Re: Password Policy for remote users

THank you very much Roger Abell.

"Roger Abell [MVP]" wrote:

Password never expires can be set account by account and this
does exempt the account from the password aging defined in the
Account policies. You cannot alter the blanket policy for such
as complexity.

As to your smart card question
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=smart+card
I do not mention/recommend products by vendor.

"denilia" <denilia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8338511E-6E34-49FD-88CB-D815588566BB@xxxxxxxxxxxxxxxx
So, a feature "password never expires" wll not work? What about to use
different set of GPO policeis for different users/PC OU?

Where I can find additional Info on smart cards? is there any good Vendors
who supply smart cards?

"Roger Abell [MVP]" wrote:

There is only one password policy per domain or per machine.
If you will notice, the account policies are not in the User branch but
in the Computer branch of policies. When set in a GPO linked to the
domain object this controls how DCs enforce policy for all domain
accounts, and this or the highest priority GPO setting account policies
applied to a member govern how all the member enforces the policies
for all machine local accounts.

So, to accomplish your stated objective you would need to either
use multiple domains, use a custom gina, or perhaps look as having
a subset of account required to use smart card for login.

"denilia" <denilia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3AFA9779-C4A9-40CE-BEDB-658C14CFFBFF@xxxxxxxxxxxxxxxx
Hi experts

I would like to get some clarification and advise. I have 2003 domain
with
30 in office users and 10 remote users (VPN only, OWA, POP3). I'm
trying
to
enforce a Password policy for office users only. What is the best way?

I'm planning to to do the following steps:
1. Edit GPO to inforce password policy at user configuration level.
2. Check "password never expires" in the account property for remote
users
3. Change remote users passowrd to more complex.

Is it secure way to do it? how can I enforce to change password on next
logon?
will remote user password ever expire? I do not want those pepople to
be
effected...
I prefer not to crate a separate OU for remote users because I have AD
structured based on peoples roles.

Thank you







.

Relevant Pages

  • Re: Domain Admin account and lockout Policy
    ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
    (microsoft.public.windows.group_policy)
  • Re: Domain Admin account and lockout Policy
    ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
    (microsoft.public.windows.group_policy)
  • Re: Problems testiing GPO for password complexity on OU before changing default domain policy
    ... Account policies are only read at the domain level and you can only have one ... apply to the local machine account policy. ... The complex password policy is applied when I logon to the local machine but not when I logon with a domain user which is a member of the OU and security group within that OU. ...
    (microsoft.public.win2000.active_directory)
  • Re: Security Policy for OU?
    ... domain account the DC authenticates you - not the local SAM. ... applying the policy at a level whereby the domain controllers are not within ... > The account policies for domain users only apply if they are in the ...
    (microsoft.public.windows.server.active_directory)
  • Re: OU group policy and how to use ldapsearch to find GPO settings
    ... The account is a domain account. ... Account Policies effective for all domain accounts. ... Your ldap query is seeing the settings that are in use for the domain. ... If I configure the account lockout policy in the default domain policy, ...
    (microsoft.public.windows.group_policy)