SAM vs. AD User Accounts


  • SAM vs. AD User Accounts

    Hello All.
    Our W2K AD domain runs in Mixed Mode. Group Policies seem to slow down the logon process considerably, so we would like to use them only occasionally. Also, we would like to enforce password expiration/complexity rules not only for W2K but also for W9X clients.
    Can the following tools be used to modify/control user accounts:
    A) Enforce Domain Policies (such as password age) from NT4 User Manager for Domains?
    B) NET * commands. For example, use
    net accounts /minpwage:7 /maxpwage:30 /domain

    And, in broader terms: Account policies, including password policies, are applied to the Active Directory, which resides on the DCs. Do the above-mentioned tools access and modify the AD, or do they modify the Domain's SAM? And if it is the SAM, how does this info then get synchronized with the AD?

    Thank you very much
    Igor Tokman

  • #2
    Password aging and complexity are defined in the Default Domain Policy and apply to all objects in AD, hence they apply to all clients capable of receiving GPOs (W2K and up). This means that the policy also affects local user accounts (those in the computer SAM).

    Because only DCs contain AD user accounts, the password complexity of AD accounts can be actually defined only on the "Domain Controllers" container. This means that you can define GP only on DCs container to enforce the AD accounts complexity and aging.

    BTW, in your place I would be reviewing your AD design to see why GPOs slow down the logon process.
    Are the DCs and clients separated by slow links?
    Is your DNS configured correctly ?
    How often is the Group Policy refreshed ?
    Do you enforce GP refresh at logon even if no changes have been done to GPO ?

    As for legacy 9X clients, the only way is to use Policy Editor or 3rd party tools.

    NET * commands will work as long as what you want to do does not collide with GPO settings. You can't override GPO with NET * commands.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
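    The "NET can't override GPO" point above can be checked rather than taken on faith. The following is an added example, not code from this thread or from either poster: it parses the [System Access] section of the Default Domain Policy's security template (GptTmpl.inf under SYSVOL; {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of that GPO) and the output of NET ACCOUNTS /DOMAIN, and reports which values differ. A NET value that differs from the template is a change the security settings engine will overwrite the next time it reapplies the domain policy, and PasswordComplexity appears only on the GPO side because NET ACCOUNTS has no switch for it. The function names, the NET output labels (as printed by current Windows builds) and the regexes are assumptions of this example; the sample inputs at the bottom are constructed, not captured from a real domain.

```powershell
# Added example (not from the thread). Compares the domain account policy that
# Group Policy enforces (the [System Access] section of the Default Domain
# Policy's GptTmpl.inf) with what NET ACCOUNTS /DOMAIN reports.

# Parse the [System Access] section of a GptTmpl.inf into a hashtable.
function Get-GptSystemAccess {
    param([string[]]$Lines)
    $inSection = $false
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# Parse "label:   value" lines of NET ACCOUNTS output into a hashtable.
function Get-NetAccountsTable {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(.+?):\s{2,}(\S.*?)\s*$') {
            $result[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $result
}

# GptTmpl.inf writes -1 for "never expires" and 0 for "no history" / "no
# lockout"; NET prints Unlimited / None / Never for the same states.
function Convert-NetValue {
    param([string]$Value)
    switch ($Value) {
        'Unlimited' { return '-1' }
        'None'      { return '0' }
        'Never'     { return '0' }
        default     { return $Value }
    }
}

function Compare-DomainPasswordPolicy {
    param([string[]]$GptLines, [string[]]$NetLines)
    $gpo = Get-GptSystemAccess -Lines $GptLines
    $net = Get-NetAccountsTable -Lines $NetLines
    # GptTmpl.inf key -> NET ACCOUNTS label (assumed labels of current builds)
    $map = [ordered]@{
        MinimumPasswordAge    = 'Minimum password age (days)'
        MaximumPasswordAge    = 'Maximum password age (days)'
        MinimumPasswordLength = 'Minimum password length'
        PasswordHistorySize   = 'Length of password history maintained'
        LockoutBadCount       = 'Lockout threshold'
    }
    foreach ($key in $map.Keys) {
        $gpoValue = $gpo[$key]
        $netValue = Convert-NetValue $net[$map[$key]]
        $status = 'in sync'
        if ($gpoValue -ne $netValue) { $status = 'NET differs; GPO will overwrite' }
        [pscustomobject]@{ Setting = $key; GPO = $gpoValue; NET = $netValue; Status = $status }
    }
    # Complexity can only come from the GPO; NET ACCOUNTS cannot set or show it.
    [pscustomobject]@{ Setting = 'PasswordComplexity'; GPO = $gpo['PasswordComplexity']; NET = 'n/a'; Status = 'GPO only' }
}

# Constructed sample input (not captured from a real domain). For live data use:
#   $gpt = Get-Content "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
#   $net = net accounts /domain
$sampleGpt = @(
    '[Unicode]',
    'Unicode=yes',
    '[System Access]',
    'MinimumPasswordAge = 1',
    'MaximumPasswordAge = 42',
    'MinimumPasswordLength = 7',
    'PasswordComplexity = 1',
    'PasswordHistorySize = 24',
    'LockoutBadCount = 0',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1'
)
# Shape of NET ACCOUNTS output after someone ran the command from the question,
# "net accounts /minpwage:7 /maxpwage:30 /domain", against a GPO that says 1/42.
$sampleNet = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          7',
    'Maximum password age (days):                          30',
    'Minimum password length:                              7',
    'Length of password history maintained:                24',
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30',
    'Computer role:                                        PRIMARY',
    'The command completed successfully.'
)
Compare-DomainPasswordPolicy -GptLines $sampleGpt -NetLines $sampleNet | Format-Table -AutoSize
```

    With the constructed input, MinimumPasswordAge (1 vs 7) and MaximumPasswordAge (42 vs 30) are flagged as NET values that the GPO will overwrite, the other three settings are in sync, and PasswordComplexity is listed as GPO-only. Run on a domain member with read access to SYSVOL, the two commented-out lines replace the samples with the real template and the real NET ACCOUNTS output.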


    • #3
      Thank you Antid0t.