Re: Domain vs Domain Controller Security Policy
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Mar 2006 11:25:01 -0600
For domain users password policy can only be set at the domain level and by
default that would be Domain Security Policy. You can use the command net
accounts on a domain controller to see what the password policy [other than
complexity] is. I would also use the support tool gptool run on a domain
controller to see if all operating domain controllers are found and it shows
that Group Policy has the same version number on each domain controller and
if not you could have some sort of a replication problem. Also make sure
that the users in question do not have their user accounts set for "password
never expires" as that would exempt them from maximum password age. You can
use the command net user username on a domain controller to quickly find
that out and when the password was last set. The link below is to the
chapter from the Windows 2003 Server Security Guide for domain policy that
you may find helpful and almost all if not all would apply to W2K
so. --- Steve
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch03.mspx
"Sam" <Sam@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6D3AB3E6-DB02-4B4A-8D44-CF2D2DDA5E27@xxxxxxxxxxxxxxxx
On a W2K domain, I want to setup password policies. If I enable them in DC
security policy, it doesn't work. It does work through Domain Security
policy
but some users were never foreced to change their password as per policy
of
60 days.
What could be wrong and what are the best practices Domain or Domain
Controller? Do I need to force them? How?
TIA
.
- Prev by Date: Re: Lost Administrator Password
- Next by Date: Re: How can I remove dead SIDS from my file perms and groups that
- Previous by thread: Re: Lost Administrator Password
- Next by thread: Re: How can I remove dead SIDS from my file perms and groups that
- Index(es):
Relevant Pages
|
|
