RE: Windows 2000 password policy

From: Chris Carlson (OTG) (ccarls_at_microsoft.com)
Date: 06/24/03

    Date: Tue, 24 Jun 2003 10:31:36 -0700
    To: "Andre Conde Caselli" <ACaselli@aliancadobrasil.com.br>, "Jim Barrett" <jimb@ins.com>, "hong li" <hong_li_98@yahoo.com>, <focus-ms@securityfocus.com>
    
    

    Jim, I think I understand where you were going with your statement. I just meant to say I don't really agree with the wording, and I want to make sure it is understood how the mechanism works. :-)
     
    Andre, let me include a snip from the support article I included, and I have tested this:
     
    There is an exception to this rule. You can configure another account policy for an organizational unit. The account policy settings for the organizational unit affect the local policy on any computers contained within that organizational unit. For example, if a Windows 2000-based workstation is in an organizational unit named OU1, an administrator could create a Group Policy object for OU1, and specify an account policy that is different from that of the default domain policy. In this case, when a user logs on to the domain, the account policy settings from the default domain policy are in place. When a user logs on locally to the Windows 2000-based workstation, the local account policy as defined by the Group Policy object for OU1 is used.
     
    Thanks,
    -Chris

    ________________________________

    From: Andre Conde Caselli [mailto:ACaselli@aliancadobrasil.com.br]
    Sent: Tue 6/24/2003 8:03 AM
    To: Jim Barrett; Chris Carlson (OTG); hong li; focus-ms@securityfocus.com
    Subject: RES: Windows 2000 password policy

    Hi Chris,

    Password policy is a domain property and can be placed only at Default domain policy or in a new policy at Domain Level.

    Regards

    André Conde Caselli
    Tel. 0xx1138882598
    ------------------------------------------------------
    Corporate communications of Aliança do Brasil

    -----Original Message-----
    From: Jim Barrett [mailto:jimb@ins.com]
    Sent: Tuesday, June 24, 2003 08:59
    To: 'Chris Carlson (OTG)'; 'hong li'; focus-ms@securityfocus.com
    Subject: RE: Windows 2000 password policy

    Okay, I stand corrected on that issue, but realistically I have never seen that sort of thing in the real world. One generally does not make a system part of the domain and then use local accounts to access it.

    One of the first things that I look for on a security audit is local accounts on critical systems. Besides the required administrator account, the only local accounts on a machine should be service accounts required by an application running on that box that for some reason or other cannot use a domain-based system account.

    One could also make the argument that you need local accounts to work on the system should connectivity to the domain controller be severed due to a faulty WAN link. In that instance, since W2K machines cache local credentials, a user can still log onto a system with no connectivity to the domain provided that they have successfully logged on there before. Additionally, if access to the system is critical, then a local DC can provide the necessary fault tolerance.

    Local accounts are much easier to compromise than domain accounts, thus my recommendation is to strictly limit them. As for the necessary administrator account, while password policies can be applied, generally, users will exempt the administrator account from regular password changes, and account lockout cannot be applied to the built-in administrator.

    Jim Barrett, MCSE, CISSA, CISSP, CCNP
    Principal Consultant
    International Network Services
    Boston, MA

    -----Original Message-----
    From: Chris Carlson (OTG) [mailto:ccarls@microsoft.com]
    Sent: Tuesday, June 24, 2003 2:23 AM
    To: Jim Barrett; hong li; focus-ms@securityfocus.com
    Subject: RE: Windows 2000 password policy

    >You will see the options for setting password policy in the OU GPO, but
    >changes there will not affect anything.

    I wouldn't necessarily say that; password policies at the OU level still apply to the local security accounts.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;255550

    -Chris
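The distinction the thread turns on (an OU-linked GPO changes the policy enforced on a member computer's local SAM accounts, while domain accounts get the policy set at the domain level) is easy to verify on a member, and Jim's audit habit of listing local accounts goes with it. The script below is an added example, not code from the thread, from Microsoft, or from the KB article; it assumes Windows PowerShell 5.1 or later on a domain-joined member (Get-LocalUser and Get-LocalGroupMember did not exist on Windows 2000), an elevated session, and English-language `net accounts` output, since the parser keys on the English labels. The function and variable names are the example's own.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ on a
# domain-joined member (Get-LocalUser/Get-LocalGroupMember do not exist on
# Windows 2000), an elevated session, and English-language `net accounts` output.

function Get-NetAccountsPolicy {
    <#
      Parse `net accounts` into a hashtable. Without -Domain this is the policy
      enforced on the computer's local SAM accounts (the policy an OU-linked GPO
      can change); with -Domain it is the policy a domain controller enforces
      for domain accounts (set at the domain level).
    #>
    param([switch]$Domain)
    $lines = if ($Domain) { & net accounts /domain 2>&1 } else { & net accounts 2>&1 }
    if ($LASTEXITCODE -ne 0) {
        throw "net accounts failed (not domain-joined or no DC reachable?): $($lines -join ' ')"
    }
    $policy = @{}
    foreach ($line in $lines) {
        # Lines look like "Minimum password length:      7"
        if ($line -match '^(.+?):\s+(.*)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $policy
}

function Compare-PasswordPolicy {
    # Side-by-side view of the settings the thread argues about.
    $local  = Get-NetAccountsPolicy
    $domain = Get-NetAccountsPolicy -Domain
    $settings = 'Minimum password length',
                'Minimum password age (days)',
                'Maximum password age (days)',
                'Length of password history maintained',
                'Lockout threshold',
                'Lockout duration (minutes)'
    foreach ($s in $settings) {
        [pscustomobject]@{
            Setting  = $s
            LocalSAM = $local[$s]
            Domain   = $domain[$s]
            Differs  = ($local[$s] -ne $domain[$s])
        }
    }
}

function Get-LocalAccountAudit {
    # Jim's audit check: enabled local accounts are governed by the local policy
    # above, not the domain policy, so each one deserves a justification.
    Get-LocalUser | Where-Object { $_.Enabled } |
        Select-Object Name, PasswordRequired, PasswordLastSet, PasswordExpires, LastLogon
}

function Get-LocalAdminMembers {
    # PrincipalSource tells local (SAM) members apart from domain members.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

"== Local SAM policy vs. domain policy =="
Compare-PasswordPolicy | Format-Table -AutoSize
"== Enabled local accounts =="
Get-LocalAccountAudit | Format-Table -AutoSize
"== Members of local Administrators =="
Get-LocalAdminMembers | Format-Table -AutoSize
```

If the first table shows rows with `Differs = True` on a member that sits in an OU with its own account-policy GPO, that is the behaviour the KB excerpt describes: the local column is what a local logon on that box gets, the domain column is what a domain logon gets. `gpresult /scope computer /r` on the same machine lists which GPOs were applied and so which one delivered the local settings.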
