Re: Basic GPO Question

From: Danny Sanders (Danny.Sanders_at_cpcNOmedSPAM.org)
Date: 09/22/04


Date: Wed, 22 Sep 2004 12:41:05 -0600

Password policies are one to a domain.

> I have created a new Policy which enables Password
> Complexity requirements, and linked that new Policy to
> the OU in AD which contains all of the Users and
> Computers (including the Domain Controller computer) for
> that Regional Office.

Password policies applied at the OU level ONLY take affect when logging on
locally to a computer in that OU.

> We have several geographic regional offices, each with
> their own DC. One of our Regional Offices wants to
> implement Strong Passwords (aka Password Complexity
> Requirements).

In order to use a different password policy at this site, you need to create
a different domain at this site.

The reasoning behind the password policy is that if you have resources in a
domain that are sensitive enough to require the more complex password
policy, you would want ALL accounts in that domain to be more secure, not
just a few. If you were able to apply the complex password policy to a few
users and not the entire domain a hacker would not have to crack the complex
password. They would crack one of the "simple" passwords.

It's kind of like putting a dead bolt, a key lock, and a chain lock on the
front door and only a key lock on the back door of your house. If there is
something in your house worth securing with 3 different locks, it's worth
securing all the doors equally.

hth
DDS W 2k MVP MCSE

"Paul U." <anonymous@discussions.microsoft.com> wrote in message
news:01ff01c4a0cb$1f91ca70$a301280a@phx.gbl...
> I have what I would call a relatively simple task I want
> to accomplich but I can't seem to get it to work for
> whatever reason.
>
> We have several geographic regional offices, each with
> their own DC. One of our Regional Offices wants to
> implement Strong Passwords (aka Password Complexity
> Requirements).
>
> I have created a new Policy which enables Password
> Complexity requirements, and linked that new Policy to
> the OU in AD which contains all of the Users and
> Computers (including the Domain Controller computer) for
> that Regional Office.
>
> When I open the "Local Security Policy" shortcut from
> inside Administrative Tools on the DC of that Regional
> Office, it still indicates that the Password Complexity
> setting is undefined.
>
> Do I need to modify the Default Domain Policy or Default
> Domain Controller Policy to define copmplex password
> requirements or is there another policy I need to create
> upstream?
>
> Any help would be much appreciated!
>
> Thanks - Paul U.



Relevant Pages

  • Re: Reasons and examples for security
    ... Roger Abell ... >> "Use passphrases" (with some details tbd relative to retraints ... >> on length minimum and relationship with complexity policy). ...
    (microsoft.public.security)
  • RE: Problem after setting password complexity
    ... change password after you enable "password must meet complexity ... I suggest you configure the password policy under "domain security ... Password must meet complexity requirements Enabled ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: MU team brews its own, cheaper gas
    ... If you're a decision-maker suffering from these acute symptoms it may be time to ask your doctor about Complexity Science: a nascent, interdisciplinary field exploring the structure, behavior and dynamics of complex systems. ... Catalyst's "Forum on Complexity and Transportation Policy," to be held June 15th at the Cosmos Club in Washington, DC is the second of a four-part series exploring the new public policy insights offered by complexity science. ... Catalyst is pleased to feature two of the most highly esteemed individuals in the field of transportation policy today: Dr. Tom Downs and Dr. Carl Simon. ...
    (sci.fractals)
  • Re: Password must meet complexity requirements
    ... I am getting the complexity message. ... The Default Domain Policy must be linked but not enforced. ... (one of the reasons we suggest you never modify the Default Policies ... replicate and see what happens. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Basic GPO Question
    ... I'm pretty new to this Policy "Stuff" so I want to make ... >> Computers (including the Domain Controller computer) ... One of our Regional Offices wants to ... >> implement Strong Passwords (aka Password Complexity ...
    (microsoft.public.win2000.security)