What? Another "door" scenario? :)

Good one though

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Wednesday, April 13, 2005 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

I think you might have misinterpreted the example.  It was a bit of a stretch, 
but use your imagination... :)  The resource in the example is the server room. 
 If the server room has more than one door, you would expect them to all abide 
by the same rules.  Thus, regardless of which door you use to get in to that 
resource, you still have to meet the same criteria.

You are talking about domain accounts.  It does not matter which machine you 
are logging into, if you are using a domain account, the policy is the same.  
Thus, if your super-secret researcher goes to a secretary's computer, he will 
still log into his own domain, and be bound by the same rules.  A domain only 
allows one set of password policies.  That is it.  If you want different 
policies, create another domain.  It sucks, but as mentioned, get in line if 
you want to complain...  You can set *workstation* password policies all over 
the place, but they only apply to accounts created on the local workstation.

        Tyson.

---------------------------------- 
Tyson Leslie 
Senior Network Analyst
Colt Engineering Corporation 
(403) 258-8153 
[EMAIL PROTECTED] 
---------------------------------- 



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Hill
Sent: Tuesday, April 12, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

You can link a GPO to an OU with a different set of password requirements than 
the domain policy -- you can block the OU from inheriting the Default Domain 
Policy as well, so AFAIK, you can have many OUs, each with different password 
complexity requirements (or more generally, each OU with its own computer/user 
GPO settings).  The statement about "you certainly don't want policies attached 
to 2000 users" also makes no sense -- the GPO is created once, and "attaches 
itself" to the user or computer as appropriate for the OU...

And finally -- let me suggest that were I running Los Alamos, I would want my 
super-gee-whiz nuclear weapons researchers to have complex passwords.  I WOULD 
NOT WANT THEM GOING TO A SECRETARY'S COMPUTER AND CHANGING THEIR PASSWORD TO 
"foo".  Passwords are properties of a user, not a computer.
Think about this another way -- it is the user that has rights to resources on 
the network.  Those resources may be sensitive, so it really should not matter 
what computer the user is at when changing their password.  That particular 
user's password should always be complex....


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 11, 2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

If I have a rule that says Kurt Hill must know the lock code to the server 
room, where should I put the lock and set the code? On Kurt Hill, or on the 
Server Room door?
 
If I put the lock (with the code) on Kurt, and Kurt goes to the server room, 
who will validate and enforce the "rule"?
 
I know that analogies are bad, but ..... think about that.
 
The password requirement has to be enforced "somewhere". If it's a domain-wide 
requirement and you have 2000 users, you certainly don't want the policies 
"attached" to the users - and created 2000 times..... and have each user check 
themselves for compliance. You know, that may not be a "bad idea".
We can then require that the users zap themselves each time they create 
non-compliant passwords :)
 
If your beef is the fact that there is only one possible domain-wide or 
computer-specific password policy, then I say .... welcome to the club, pick a 
number :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Kurt Hill
Sent: Mon 4/11/2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password complexity requirements



Can anyone explain why password complexity requirements are a computer, and not 
a User setting?  The scenario I envision for using password complexity 
requirements is for network admins (Users!!) who I want to force more complex 
passwords on, but general users (students) do not need this setting.  From what 
I can see, the way MS set it up, I would set password policy on student 
computers, and admin policy on admin computers, but that means that an admin 
can go to a student computer and pick a more convenient password!!  How does 
that pass for security??

 

Any ideas on that one?

 

Thanks,

Kurt

 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/