RE: [ActiveDir] Password policy scenerio

[Ulf B. Simon-Weidner]

Title: Message








Hi Steve,



still the same, no matter
what OS, Forest or Domain Mode or SP.





Gruesse - Sincerely,



Ulf B. Simon-Weidner













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Wednesday, September 01,
2004 4:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Password
policy scenerio







Is this the same as Windows 2003 Native Domain?







- Original Message - 





From: Coleman, Hunter






To: '[EMAIL PROTECTED]' 





Sent:
Tuesday, August 31, 2004 8:32 PM





Subject:
RE: [ActiveDir] Password policy scenerio









Password policies are
domain-wide, so you can only have one per domain. If you have different
requirements within a domain, you'll have to settle for voluntary compliance or
carve off a separate domain.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236



Hunter









From:
Steve Schofield [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 31, 2004
6:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password
policy scenerio



I have a question on password policy and get people's
input. From what i read, most people or things I've read implement their
password policy using the Default Domain Policy or a custom policy with this
linked to the Top of the domain.There is some existing password
settings in the Default Domain Policy but these aren't the settings I want to
apply to my Persons OU. I want to create a custom policy with the correct
password settings then link to the Persons OU. I've went ahead and
done this and experiencing un-expected results. 











By default the Default Domain Policy is inherited on
the Persons OU. then i have the custom Password Policy linked to this
OU. I hate to have to implement the password at the top of the domain
cause this could cause issues in the domain for other user accounts outside the
Persons OU. I've created, linked acustom Password
Policy to the Persons OU. when I do a gpresult, the custom Password
policy processes after the Default Domain Policy. When I do gpresult,
says all policies appliedbut the Default Domain Policy was currently
setup to allow zero length passwords. I want to implement a 6 length
minimum but it still allows people to have zero-lengthed policy when changing
their password on a workstation in this domin. I don't want to put the
authenticated users (in the filtered list of the GPO) in the custom password
policy that is linked to the Persons OU until I get expected results with a few
machines and test users. Would I have to , in the filtered list of the
custom password policy, the userID and machine they are logging into to insure
the custom password policy is applied. Currently people can reset their password
to zero length. I'm missing the obvious but would appreciate input.
Sorry for the long post but wanted to share what i've done so far. 











Steve

RE: [ActiveDir] Password policy scenerio

[Perdue David J Contr InDyne/Enterprise IT]

Title: Message



Check out Password Policy Enforcer. I think it has 
the ability to create different policies based on group memebership within the 
same domain.

Dave



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-WeidnerSent: Wednesday, September 01, 2004 11:21 
AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] 
Password policy scenerio


Hi 
Steve,

still the same, no 
matter what OS, Forest or Domain Mode or SP.


Gruesse - 
Sincerely,

Ulf B. 
Simon-Weidner





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Steve 
SchofieldSent: Wednesday, 
September 01, 2004 4:07 AMTo: 
[EMAIL PROTECTED]Subject: Re: [ActiveDir] Password policy 
scenerio


Is this the same as Windows 2003 
Native Domain?

  
  - Original Message - 
  
  
  From: Coleman, Hunter 
  
  
  To: '[EMAIL PROTECTED]' 
  
  
  Sent: Tuesday, August 31, 2004 8:32 
  PM
  
  Subject: RE: [ActiveDir] Password policy 
  scenerio
  
  
  Password policies are 
  domain-wide, so you can only have one per domain. If you have different 
  requirements within a domain, you'll have to settle for voluntary compliance 
  or carve off a separate domain.
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236
  
  Hunter
  
  
  
  
  From: Steve Schofield 
  [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 31, 2004 6:11 
  PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Password policy 
  scenerio
  
  I have a question on password 
  policy and get people's input. From what i read, most people or things 
  I've read implement their password policy using the Default Domain Policy or a 
  custom policy with this linked to the Top of the domain.There is 
  some existing password settings in the Default Domain Policy but these aren't 
  the settings I want to apply to my Persons OU. I want to create a custom 
  policy with the correct password settings then link to the Persons 
  OU. I've went ahead and done this and experiencing un-expected 
  results. 
  
  
  
  By default the Default Domain 
  Policy is inherited on the Persons OU. then i have the custom Password 
  Policy linked to this OU. I hate to have to implement the password at 
  the top of the domain cause this could cause issues in the domain for other 
  user accounts outside the Persons OU. I've created, linked 
  acustom Password Policy to the Persons OU. when I do a gpresult, 
  the custom Password policy processes after the Default Domain Policy. 
  When I do gpresult, says all policies appliedbut the Default Domain 
  Policy was currently setup to allow zero length passwords. I want to 
  implement a 6 length minimum but it still allows people to have zero-lengthed 
  policy when changing their password on a workstation in this domin. I 
  don't want to put the authenticated users (in the filtered list of the GPO) in 
  the custom password policy that is linked to the Persons OU until I get 
  expected results with a few machines and test users. Would I have to , 
  in the filtered list of the custom password policy, the userID and machine 
  they are logging into to insure the custom password policy is applied. 
  Currently people can reset their password to zero length. I'm missing 
  the obvious but would appreciate input. Sorry for the long post but 
  wanted to share what i've done so far. 
  
  
  
  Steve

RE: [ActiveDir] Password policy scenerio

[Coleman, Hunter]

Title: Message



Password policies are domain-wide, so you can only have one 
per domain. If you have different requirements within a domain, you'll have to 
settle for voluntary compliance or carve off a separate 
domain.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236

Hunter


From: Steve Schofield [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 31, 2004 6:11 PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Password policy 
scenerio

I have a question on password policy and get 
people's input. From what i read, most people or things I've read 
implement their password policy using the Default Domain Policy or a custom 
policy with this linked to the Top of the domain.There is some 
existing password settings in the Default Domain Policy but these aren't the 
settings I want to apply to my Persons OU. I want to create a custom 
policy with the correct password settings then link to the Persons 
OU. I've went ahead and done this and experiencing un-expected 
results. 

By default the Default Domain Policy is inherited 
on the Persons OU. then i have the custom Password Policy linked to this 
OU. I hate to have to implement the password at the top of the domain 
cause this could cause issues in the domain for other user accounts outside the 
Persons OU. I've created, linked acustom Password Policy 
to the Persons OU. when I do a gpresult, the custom Password policy 
processes after the Default Domain Policy. When I do gpresult, says all 
policies appliedbut the Default Domain Policy was currently setup to allow 
zero length passwords. I want to implement a 6 length minimum but it still 
allows people to have zero-lengthed policy when changing their password on a 
workstation in this domin. I don't want to put the authenticated users (in 
the filtered list of the GPO) in the custom password policy that is linked to 
the Persons OU until I get expected results with a few machines and test 
users. Would I have to , in the filtered list of the custom password 
policy, the userID and machine they are logging into to insure the custom 
password policy is applied. Currently people can reset their password to zero 
length. I'm missing the obvious but would appreciate input. Sorry 
for the long post but wanted to share what i've done so far. 

Steve

Re: [ActiveDir] Password policy scenerio

[Steve Schofield]

Title: Message



Is this the same as Windows 2003 Native 
Domain?

  - Original Message - 
  From: 
  Coleman, 
  Hunter 
  To: '[EMAIL PROTECTED]' 
  
  Sent: Tuesday, August 31, 2004 8:32 
  PM
  Subject: RE: [ActiveDir] Password policy 
  scenerio
  
  Password policies are domain-wide, so you can only have 
  one per domain. If you have different requirements within a domain, you'll 
  have to settle for voluntary compliance or carve off a separate 
  domain.
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q269236
  
  Hunter
  
  
  From: Steve Schofield [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, August 31, 2004 6:11 PMTo: 
  [EMAIL PROTECTED]Subject: [ActiveDir] Password policy 
  scenerio
  
  I have a question on password policy and get 
  people's input. From what i read, most people or things I've read 
  implement their password policy using the Default Domain Policy or a custom 
  policy with this linked to the Top of the domain.There is some 
  existing password settings in the Default Domain Policy but these aren't the 
  settings I want to apply to my Persons OU. I want to create a custom 
  policy with the correct password settings then link to the Persons 
  OU. I've went ahead and done this and experiencing un-expected 
  results. 
  
  By default the Default Domain Policy is inherited 
  on the Persons OU. then i have the custom Password Policy linked to this 
  OU. I hate to have to implement the password at the top of the domain 
  cause this could cause issues in the domain for other user accounts outside 
  the Persons OU. I've created, linked acustom Password 
  Policy to the Persons OU. when I do a gpresult, the custom Password 
  policy processes after the Default Domain Policy. When I do gpresult, 
  says all policies appliedbut the Default Domain Policy was currently 
  setup to allow zero length passwords. I want to implement a 6 length 
  minimum but it still allows people to have zero-lengthed policy when changing 
  their password on a workstation in this domin. I don't want to put the 
  authenticated users (in the filtered list of the GPO) in the custom password 
  policy that is linked to the Persons OU until I get expected results with a 
  few machines and test users. Would I have to , in the filtered list of 
  the custom password policy, the userID and machine they are logging into to 
  insure the custom password policy is applied. Currently people can reset their 
  password to zero length. I'm missing the obvious but would appreciate 
  input. Sorry for the long post but wanted to share what i've done so 
  far. 
  
  Steve

RE: [ActiveDir] Password policy scenerio

[Daniel Gilbert]

Title: Message








Steve,



Creating a password policy and linking it
to an OU will affect local accounts only. So, if I understood your post
correctly, a domain user can have a zero length password, but if they wanted to
create or reset a local account say, on a workstation, they will need to meet
the six character password requirement.



Remember, different password policies for
different users is one of the few reasons to have a separate domain.



Dan











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Tuesday, August 31, 2004
5:11 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password
policy scenerio







I have a question on password policy and get people's
input. From what i read, most people or things I've read implement their
password policy using the Default Domain Policy or a custom policy with this
linked to the Top of the domain.There is some existing password
settings in the Default Domain Policy but these aren't the settings I want to
apply to my Persons OU. I want to create a custom policy with the correct
password settings then link to the Persons OU. I've went ahead and
done this and experiencing un-expected results. 











By default the Default Domain Policy is inherited on the
Persons OU. then i have the custom Password Policy linked to this
OU. I hate to have to implement the password at the top of the domain cause
this could cause issues in the domain for other user accounts outside the
Persons OU. I've created, linked acustom Password
Policy to the Persons OU. when I do a gpresult, the custom Password
policy processes after the Default Domain Policy. When I do gpresult,
says all policies appliedbut the Default Domain Policy was currently
setup to allow zero length passwords. I want to implement a 6 length
minimum but it still allows people to have zero-lengthed policy when changing
their password on a workstation in this domin. I don't want to put the
authenticated users (in the filtered list of the GPO) in the custom password
policy that is linked to the Persons OU until I get expected results with a few
machines and test users. Would I have to , in the filtered list of the
custom password policy, the userID and machine they are logging into to insure
the custom password policy is applied. Currently people can reset their
password to zero length. I'm missing the obvious but would appreciate input.
Sorry for the long post but wanted to share what i've done so far. 











Steve