Re: Basic GPO Question

From: Danny Sanders (Danny.Sanders_at_cpcNOmedSPAM.org)
Date: 09/22/04


Date: Wed, 22 Sep 2004 12:41:05 -0600

Password policies are one to a domain.

> I have created a new Policy which enables Password
> Complexity requirements, and linked that new Policy to
> the OU in AD which contains all of the Users and
> Computers (including the Domain Controller computer) for
> that Regional Office.

Password policies applied at the OU level ONLY take effect when logging on
locally to a computer in that OU.

> We have several geographic regional offices, each with
> their own DC. One of our Regional Offices wants to
> implement Strong Passwords (aka Password Complexity
> Requirements).

In order to use a different password policy at this site, you need to create
a different domain at this site.

The reasoning behind the password policy is that if you have resources in a
domain that are sensitive enough to require the more complex password
policy, you would want ALL accounts in that domain to be more secure, not
just a few. If you were able to apply the complex password policy to a few
users and not the entire domain, a hacker would not have to crack the complex
password. They would crack one of the "simple" passwords.

It's kind of like putting a dead bolt, a key lock, and a chain lock on the
front door and only a key lock on the back door of your house. If there is
something in your house worth securing with 3 different locks, it's worth
securing all the doors equally.

hth
DDS W 2k MVP MCSE

"Paul U." <anonymous@discussions.microsoft.com> wrote in message
news:01ff01c4a0cb$1f91ca70$a301280a@phx.gbl...
> I have what I would call a relatively simple task I want
> to accomplish but I can't seem to get it to work for
> whatever reason.
>
> We have several geographic regional offices, each with
> their own DC. One of our Regional Offices wants to
> implement Strong Passwords (aka Password Complexity
> Requirements).
>
> I have created a new Policy which enables Password
> Complexity requirements, and linked that new Policy to
> the OU in AD which contains all of the Users and
> Computers (including the Domain Controller computer) for
> that Regional Office.
>
> When I open the "Local Security Policy" shortcut from
> inside Administrative Tools on the DC of that Regional
> Office, it still indicates that the Password Complexity
> setting is undefined.
>
> Do I need to modify the Default Domain Policy or Default
> Domain Controller Policy to define complex password
> requirements or is there another policy I need to create
> upstream?
>
> Any help would be much appreciated!
>
> Thanks - Paul U.
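
An added example, not part of the original thread: a small audit that follows the rule stated in the reply, reading the `[System Access]` section of each GPO's `GptTmpl.inf` security template and reporting whether its password settings govern domain accounts (link at the domain root) or only local accounts (link below it). The GPO names, distinguished names and template text are constructed sample data, and the input structure is an assumption for illustration.

```python
import configparser

# Password keys stored in the [System Access] section of a GPO's GptTmpl.inf.
PASSWORD_KEYS = ("MinimumPasswordLength", "PasswordComplexity",
                 "PasswordHistorySize", "MaximumPasswordAge")

def password_settings(inf_text):
    """Return the password-policy keys a security template defines."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    section = parser["System Access"]
    return {k: int(section[k]) for k in PASSWORD_KEYS if k in section}

def linked_at_domain_root(link_dn):
    """True when the link target DN starts with DC=, i.e. is the domain itself."""
    return link_dn.strip().upper().startswith("DC=")

def audit(gpos):
    """List (gpo, link_dn, settings, effect) for every link carrying password settings."""
    findings = []
    for gpo in gpos:
        settings = password_settings(gpo["template"])
        if not settings:
            continue
        for dn in gpo["links"]:
            effect = ("domain accounts" if linked_at_domain_root(dn)
                      else "local accounts on computers under this container only")
            findings.append((gpo["name"], dn, settings, effect))
    return findings

def template(complexity, length):
    # Constructed GptTmpl.inf text; real files are UTF-16 and carry more sections.
    return ("[Unicode]\nUnicode=yes\n[System Access]\n"
            f"PasswordComplexity = {complexity}\nMinimumPasswordLength = {length}\n"
            '[Version]\nsignature="$CHICAGO$"\nRevision=1\n')

# Constructed sample: GPO names and distinguished names are placeholders.
SAMPLE_GPOS = [
    {"name": "Default Domain Policy", "links": ["DC=example,DC=com"],
     "template": template(0, 0)},
    {"name": "Regional Office Passwords",
     "links": ["OU=Regional Office,DC=example,DC=com"], "template": template(1, 8)},
]

if __name__ == "__main__":
    for name, dn, settings, effect in audit(SAMPLE_GPOS):
        print(f"{name} -> {dn}: {settings} applies to {effect}")
```

On the sample data the OU-linked policy is reported as affecting local accounts only, which matches the "undefined" complexity setting seen for domain accounts in the question.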