Password GPO
  • Password GPO

    Hi,

    My question is related to setting password policies in the Default Domain Policy. This is for Windows Server 2008 R2. What I plan to do is create the password policy for the Default Domain Policy say on a Monday.
    What effect does this have on the users? For instance, when does the policy get applied to all the users? What if I want to set the policy on a Monday, but over 3 days apply it to the domain users?
    What if some of the users are logged into their computers at the time? Do the users need to log off their computers and get prompted to change their password?
    What effect will this have for remote users who don't log onto the domain, but only check email via OWA.
    I have two users I want to exclude from this password policy. If I just go into the GPO and use Delegation and select 'Deny' for Apply Group Policy', then the GPO should not apply to them?

    Thanks

  • #2
    Re: Password GPO

    Password age will start catching users immediately, other settings (length, complexity) will apply when they next change a password.

    To exclude users, either security filter (note this means you may NOT want to change the Default Domain Policy as this includes other settings) or, since you have 2008R2, investigate "fine grained password policies" ( for more info)

    Security filtering is said to slow down GPO application, so be duly advised!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    • #3
      Re: Password GPO

      Okay, so if I set the maximum password age to 3 days on a Monday, then the users have 3 days before they are required to change the password.

      What about users that are remote and don't log into the domain. They only use OWA. If I change the maximum password age to 3 days on a Monday, will they get prompted to change only using OWA?

      The other scenario is what if users are always logged into their computer. Their PC is locked, when they unlock, will they get prompted to change their password?

      Thanks!

      • #4
        Re: Password GPO

        The password policy is applied to computers, not users. If you set the password age at 3 days, and the reminder message is set to come on the default 14 days prior to expiration, then all users will see the password expiration message the next time they log on, after the GP has applied to that machine. And passwords expire at the hour/minute of the day when it was last set, not at midnight of the day. So a password set at 09:53:30 on 18 Jul, with a 3-day policy, will expire at 09:53:30 on 21 Jul.

        With a policy set for only 3 days, tell your users not to ignore the messages.

        If the hypothetical user logs on that 3rd morning, and the machine keyboard locks at 09:45, when the user comes back at 10:05, he/she won't be able to unlock the keyboard because the password expired while it was locked. They have to come to Admin to sort it out, and of course it's Admin's fault and Admin's crisis. That's a lot of grief for you because they chose not to change their password when the system tells them to. I have been fighting a couple of hard-core users about this one issue for years.

        Can't speak to OWA with real experience, but I believe that credentials are credentials. While those users won't see an interactive password expiration message, they still won't be able to get in once the expiration happens. Best ensure they're notified ahead of time, or have them report in to the office to deal with it interactively.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA
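
An added example, not code from the thread or its posters, working through the expiry arithmetic in the post above: expiry is pwdLastSet plus MaxPasswordAge, to the second, so a password set at 09:53:30 with a 3-day policy expires at 09:53:30 three days later, and the "change password" prompt at logon fires as soon as expiry is inside the warning window (14 days by default). The dates, the account name and the helper function names are constructed for illustration; the AD calls at the end assume the RSAT ActiveDirectory module on Windows Server 2008 R2.

```powershell
# Added example, not code from the thread. Computes when a password expires from
# pwdLastSet and MaxPasswordAge, and whether the logon-time warning fires.
# The dates below are constructed to match the 18 Jul 09:53:30 / 3-day case in the post.

function Get-PasswordExpiryInfo {
    param(
        [Parameter(Mandatory)][datetime]$PwdLastSet,
        [Parameter(Mandatory)][timespan]$MaxPasswordAge,
        # Default for "Interactive logon: Prompt user to change password before expiration"
        [timespan]$WarnBefore = (New-TimeSpan -Days 14),
        [datetime]$Now = (Get-Date)
    )
    # Expiry is pwdLastSet plus the maximum age, to the second; nothing rounds to midnight.
    $expires = $PwdLastSet + $MaxPasswordAge
    [pscustomobject]@{
        PwdLastSet  = $PwdLastSet
        ExpiresAt   = $expires
        CheckedAt   = $Now
        Expired     = ($Now -ge $expires)
        WarnAtLogon = ($Now -lt $expires) -and (($expires - $Now) -le $WarnBefore)
        TimeLeft    = $expires - $Now
    }
}

$lastSet = Get-Date '2011-07-18 09:53:30'   # constructed: password set Monday 09:53:30
$maxAge  = New-TimeSpan -Days 3             # MaxPasswordAge from the Default Domain Policy

# Monday afternoon: with a 3-day age and a 14-day warning window the warning shows at
# the very next logon, because expiry is already inside the window.
Get-PasswordExpiryInfo -PwdLastSet $lastSet -MaxPasswordAge $maxAge -Now (Get-Date '2011-07-18 14:00:00')

# Thursday: user locks the workstation at 09:45 ...
Get-PasswordExpiryInfo -PwdLastSet $lastSet -MaxPasswordAge $maxAge -Now (Get-Date '2011-07-21 09:45:00')
# ... and returns at 10:05; the password expired at 09:53:30 while the screen was locked,
# so the unlock fails and the user needs an admin reset or another way to change it.
Get-PasswordExpiryInfo -PwdLastSet $lastSet -MaxPasswordAge $maxAge -Now (Get-Date '2011-07-21 10:05:00')

# Against a live domain (RSAT ActiveDirectory module), feed the function from AD.
# pwdLastSet is a FILETIME; 0 means "must change password at next logon".
# Use the resultant policy rather than the domain default so a PSO, if one applies, is honoured.
function Get-ADPasswordExpiryInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)   # assumed helper name
    Import-Module ActiveDirectory
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    if ($u.pwdLastSet -eq 0) { return "$SamAccountName must change password at next logon" }
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    if ($policy.MaxPasswordAge -eq [timespan]::Zero) { return "$SamAccountName password never expires (policy)" }
    Get-PasswordExpiryInfo -PwdLastSet ([datetime]::FromFileTime($u.pwdLastSet)) `
                           -MaxPasswordAge $policy.MaxPasswordAge
}
# List everyone expiring within 3 days, e.g. to build the notification e-mail:
# Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} |
#     ForEach-Object { Get-ADPasswordExpiryInfo -SamAccountName $_.SamAccountName } |
#     Where-Object { $_.TimeLeft -le (New-TimeSpan -Days 3) }
```

The commented pipeline at the end is the practical check before a short maximum age goes live: run it on the Monday and you get the list of accounts that will hit expiry before the announcement reaches them, OWA-only users included, since the expiry time is a property of the account and not of any workstation logon.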

        • #5
          Re: Password GPO

          So the password policy applies to computers, not users. okay, understood.
          I appreciate the example. This makes sense now: when I set the password age on Monday for 3 days, what kind of effect this will have, especially on the users that have their PC locked on that 3rd day.
          For OWA users, they won't see a password expiration message, I just need to let them know they can change their password within the 3 days in OWA.
          We're sending an email out today to let all users know about the password policy change.

          Thanks

          • #6
            Re: Password GPO

            IIRC OWA will tell you your password has expired and offer you a chance to change it (but I may well be misremembering and don't have any way of testing just now)
            Tom Jones

            • #7
              Re: Password GPO

              Just a few notes:

              Originally posted by Ossian:
              To exclude users, either security filter (note this means you may NOT want to change the Default Domain Policy as this includes other settings) or, since you have 2008R2, investigate "fine grained password policies" ( for more info)
              Fine-grained password policies are the only way to exclude users if they're AD accounts. Security filtering won't work because the policies are applied to the domain and not the users.

              Originally posted by RicklesP:
              The password policy is applied to computers, not users.
              This is only true for local accounts. If we want to affect AD accounts then the policy needs to be applied to the domain object and affects all AD users unless using FGP. The computer's password policy settings have no bearing on an AD user account's password.

              You guys probably know this but I just wanted to make that clear for theel1997.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com
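
An added example, not code from the thread or its posters, covering the fine-grained password policy route mentioned in post #2 and, in post #7, described as the only way to exclude domain accounts. It creates a Password Settings Object (PSO), applies it to a global security group holding the two exempt users, and then checks which policy each account actually gets. It assumes the RSAT ActiveDirectory module on Windows Server 2008 R2, a domain functional level of Windows Server 2008 or higher (required for PSOs), and the account, group, PSO names and setting values shown, all of which are made up for illustration.

```powershell
# Added example, not code from the thread. Excludes two domain accounts from the
# password settings in the Default Domain Policy by giving them their own PSO.
# Assumptions: RSAT ActiveDirectory module, domain functional level Windows Server 2008
# or higher (needed for PSOs), and the account, group and PSO names used here.
Import-Module ActiveDirectory

$exemptUsers = 'jdoe', 'asmith'                 # the two users to exclude (assumed names)
$groupName   = 'PSO-Exempt-3DayExpiry-Users'    # PSOs apply to users or global security groups only
$psoName     = 'PSO-Exempt-3DayExpiry'

# Why a PSO and not security filtering: the password settings in the domain-linked GPO are
# written to attributes of the domain object itself by the PDC emulator, and the DC enforces
# those attributes for every domain account. Denying "Apply Group Policy" to a user changes
# nothing here. The attributes are visible directly on the domain object:
Get-ADObject -Identity (Get-ADRootDSE).defaultNamingContext `
    -Properties maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties

# 1. Group the exceptions so the exemption is managed by group membership later.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Description 'Members get their password policy from the PSO, not the domain default'
Add-ADGroupMember -Identity $groupName -Members $exemptUsers

# 2. Create the PSO. Every setting must be specified. Precedence decides which PSO wins
#    when a user is covered by several (lower number wins); any PSO overrides the domain default.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -DisplayName $psoName -Description 'Keeps a 90-day maximum age for excluded accounts' `
    -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
    -MinPasswordLength 8 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'

# 3. Apply it to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 4. Verify which policy actually governs each account. Get-ADUserResultantPasswordPolicy
#    returns $null when no PSO applies, meaning the domain default is in force.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)   # assumed helper name
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Source = $pso.Name; MaxPasswordAge = $pso.MaxPasswordAge }
    } else {
        $d = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $SamAccountName; Source = 'Default Domain Policy'; MaxPasswordAge = $d.MaxPasswordAge }
    }
}
# 'bjones' is a constructed non-exempt account; it should report the Default Domain Policy.
'jdoe', 'asmith', 'bjones' | ForEach-Object { Get-EffectivePasswordPolicy -SamAccountName $_ }
```

Step 4 is the check worth keeping around: it answers "which policy applies to this user" from the directory's own point of view, which is what the DC enforces, rather than from whatever GPO filtering the workstation believes it has applied.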
