|
Posted by Timù8¦v+�ºË"¢{&‰Ê貇ír‰ on August 30, 2005, 8:11 am
Please log in for more thread options
Windows 2003 server. One client requires passwords to expire in 90 days, but
now another client requires passwords to expire in 360 days. How can I
support multiple security policies...without dedicating one server to every
client?
|
|
Posted by Miha Pihler [MVP] on August 30, 2005, 5:36 pm
Please log in for more thread options
You can't. There can only be one password policy at the time.
To go further; if this is domain environment, you can only have one password
policy per domain. If you require different policy, then you will have to
e.g. setup two domains inside Active Directory forest.
--
Mike
Microsoft MVP - Windows Security
show/hide quoted text
> Windows 2003 server. One client requires passwords to expire in 90 days,
> but
> now another client requires passwords to expire in 360 days. How can I
> support multiple security policies...without dedicating one server to
> every
> client?
|
|
Posted by Timù8¦v+�ºË"¢{&‰Ê貇ír‰ on August 30, 2005, 10:10 am
Please log in for more thread options The business goal is having groups with different security policies accessing
a single server. Can setting up two domains achieve this goal? Can two
domains co-exist on a single domain controller? Or is it one controller per
user group? Thanks.
"Miha Pihler [MVP]" wrote:
show/hide quoted text
> You can't. There can only be one password policy at the time.
>
> To go further; if this is domain environment, you can only have one password
> policy per domain. If you require different policy, then you will have to
> e.g. setup two domains inside Active Directory forest.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> > Windows 2003 server. One client requires passwords to expire in 90 days,
> > but
> > now another client requires passwords to expire in 360 days. How can I
> > support multiple security policies...without dedicating one server to
> > every
> > client?
>
>
>
|
|
Posted by Miha Pihler [MVP] on August 30, 2005, 7:41 pm
Please log in for more thread options For two domains, you would need at least two domain controllers (one per
domain) which would be at least two servers (or even better four -- two per
domain as recommended by Microsoft).
What you could do is use Virtual Server and install all this on one physical
server (you would save on cost of hardware - but you would still need tow to
four licensees for operating system and license for Virtual Server.
--
Mike
Microsoft MVP - Windows Security
show/hide quoted text
> The business goal is having groups with different security policies
> accessing
> a single server. Can setting up two domains achieve this goal? Can two
> domains co-exist on a single domain controller? Or is it one controller
> per
> user group? Thanks.
> "Miha Pihler [MVP]" wrote:
>> You can't. There can only be one password policy at the time.
>> To go further; if this is domain environment, you can only have one
>> password
>> policy per domain. If you require different policy, then you will have to
>> e.g. setup two domains inside Active Directory forest.
>> --
>> Mike
>> Microsoft MVP - Windows Security
>> > Windows 2003 server. One client requires passwords to expire in 90
>> > days,
>> > but
>> > now another client requires passwords to expire in 360 days. How can I
>> > support multiple security policies...without dedicating one server to
>> > every
>> > client?
>>
|
|
Posted by Roger Abell [MVP] on August 31, 2005, 6:49 am
Please log in for more thread options You need to rethink the value of the defined business requirements.
Each account database allows for only one set of account policies
(password complexity, length, aging, etc.).
So, to have different account policies you must use machine local
accounts (differenct account database per machine), or different
domains. Alternatively, you could consider requiring smart card
login for one class of accounts in one domain, and have all of the
other accounts use the one domain account policy.
If the business need is of sufficient import it may justify the cost.
--
Roger
show/hide quoted text
> Windows 2003 server. One client requires passwords to expire in 90 days,
> but
> now another client requires passwords to expire in 360 days. How can I
> support multiple security policies...without dedicating one server to
> every
> client?
|
| Similar Threads | Posted | | security policies | May 19, 2009, 8:49 am |
| Workstation Security Policies & RSoP | December 14, 2007, 9:08 am |
| Need advice: Security policies for member servers | April 19, 2006, 2:46 pm |
| Account Policies - Windows 2003 Server | July 23, 2007, 8:43 pm |
| What security policies effect tasklist.exe password prompt behavior? | February 29, 2008, 9:29 am |
| Windows Vista Group Policies in a Server 2003 SP1 Domain environment | May 11, 2007, 9:21 am |
| Role-based security from Windows Server 2003 Security Guide gives problems | November 6, 2006, 8:00 am |
| Windows Server Baseline Security - IE security warning | June 5, 2007, 9:35 am |
| Windows server 2003 security. How to protect against 100's of invalid logons to the server?? | August 12, 2005, 5:29 pm |
| policies | September 12, 2005, 9:16 am |
|
XML Sitemap
> but
> now another client requires passwords to expire in 360 days. How can I
> support multiple security policies...without dedicating one server to
> every
> client?