
Password Policy GPO - User or computer?


JVKAdmin

IS-IT--Management
Dec 28, 2001
155
CA
This is probably a straightforward question, but I'm trying to configure a domain password policy for our Windows 2003 domain in Active Directory. Is the password policy user based or computer based (seeing that it is under Computer policy in the GPO template)?

Can it be user based? I'm asking because we do not want certain user accounts to accept the policy, and the rest of our domain users should get the policy (we don't want to do this by computer account).

We do not have any OUs set up, nor do we plan on setting any up.

Any advice would be appreciated.

Thanks

Kevin.
 
You'd be better off setting some OUs up, or you're going to have to filter the policies, and that's going to be a pain.

Pat Richard, MCSE MCSA:Messaging CNA MVP
 
Hi,

When you say filter the policies, what exactly do you mean? By user or computer?

Also, setting up a new domain or purchasing more software is not a viable option for us.

The main thing in the password policy we would want to enforce for regular users is password expiration, # of characters in the password and password complexity.

If we could set the critical accounts not to expire, that might be a good step, but what happens with the complexity rules? If the current critical account password doesn't meet the complexity rules, does the system force that user to change the password?

The critical system accounts can't have their password changed (at least not easily), which is why I originally wanted to be able to just not give specific users access to that new Password Policy GPO, but finding out that it is computer based changes things.

My network has about 75 users or so. Filtering (if it can be done relatively easily) could be done by user but I'd need more info on how to filter properly.

Thanks

Kevin.

 
The password policy can only be set at the Domain level. It is usual to edit the Default Domain Policy Password Policy in the Computer section of the GPO.

Accounts that are set to not expire will not be affected by the policy unless you go and change the password. Then you will be required to meet the complexity settings you have defined.

So you can set the accounts that should not be affected by the policy to not expire (security risk though).

Or you have to create a separate domain and leave the default domain policy at the default settings. The users who need different settings need to have their accounts in this new domain to meet with your requirements.
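
The point made in the last reply, that accounts flagged as non-expiring fall outside the domain-wide expiration rule, can be reviewed with the following added PowerShell example (not posted by anyone in this thread). It decodes the raw `maxPwdAge`, `pwdProperties`, `userAccountControl` and `pwdLastSet` attribute values; the function names, account names, dates and policy values are constructed for illustration.

```powershell
# Added example; the sample records are constructed, not from a real domain.
# On a live domain the policy values are attributes of the domain head object,
# and the exempt accounts match the LDAP filter
#   (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
$DONT_EXPIRE_PASSWORD    = 0x10000   # userAccountControl flag
$DOMAIN_PASSWORD_COMPLEX = 0x1       # pwdProperties flag

function ConvertFrom-DomainPolicy {
    param([int64]$MaxPwdAge, [int]$MinPwdLength, [int]$PwdProperties)
    # maxPwdAge is a negative count of 100 ns intervals; 0 or Int64.MinValue is treated as "never"
    $never = ($MaxPwdAge -eq 0) -or ($MaxPwdAge -eq [int64]::MinValue)
    [pscustomobject]@{
        MaxAgeDays = if ($never) { $null } else { [TimeSpan]::FromTicks(-$MaxPwdAge).TotalDays }
        MinLength  = $MinPwdLength
        Complexity = [bool]($PwdProperties -band $DOMAIN_PASSWORD_COMPLEX)
    }
}

function Get-ExemptAccount {
    param([object[]]$Account, $Policy, [datetime]$Now = [datetime]::UtcNow)
    foreach ($a in $Account) {
        if (-not ($a.userAccountControl -band $DONT_EXPIRE_PASSWORD)) { continue }
        # pwdLastSet is a FILETIME; 0 means never set or "must change at next logon"
        $ageDays = if ($a.pwdLastSet -gt 0) {
            [int]($Now - [datetime]::FromFileTimeUtc($a.pwdLastSet)).TotalDays
        } else { $null }
        [pscustomobject]@{
            Account         = $a.sAMAccountName
            PasswordAgeDays = $ageDays
            OlderThanMaxAge = ($null -ne $Policy.MaxAgeDays) -and ($null -ne $ageDays) -and
                              ($ageDays -gt $Policy.MaxAgeDays)
        }
    }
}

$now    = [datetime]'2006-06-01'    # constructed "current" date so the output is repeatable
$policy = ConvertFrom-DomainPolicy -MaxPwdAge (-42 * 864000000000) -MinPwdLength 7 -PwdProperties 1
$accounts = @(                      # constructed accounts: one service account, one regular user
    [pscustomobject]@{ sAMAccountName = 'svc-backup'; userAccountControl = 0x10200; pwdLastSet = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'jdoe';       userAccountControl = 0x200;   pwdLastSet = $now.AddDays(-10).ToFileTimeUtc() }
)
$policy | Format-List
Get-ExemptAccount -Account $accounts -Policy $policy -Now $now | Format-Table -AutoSize
```

Only `svc-backup` is reported, since it is the one sample account carrying the non-expiring flag; `OlderThanMaxAge` marks exempt accounts whose password is older than the domain maximum.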
 