GPO - Password policy


  • GPO - Password policy

    Hello,

    I have a question about password policy for users.
    I need to force users to use strong passwords for their accounts.

    I have a domain policy set up to use a minimum of 8 characters and to use complex passwords.
    (Computer Configuration - Policies - Windows security - Account policies / Password policy)

    For some computers I have set up another policy which also defines max password age 42 days, password history 6.

    But it doesn't work. The GP was applied 14 days ago, and nobody has had to change his password. In the user account details, all of them have "password never expires" unchecked.
    In the attribute editor I can see that the password is more than one year old.

    What is wrong?

    PS: Why is this policy in computer configuration and not user configuration?
    Thanks

    Caspi

  • #2
    Re: GPO - Password policy

    Unless you have Server 2008 Fine Grained Password Policies, only the domain level policy will apply. All others will be ignored.

    This is by design

    Password policies apply to computers not users, hence the location
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: GPO - Password policy

      So the solution is to use Password Grain Policies. I have Windows 2008, not Windows 2008 R2.

      Active Directory Users and Computers\domain node\System\Password Settings Container is empty.

      So Password Grain Policies are for users and security groups, not for OUs.

      Is this right?
      Thanks

      Caspi



      • #4
        Re: GPO - Password policy

        Thank you for the help
        Thanks

        Caspi



        • #5
          Re: GPO - Password policy

          Yes, you tend to use a security group when defining it, which you make the relevant users members of. Also, check the Domain and Forest functional level is Windows 2008.



          • #6
            Re: GPO - Password policy

            Just a note that Fine Grained Password Policies are a real PITA to implement, involving ADSIEdit and conversion of times into milliseconds (or is it seconds?), so you should ask yourself if you really, really need different policies for different sets of users.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **
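
As an added example (not part of any post in this thread): Active Directory stores password-age intervals such as msDS-MaximumPasswordAge as negative counts of 100-nanosecond ticks, and pwdLastSet as ticks since 1601-01-01 UTC. The Python below does that conversion and flags accounts whose pwdLastSet is older than the effective maximum age (the domain policy or a fine-grained policy, not an OU-linked GPO); the function names and sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000   # AD time attributes count 100-nanosecond ticks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, -2**63)             # stored max-age values meaning "never expires"

def days_to_i8(days):
    """Whole days -> negative tick count, the raw (I8) form of msDS-MaximumPasswordAge."""
    return -days * 86400 * TICKS_PER_SECOND

def i8_to_dhms(i8):
    """Raw interval -> d:hh:mm:ss text."""
    d, rem = divmod(abs(i8) // TICKS_PER_SECOND, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{d}:{h:02}:{m:02}:{s:02}"

def filetime_to_dt(ft):
    """pwdLastSet (ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Timezone-aware datetime -> tick count, used here to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def expired_accounts(accounts, max_age_i8, now):
    """Names whose password must be changed under the effective maximum age.
    accounts: iterable of (name, pwdLastSet, never_expires_flag)."""
    max_age = None if max_age_i8 in NEVER else timedelta(
        seconds=abs(max_age_i8) // TICKS_PER_SECOND)
    hits = []
    for name, pwd_last_set, never_expires in accounts:
        if never_expires:
            continue  # "Password never expires" is ticked on the account
        too_old = max_age is not None and now - filetime_to_dt(pwd_last_set) > max_age
        if pwd_last_set == 0 or too_old:  # 0 = must change at next logon
            hits.append(name)
    return hits

# Constructed sample data (not taken from the thread's domain)
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("alice", dt_to_filetime(NOW - timedelta(days=400)), False),
    ("bob",   dt_to_filetime(NOW - timedelta(days=10)),  False),
    ("svc",   dt_to_filetime(NOW - timedelta(days=500)), True),
    ("carol", 0, False),
]

if __name__ == "__main__":
    print(days_to_i8(42), i8_to_dhms(days_to_i8(42)))
    print(expired_accounts(SAMPLE, days_to_i8(42), NOW))
```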



            • #7
              Re: GPO - Password policy

              Train Signal have a real easy to follow tutorial in their Server 2008 AD Lab. Check out Lesson 15.
              1 1 was a racehorse.
              2 2 was 1 2.
              1 1 1 1 race 1 day,
              2 2 1 1 2
