Windows 2003 Domain Password Policy


  • Windows 2003 Domain Password Policy

    Ok, so I know I should know this but evidently I don't. Here are two questions:

    1. My Default Domain Policy has a maximum password age setting of 42 days (the default). I can see that this setting is being applied to my servers by viewing gpresults, yet I have user passwords that have been the same since I started at this company 2 years ago. Can anyone tell me what I'm not understanding?

    2. I have an OU where my terminal servers "live". I have a GPO linked to this OU with the "block inheritance" option enabled. The minimum password length is 8 characters and I can see that it is being applied to my terminal servers by viewing gpresults. I thought there could only be one password policy per domain. Can anyone tell me what I'm not understanding?

    Thanks much

  • #2
    Re: Windows 2003 Domain Password Policy

    For 1)
    Are the users set for "password never expires" (in ADUC)? If so, this will beat password policies.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
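
Added example (not part of the original thread or any poster's code): a small Python audit showing why accounts flagged "password never expires" keep old passwords despite the 42-day maximum age from question 1. The account records, names and the evaluation date are constructed sample data; in practice the attributes would come from a directory export.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit that ADUC shows as "Password never expires".
# Equivalent LDAP filter: (userAccountControl:1.2.840.113556.1.4.803:=65536)
UF_DONT_EXPIRE_PASSWD = 0x10000
MAX_PWD_AGE = timedelta(days=42)  # Default Domain Policy value quoted in the thread
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def audit(accounts, now):
    """Map each account name to (status, password age in days)."""
    report = {}
    for acct in accounts:
        if acct["pwdLastSet"] == 0:
            # 0 means "user must change password at next logon"
            report[acct["sAMAccountName"]] = ("must-change", None)
            continue
        age = now - filetime_to_dt(acct["pwdLastSet"])
        if acct["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
            status = "exempt"   # per-account flag overrides maximum password age
        elif age > MAX_PWD_AGE:
            status = "expired"  # policy applies; change forced at next logon
        else:
            status = "ok"
        report[acct["sAMAccountName"]] = (status, age.days)
    return report

# Constructed sample data (hypothetical accounts, fixed evaluation date).
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=730))},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "mlee", "userAccountControl": 0x200,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=60))},
    {"sAMAccountName": "newhire", "userAccountControl": 0x200, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, (status, days) in audit(SAMPLE, NOW).items():
        print(f"{name:12} {status:12} age_days={days}")
```

Accounts reported as "exempt" are the ones to review: the domain policy is applied correctly, but the flag on the account takes them out of its scope.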


    • #3
      Re: Windows 2003 Domain Password Policy

      2) Although the Password Policies settings can be configured at any OU level, the Password Policies in Windows 2000 and Windows 2003 are configured via the Default Domain Policy. But this is set to change in Windows 2008.

      http://technet2.microsoft.com/window....mspx?mfr=true

      MurTuzA
      The Never Ending Loop of User Rights
      START
      Q. Why is Windows so insecure?
      A. Because everyone runs as Administrator.
      Q. Why does everyone run as Administrator (even when they know better)?
      A. Because they don't understand security and are afraid they will be prevented from doing things.
      Q. Why don't they understand security?
      A. Because they run as Administrator, bypassing all security.
      LOOP TO START


      • #4
        Re: Windows 2003 Domain Password Policy

        Originally posted by joeqwerty
        2. I have an OU where my terminal servers "live". I have a GPO linked to this OU with the "block inheritance" option enabled. The minimum password length is 8 characters and I can see that it is being applied to my terminal servers by viewing gpresults. I thought there could only be one password policy per domain. Can anyone tell me what I'm not understanding?

        Thanks much
        You're not understanding that: there can be as many password policies as you like in a domain; BUT the only one which will take effect is the Default Domain Policy. The other policies will apply successfully but will be completely ignored - your users will have the minimum password length specified at the domain level.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you


        • #5
          Re: Windows 2003 Domain Password Policy

          Well, I feel slightly stoopid (LOL). The properties of the user accounts in question do have the password never expires option enabled. I never tested setting a password in my TS OU GPO that conflicts with the Default Domain Policy setting, I'll try that today. Thanks much to all for the insight.


          • #6
            Re: Windows 2003 Domain Password Policy

            Hi joeqwerty,

            If you set any password policy at the OU level, that will get applied to the local users of the computers lying in that OU, not to the domain users in that OU.

            Regards,
            Kapil Sharma
            ~~~~~~~~~~~~~
            Life is too short, Enjoy It.


            • #7
              Re: Windows 2003 Domain Password Policy

              OK. Thanks much for the info.


              • #8
                Re: Windows 2003 Domain Password Policy

                You can use RSOP.MSC (Resultant Set Of Policies) to check which GPO is giving which password policy and which is the "winner".
                TIA

                Steven Teiger [SBS-MVP(2003-2009)]
                http://www.wintra.co.il/
                I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                We don't stop playing because we grow old, we grow old because we stop playing.
