RE: Group Policy: multiple password policies in the same domain?

From: Depp, Dennis M. (deppdm_at_ornl.gov)
Date: 08/31/05

    Date: Wed, 31 Aug 2005 10:18:18 -0400
    To: Derick Anderson <danderson@vikus.com>, focus-ms@securityfocus.com
    
    

    There can be only one password policy for the domain.

    Dennis

    -----Original Message-----
    From: Derick Anderson [mailto:danderson@vikus.com]
    Sent: Wednesday, August 31, 2005 7:32 AM
    To: focus-ms@securityfocus.com
    Subject: Group Policy: multiple password policies in the same domain?

    I'm trying to lock down some domain "service" accounts (backup,
    Exchange, SQL Server, Scheduled Tasks, etc.) where I work. We're an
    application service provider (web-based) and we have only one domain at
    the moment (sigh), shared by our production servers (big sigh) on the
    same physical network (very big sigh). Our web application must run as a
    domain account (throws up hands in exasperation).

    Splitting the domain into production and non-production is in the works
    but will realistically be at least a couple months away. In the
    meantime I'm trying to enforce stronger passwords for service accounts like
    those I mentioned above but I'm having problems using Group Policy to
    specify that service accounts have a certain password policy while
    regular users have another. I believe the problem is that password
    policies are computer based instead of user based, so I can't specify
    that specific users have one set of password policies while others have
    a different one.

    Would applying the policy to a specific set of computers affect only the
    local accounts on those computers, or the entire domain? My theory is
    that only the password policy on the domain controllers would affect
    domain passwords, but I'd love to hear differently.

    Any help would be appreciated.

    Thanks,

    Derick Anderson
