Default Dom GPO P/W Complexity Not Blocked


    Granted we're quite new to AD, but I thought I had this right.

    We've set the Default Domain Policy to enforce password complexity and length for our single domain. The Default Domain Policy GPO is NOT "Enforced". I have a set of user and service accounts that I need to have exempt from the password settings, so I created an OU called "Exempt" on which I've blocked inheritance. Checking the Group Policy Inheritance tab for the OU "Exempt" in the GPMC confirms no inherited GPOs, and there are no GPOs whatsoever linked to this OU. I've replicated from the DC that holds most of the FSMO roles to the other 2 DCs (we're in mixed mode).

    My problem is that I cannot set a "simple" password (4 characters, all upper case) that doesn't meet the otherwise domain-wide complexity/length settings for a user account in the "Exempt" OU.

    Are the password settings unblockable when set by the Default Domain Policy? Should I not set password complexity in the Default Domain Policy, and instead setup a separate GPO at the domain root for passwords? Would I then be able to block inheritance of the password policy for our "Exempt" OU? At a broader level, assuming it's supposed to be blockable, is blocking the Default Domain Policy a good idea in the first place?

    Thanks in advance, and my apologies if these are really lame questions.

  • #2
    Re: Default Dom GPO P/W Complexity Not Blocked

    You can only set the password policies for domain accounts at the domain level. It cannot be set at any other level. The password policies at any other level will only affect local accounts.
    Check out this thread; it touches on the subject:
    http://forums.petri.com/showthread.php?t=8158&goto=#7
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Default Dom GPO P/W Complexity Not Blocked

      Jeremy, thanks for the quick response.

      I do get that the password policy must be set at the domain level, but can inheritance of that domain-level policy not be blocked at the OU? That's my problem - I need to block the password complexity requirement that otherwise applies to all the accounts in the domain just for a specific OU containing "special" accounts which must have fixed passwords and sometimes short, simple, non-complex passwords.

      It's starting to seem to me that I'll have to set up a 2nd domain, just to have a place to put the accounts that must not be complex or have expirations.



      • #4
        Re: Default Dom GPO P/W Complexity Not Blocked

        Hi phershey.

        All user accounts in an OU and/or the User container are domain accounts and therefore the password policies applied to the domain will affect them. There is no blocking of the password policies for domain accounts. Local accounts are accounts created on member servers and client computers and normal GP processing applies so other GPO password policies will affect these accounts.

        Setting up another domain might be what you have to do but you should also consider how effective your company security policy (referring to a written document) would be in requiring other users to use complex passwords (or whatever guidelines management decides). Keep in mind though, there would be less technical restraints on the passwords and you would have to find other means of ensuring the security policy is followed.
        Regards,
        Jeremy



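As an added illustration (not code from this thread, and not a Microsoft implementation), here is the "Password must meet complexity requirements" rule that the Default Domain Policy switches on, written out in Python from Microsoft's documented description of the setting: at least six characters, characters from at least three of the five categories, and no occurrence of the sAMAccountName (when it is three or more characters) or of any display-name token longer than two characters. Note that the check takes no OU or GPO argument at all: as the replies above say, the domain controller evaluates the domain-wide settings for every domain account, so the 4-character all-uppercase password from the original post fails regardless of which OU the account sits in. The account name, display name and passwords below are constructed for the example.

```python
"""Windows password-complexity check, modelled on the documented rules of the
"Password must meet complexity requirements" policy setting.

Added example; not code from the thread or from Microsoft.  The account
names and candidate passwords used below are constructed.
"""
import re

# Delimiters Windows uses when splitting displayName into tokens:
# space, comma, period, dash/hyphen, underscore, number sign, tab.
_DISPLAY_NAME_DELIMS = re.compile(r"[ ,.\-_#\t]+")


def _display_name_tokens(display_name: str) -> list[str]:
    """Display-name tokens longer than two characters; none of these may
    appear in the password (compared case-insensitively)."""
    return [t for t in _DISPLAY_NAME_DELIMS.split(display_name) if len(t) > 2]


def _category_count(password: str) -> int:
    """How many of the five documented character categories are present:
    uppercase letters, lowercase letters, base-10 digits, non-alphanumeric
    characters, and other Unicode letters (neither upper nor lower case,
    e.g. CJK characters)."""
    categories = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdecimal() for c in password),
        "symbol": any(not c.isalnum() for c in password),
        "other_alpha": any(
            c.isalpha() and not c.isupper() and not c.islower() for c in password
        ),
    }
    return sum(categories.values())


def check_complexity(password: str, sam_account_name: str, display_name: str,
                     min_length: int = 6) -> list[str]:
    """Return the rules the password violates (empty list means it passes).

    min_length is the separate "Minimum password length" policy value; the
    complexity setting itself imposes a floor of six characters, so the
    stricter of the two applies.  There is deliberately no OU parameter:
    for domain accounts these settings come from the domain, full stop.
    """
    failures = []
    required_len = max(min_length, 6)
    if len(password) < required_len:
        failures.append(f"shorter than {required_len} characters")
    if _category_count(password) < 3:
        failures.append("fewer than three of the five character categories")

    lowered = password.lower()
    # sAMAccountName is checked in its entirety, and only if it is at
    # least three characters long.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains the account name")
    for token in _display_name_tokens(display_name):
        if token.lower() in lowered:
            failures.append(f"contains display-name token {token!r}")
    return failures


if __name__ == "__main__":
    # Constructed service account like the ones the original poster wants
    # to exempt; "ABCD" is the 4-character, all-uppercase password in the
    # question.
    for candidate in ("ABCD", "Pa$$w0rd", "svcAs400!2006", "Ct7!kq9w"):
        result = check_complexity(candidate, "svcas400", "AS400 Bridge Service")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The two rules that bite the original poster are length and category count; with complexity enabled there is no value of "Minimum password length" low enough to let a four-character password through, because the complexity setting's own six-character floor still applies.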

        • #5
          Re: Default Dom GPO P/W Complexity Not Blocked

          Jeremy, thanks! This is all caused by a server application that communicates with one of our AS/400 systems that has "issues" using UNCs to get to OS400 shares.

          Is there a registry key that I could modify to cause Windows Server 2003 not to prepend the credentials it passes to the AS/400 with the domain\username or local\username and just simply pass username when it connects to the OS400 shares?



          • #6
            Re: Default Dom GPO P/W Complexity Not Blocked

            I saw you posted this issue in another thread, and I thought that was a good idea because we just made a huge turn in the direction we're headed, plus I have no idea about OS400.

            I will say that I know of no registry mods that will do what you're looking for (doesn't mean they're not out there), but I imagine that doing so would adversely affect your Windows authentication.

            I did a quick google search and there seems to be a client for connecting with the OS400
            http://www.google.com/search?hl=en&r...+AS400&spell=1
            Regards,
            Jeremy




            • #7
              Re: Default Dom GPO P/W Complexity Not Blocked

              to be continued here:
              http://forums.petri.com/showthread.php?t=8732
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"
