Ouellet [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Yup, and that's the dumbest thing I've said today...or this week. Yeah, this week for sure. Next time I'll actually read my answers twice!

/bangs head on desk

Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 6 April 2005 15:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

If it is for domain IDs you should have stopped right here

"It's going to be domain"

Policy for domain accounts such as password policy, lockout policy, etc, are whole domain or nothing due to the policy effecting changes to values on the domain NC head AD object and then applying to all accounts regardless of hierarchy.

It can be overridden by setting specific accounts to never expire but that usually just ends up being a huge security risk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, April 06, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Password Policy

Hi Christine,

It's going to be domain wide unless you set certain OUs to block inheritance.

Have a look at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/212eb1fd-11f4-465f-b243-73e542d06b2c.mspx for more info!

Thanks,

Francis

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: 6 April 2005 14:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Change Password Policy

Hello,

We are looking to implement a GPO to force password changes. Is there any way to restrict who this applies to? Or if I set it for the domain, it's domain wide.

Thanks
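
Added example, not part of the original thread: joe's reply notes that exempting accounts by marking them "never expire" carries a security cost, so the sketch below audits which enabled accounts carry that exemption and how old their passwords are. The records, account names and audit date are constructed for illustration; the `userAccountControl` flag values and the `pwdLastSet` FILETIME format are the documented Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002          # userAccountControl: account is disabled
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample records (hypothetical accounts), shaped like attributes
# exported from AD. pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
SAMPLE = [
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x10200,
     "pwdLastSet": 126858528000000000,            # 2003-01-01
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "svc-exch", "userAccountControl": 0x10200,
     "pwdLastSet": 127490112000000000},           # 2005-01-01
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200,
     "pwdLastSet": 127490112000000000},           # normal user, policy applies
    {"sAMAccountName": "old-svc", "userAccountControl": 0x10202,
     "pwdLastSet": 126858528000000000},           # disabled, skipped
]

def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def never_expire_accounts(records, now):
    """Return (name, password_age_days, has_spn) for enabled accounts that
    bypass password expiry, oldest password first."""
    findings = []
    for rec in records:
        uac = rec["userAccountControl"]
        if uac & ACCOUNTDISABLE or not uac & DONT_EXPIRE_PASSWORD:
            continue
        age = (now - filetime_to_datetime(rec["pwdLastSet"])).days
        has_spn = bool(rec.get("servicePrincipalName"))
        findings.append((rec["sAMAccountName"], age, has_spn))
    return sorted(findings, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    audit_date = datetime(2005, 4, 6, tzinfo=timezone.utc)  # constructed
    for name, age, has_spn in never_expire_accounts(SAMPLE, audit_date):
        print(f"{name}: password {age} days old, SPN registered: {has_spn}")
```

Reviewing this list on a schedule keeps the exempted service accounts visible, so their passwords can still be rotated by hand during a maintenance window.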