I know we've wandered a little of topic here, but to expand on Thor HoGs point:
If you apply a password policy GPO to the domain, it will apply only to accounts authenticated on the domain. If you apply a password policy GPO to an OU (that contains machine accounts), it will apply only to local user accounts created on the machines in that, and subordinate OUs. It has always been said that if you want different password policies for different users you need to put them in different domains, either in the same, or different forests. I believe (but can't test it at the moment) that this annoyance has been addressed in Windows 2008 such that password policies can be applied per OU that will only affect the users accounts in those OUs. Cheers James James D. Stallard, MIoD Infrastructure Technical Architect Web: www.leafgrove.com LinkedIn: www.linkedin.com/in/jamesdstallard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thor (Hammer of God) Sent: 15 August 2007 21:45 To: Bean, John (DSHS); dubaisans dubai; [email protected] Cc: Knowlton, Jay (DSHS/ISSD) Subject: RE: Password complexity - improvement Correct- GPO allows you to specify whether "passwords must meet complexity requirements" or not. But the actual "complexity requirement" itself is dictated by passfilt.dll, which lives on the DC that the user authenticates against when a password is set or changed. If you don't push out your custom passfilt.dll to all controllers, then the "default" passfilt.dll will be used when users change or set passwords on those controllers (the ones not customized). So, in that respect, it's not actually at the "domain level," but rather, at the "controller level." t ------------ veni, vidi, veni denuo > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Bean, John (DSHS) > Sent: Wednesday, August 15, 2007 9:25 AM > To: dubaisans dubai; [email protected] > Cc: Knowlton, Jay (DSHS/ISSD) > Subject: RE: Password complexity - improvement > > > > It is my understanding that your request to enforce all four properties > can only be enforced on the domain level. There is no way to have one > password complexity policy on the domain level and a second more > password complexity policy on a child OU. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > On Behalf Of dubaisans dubai > Sent: Tuesday, August 14, 2007 11:15 PM > To: [email protected] > Subject: Password complexity - improvement > > Is there a way to improve the password complexity requirements in > Windows 2000/2003 servers > > The default will enforce 3 of the following 4 properties - Uppercase, > smallercase, numbers, special-characters. > > Is there a way to enforce all 4 properties. I donot want to install > third-party software > > I have read about customising passfilt.dll . Is that recommended. Does > MS provide a customised passfilt.dll for download and install. > > Are there any support issues if I go for something like this ? >
