Re: Windows 2003 domain password policy
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Tue, 26 Sep 2006 19:28:46 -0700
There is only one password policy per domain, always set in a GPO
linked to the domain object.
If you need different policies within one domain you would need to
have a custom Gina in use. For some cases where people do want
different policies, use of required smart card login for the few for
which higher password control was desired can turn out to be a
usable alternative.
Personally, I like to leave the two default GPOs alone, implementing
policy via newly defined GPOs (not necessarily defined for just some
singular purpose). This allows reset of the default GPOs without
concern of that action's impact. The use or not of the default GPOs
to carry custom policy settings is likely, largely a stylistic preference.
"John Smith" <nzsms@xxxxxxxxxxx> wrote in message
news:eJ4hJfd4GHA.3556@xxxxxxxxxxxxxxxxxxxxxxx
Can we have 2 sets of domain password policy? Or we can use Block Policy
Inheritance and Disable No Override option to achieve this.
Any suggestion for best Domain Password Policy pratice? Modify the default
Domain Policy GPO or create a new Password GPO and linked to the root
container?
If we implement a secure password policy now, what may happen to the
existing users? Are they offered a chance to change their password when
they
first log in? How about those laptop mobile VPN users?
.
- References:
- Windows 2003 domain password policy
- From: John Smith
- Windows 2003 domain password policy
- Prev by Date: Windows 2003 domain password policy
- Next by Date: Re: Windows 2003 domain password policy
- Previous by thread: Windows 2003 domain password policy
- Next by thread: Re: Windows 2003 domain password policy
- Index(es):
Relevant Pages
|
|
