GPO for password complexity

  • GPO for password complexity

    Hi all,

    I would like to create a GPO to enforce password complexity for certain users. These users will be able to connect to our network using a VPN connection, and then log on to a terminal server.

    When the user is given access to dial in using vpn, I will use Active Directory to select "User must change password at next log on", so the first time they connect using VPN, they are forced to change the password. I will add these users to a group, then I want to apply a policy for password complexity that will apply to that group.

    I know there is a policy that can be used in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policies

    However, this only applies to Computers, not Users.

    Is there a way to achieve this?

    Thanks

    Nick

  • #2
    Re: GPO for password complexity

    Unless you are using a 2008 domain level, you can only apply password policy in a local policy or at the domain level (so for all).
    Password complexity is a computer policy, so it applies to all users of the computer / domain.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
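
Added example, not part of the thread: at the Windows Server 2008 domain functional level mentioned above, a fine-grained password policy (PSO) can be linked to a global security group. It does not work on a Windows 2003-level domain. The group name, policy name and all policy values are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# and a domain functional level of Windows Server 2008 or higher.
Import-Module ActiveDirectory

$groupName  = 'VPN-Users'       # hypothetical global security group
$policyName = 'PSO-VPN-Users'   # hypothetical policy name

# Fine-grained password policies do not exist below the 2008 functional level.
$tooOld = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
$mode   = (Get-ADDomain).DomainMode.ToString()
if ($tooOld -contains $mode) {
    throw "Domain mode is $mode; only the single domain-level password policy is available."
}

# A PSO can be linked only to users and global security groups, not to OUs.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group to be a PSO subject."
}

# Create the policy once. Lower precedence wins when several PSOs apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group

# Verify: list which policy each user in the group actually resolves to.
# An empty result means the user still falls back to the domain policy.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $effective = if ($rp) { $rp.Name } else { '(domain default)' }
        New-Object PSObject -Property @{
            User            = $_.SamAccountName
            EffectivePolicy = $effective
        }
    }
```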

    • #3
      Re: GPO for password complexity

      What you COULD do as a potential (ly kludgy) workaround is create a LOGOFF Script for those users, that uses dsmod or similar to set "mustchgpwd" every time they log off...
      Please do show your appreciation to those who assist you by leaving Rep Point

      • #4
        Re: GPO for password complexity

        Yeah.. it's either all or not.. a domain password policy has to be placed at the domain level, otherwise it will not work.
        I haven't gotten too intimate with the 2008 domain level so I cannot confirm this has changed with that .. but it works with a 2k3 domain.
        Daniel Frei
        -Windows Operations Server Administrator
        -Exchange Guru
        -Cisco Fanatic
        -SharePoint Hippie
        -Volkswagen Enthusiast

        www.lazynetworkadmin.com

        • #5
          Re: GPO for password complexity

          Hi,

          Thanks for the replies. The domain is W2K3, sorry I forgot to say that.

          Could I apply the GPO at the domain level, and then filter it to apply to only certain users, or only a certain group?

          Nick

          • #6
            Re: GPO for password complexity

            No, it does not get applied to the user, it gets applied to a workstation, and in the case of the domain, the workstation is the domain controller/s. So no..

            The only option you have is, for the users who you don't want to be subject to your policy, to have them change their password now, then set their password to never expire; that way they never have to change it and therefore never have to conform to the policy.
            Daniel Frei
            -Windows Operations Server Administrator
            -Exchange Guru
            -Cisco Fanatic
            -SharePoint Hippie
            -Volkswagen Enthusiast

            www.lazynetworkadmin.com

            • #7
              Re: GPO for password complexity

              I see, thanks for the info.

              Nick

              • #8
                Re: GPO for password complexity

                Yes, it only applies to computers, not to users, but if you want to isolate some users then try to use an OU.

                • #9
                  Re: GPO for password complexity

                  There are 3rd party tools that will do it for you if money is no object.

                  http://www.specopssoft.com/web/speco...rd-policy.aspx
