Re: Password Policy for remote users

Password never expires can be set account by account and this
does exempt the account from the password aging defined in the
Account policies. You cannot alter the blanket policy for such
as complexity.

As to your smart card question
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=smart+card
I do not mention/recommend products by vendor.

"denilia" <denilia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8338511E-6E34-49FD-88CB-D815588566BB@xxxxxxxxxxxxxxxx
So, a feature "password never expires" wll not work? What about to use
different set of GPO policeis for different users/PC OU?

Where I can find additional Info on smart cards? is there any good Vendors
who supply smart cards?

"Roger Abell [MVP]" wrote:

There is only one password policy per domain or per machine.
If you will notice, the account policies are not in the User branch but
in the Computer branch of policies. When set in a GPO linked to the
domain object this controls how DCs enforce policy for all domain
accounts, and this or the highest priority GPO setting account policies
applied to a member govern how all the member enforces the policies
for all machine local accounts.

So, to accomplish your stated objective you would need to either
use multiple domains, use a custom gina, or perhaps look as having
a subset of account required to use smart card for login.

"denilia" <denilia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3AFA9779-C4A9-40CE-BEDB-658C14CFFBFF@xxxxxxxxxxxxxxxx
Hi experts

I would like to get some clarification and advise. I have 2003 domain
with
30 in office users and 10 remote users (VPN only, OWA, POP3). I'm
trying
to
enforce a Password policy for office users only. What is the best way?

I'm planning to to do the following steps:
1. Edit GPO to inforce password policy at user configuration level.
2. Check "password never expires" in the account property for remote
users
3. Change remote users passowrd to more complex.

Is it secure way to do it? how can I enforce to change password on next
logon?
will remote user password ever expire? I do not want those pepople to
be
effected...
I prefer not to crate a separate OU for remote users because I have AD
structured based on peoples roles.

Thank you






.

Relevant Pages

  • Re: OU group policy and how to use ldapsearch to find GPO settings
    ... The account is a domain account. ... Account Policies effective for all domain accounts. ... Your ldap query is seeing the settings that are in use for the domain. ... If I configure the account lockout policy in the default domain policy, ...
    (microsoft.public.windows.group_policy)
  • Re: Password Policy for remote users
    ... Account policies. ... You cannot alter the blanket policy for such ... the account policies are not in the User branch but ... a subset of account required to use smart card for login. ...
    (microsoft.public.security)
  • Re: Password Policy for remote users
    ... There is only one password policy per domain or per machine. ... accounts, and this or the highest priority GPO setting account policies ... Change remote users passowrd to more complex. ...
    (microsoft.public.security)
  • Re: Password Policy - .net Server
    ... It sounds like you have included the domain linked GPOs. ... Account policies control properties for all domain accounts, ...
    (microsoft.public.win2000.group_policy)
  • Re: Password Policy - .net Server
    ... It sounds like you have included the domain linked GPOs. ... Account policies control properties for all domain accounts, ...
    (microsoft.public.windows.group_policy)