Re: domain security policy



Roger, thanks for your detailed info.

Patrick

"Roger Abell [MVP]" wrote:

You could address your requirements completely if you were
running a Windows 2008 domain. With the Windows 2000
domain that you have there is no way to do this.

On a per-account basis you can set some accounts to have their
passwords never expire (which most people do for service
accounts, but which may not be the best of ideas).

The other policies you have mentioned are always applied to
all accounts of the domain and must be set in a GPO linked to
the domain object. When the policies are set in a GPO linked
to an OU, as you outlined/hypothesized, those policies will only
apply for machine local accounts on computers in the OU (they
will have zero impact on domain accounts).

I noticed that you particularly wanted to exempt admins from
the impact of the policies. I will just note that it is precisely
the more powerful accounts that you ought to want forced into
use of better password practices.

Roger

"Patrick" <Patrick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F49EB9FC-BD85-4504-A0A0-E48994398E56@xxxxxxxxxxxxxxxx
Thanks for all your help.

I want to set up a security policy on a Windows 2000 domain environment to
enforce general users to change their password every 3 months and something
like enforce password history, a/c lock out.

I have the following questions:
- Is it applied to all domain users including "Domain Administrator"?
- How can I exclude some users like "Domain Administrator" and some
service a/c from the above settings?
- If I set these policies in a newly created OU level and move general user
computer objects to this OU (not server and DC objects), am I right that the
policy will only apply to these computers?
- What is the best practice to apply these domain security settings?

Thanks for your help.

Patrick




