RE: Group Policy: multiple password policies in the same domain?

From: Derick Anderson (danderson_at_vikus.com)
Date: 08/31/05

  • Next message: Matthew Farrenkopf: "Re: Active Directory password external use"

    Date: Wed, 31 Aug 2005 10:47:49 -0400
    To: <focus-ms@securityfocus.com>

    > -----Original Message-----
    > From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
    > Sent: Wednesday, August 31, 2005 10:26 AM
    > To: Derick Anderson; focus-ms@securityfocus.com
    > Subject: RE: Group Policy: multiple password policies in the
    > same domain?
    >
    > Domain Wide Password policies cannot be blocked by OU
    > Policies. With that in mind you should look at creating an
    > OU and setting up a GPO with Password Policies there rather
    > than on the top level domain. Drop your service accounts
    > into the OU and they will take on the applied GPO.
    >
    > Because you have no other password policy set on the top
    > level domain name, your "other" users will be unaffected.
    >
    > I believe that should do it. But then again. I haven't
    > tested it or ever implemented it to confirm. Check it out.
    >
    > JMB

    I've tried this and the end result is that the policy is undefined.
    Someone else mentioned that it would only affect local accounts (local
    security policy overridden by Group Policy). Since domain controllers
    have no local accounts, it would make sense (unfortunately for me) that
    whatever password policy the domain controllers were given would
    determine the domain password policy. The service accounts I want to
    harden are domain accounts, not local ones. I can't use local accounts
    because some of them must transfer data from one machine to the other.

    I've tried using Group Policy modeling with security filtering (i.e.,
    apply only to 'service accounts' group), and that is not applied. If I
    add 'Domain Computers' to that list then it applies but conflicts with
    the domain password policy and nothing is set. I don't understand how
    applying it to specific servers will affect domain user accounts but
    that is one thing I have yet to try.

    Also thanks to those people who've mailed me off-list for your replies.

    Derick Anderson
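    The thread's conclusion is that a domain account's password settings come from the one policy applied to the domain controllers, and an OU-level GPO only touches local accounts on the computers in that OU. The following PowerShell is an added example, not code from either poster or from the list; it audits which policy actually governs a set of domain accounts so the gap described above is visible rather than assumed. It assumes the RSAT ActiveDirectory module is installed and that the accounts of interest are members of a group named 'Service Accounts' (a hypothetical name). It goes beyond the 2005 thread in one respect: it also reports fine-grained Password Settings Objects (PSOs), the per-group mechanism that Windows Server 2008 and later domain functional levels added for exactly this problem.

```powershell
# Added example (not from the thread): report which password policy governs
# each member of a group. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: service accounts live in this group (hypothetical name).
$GroupName = 'Service Accounts'

# The single domain-wide policy, i.e. whatever the GPO applied to the
# domain controllers set. OU-level GPOs do not change this for domain users.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.DistinguishedName `
        -Properties PasswordLastSet, PasswordNeverExpires

    # Returns the resultant PSO when a fine-grained policy applies to the
    # user, otherwise nothing: in that case the domain policy governs.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    $effective = if ($pso) { $pso } else { $domainPolicy }

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        GovernedBy           = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
        MinPasswordLength    = $effective.MinPasswordLength
        ComplexityEnabled    = $effective.ComplexityEnabled
        MaxPasswordAgeDays   = $effective.MaxPasswordAge.Days
        LockoutThreshold     = $effective.LockoutThreshold
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
    }
}

$report | Sort-Object GovernedBy, SamAccountName | Format-Table -AutoSize
```

    Accounts listed under 'Default domain policy' are the ones an OU-level GPO cannot tighten; on a domain at the 2008 or later functional level they are candidates for a PSO (New-ADFineGrainedPasswordPolicy plus Add-ADFineGrainedPasswordPolicySubject), and the PasswordNeverExpires column flags accounts that sidestep any maximum-age setting regardless of which policy applies.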


