RE: Group Policy: multiple password policies in the same domain?

From: Kurt Dillard (kurtdill_at_microsoft.com)
Date: 08/31/05

• Previous message: Kurt Dillard: "RE: Active Directory password external use"
• Maybe in reply to: Derick Anderson: "Group Policy: multiple password policies in the same domain?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 31 Aug 2005 10:53:42 -0700
To: "Derick Anderson" <danderson@vikus.com>, <focus-ms@securityfocus.com>

Right now, there can only be 1 password policy for each account
database, so all accounts in the domain will be subject to the domain's
policy. If you define unique policy for OUs those settings will only
affect the local accounts on the servers in scope of that GPO.

Kurt

-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com]
Sent: Wednesday, August 31, 2005 4:32 AM
To: focus-ms@securityfocus.com
Subject: Group Policy: multiple password policies in the same domain?

I'm trying to lock down some domain "service" accounts (backup,
Exchange, SQL Server, Scheduled Tasks, etc.) where I work. We're an
application service provider (web-based) and we have only one domain at
the moment (sigh), shared by our production servers (big sigh) on the
same physical network (very big sigh). Our web application must run as a
domain account (throws up hands in exasperation).

Splitting the domain into production and non-production is in the works
but will realistically be at least a couple months away. In the mean
time I'm trying to enforce stronger passwords for service accounts like
those I mentioned above but I'm having problems using Group Policy to
specify that service accounts have a certain password policy while
regular users have another. I believe the problem is that password
policies are computer based instead of user based, so I can't specify
that specific users have one set of password policies while others have
a different one.

Would applying the policy to a specific set of computers affect only the
local accounts on those computers, or the entire domain? My theory is
that only the password policy on the domain controllers would affect
domain passwords, but I'd love to hear differently.

Any help would be appreciated.

Thanks,

Derick Anderson

------------------------------------------------------------------------

---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------

---

• Previous message: Kurt Dillard: "RE: Active Directory password external use"
• Maybe in reply to: Derick Anderson: "Group Policy: multiple password policies in the same domain?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: Group Policy: multiple password policies in the same domain? ... Subject: Group Policy: multiple password policies in the same ... service accounts, and our company must be SAS70 type-II certified. ... (Focus-Microsoft) Re: Password Policy Basics ... set up a password policy via Group Policy, ... change only the DOMAIN login accounts, not all the local accounts too. ... But what local service accounts do you have? ... For this option NEVER use an Administrator account for service accounts or configuration tasks, create for your service accounts always new accounts without a profile and only the minimum rights for that service and a really strong password, that you have to save on a secure plcae. ... (microsoft.public.windows.group_policy) RE: Group Policy: multiple password policies in the same domain? ... > it under access to the GPO. ... The conflict only happens when both policies ... results in having the policy denied. ... > user accounts it affects be able to read it and have "apply ... (Focus-Microsoft) Re: Password Policy Basics ... but assumed the POLICY would be applied to ALL ... so lcoal machines might start enforcing that policy on ... No, the local accounts are not effected by the domain policy, except you link the policy also to the OU like Florian states. ... I was thinking of service accounts on the servers... ... (microsoft.public.windows.group_policy) RE: Group Policy: multiple password policies in the same domain? ... the policy is just ignored. ... Subject: Group Policy: multiple password policies in the same domain? ... I'm trying to lock down some domain "service" accounts (backup, ... time I'm trying to enforce stronger passwords for service accounts like ... (Focus-Microsoft)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)