Click here to get back home

How to have 2 security policies on one server
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
How to have 2 security policies on one server Timù8¦v+ºË"¢{&‰Ê貇ír‰ 08-30-2005
Posted by Timù8¦v+ºË"¢{&‰Ê貇ír‰ on August 30, 2005, 8:11 am
Please log in for more thread options
 Windows 2003 server. One client requires passwords to expire in 90 days, but
now another client requires passwords to expire in 360 days. How can I
support multiple security policies...without dedicating one server to every
client?


Posted by Miha Pihler [MVP] on August 30, 2005, 5:36 pm
Please log in for more thread options
 You can't. There can only be one password policy at the time.

To go further; if this is domain environment, you can only have one password
policy per domain. If you require different policy, then you will have to
e.g. setup two domains inside Active Directory forest.

--
Mike
Microsoft MVP - Windows Security

> Windows 2003 server. One client requires passwords to expire in 90 days,
> but
> now another client requires passwords to expire in 360 days. How can I
> support multiple security policies...without dedicating one server to
> every
> client?




Posted by Timù8¦v+ºË"¢{&‰Ê貇ír‰ on August 30, 2005, 10:10 am
Please log in for more thread options
The business goal is having groups with different security policies accessing
a single server. Can setting up two domains achieve this goal? Can two
domains co-exist on a single domain controller? Or is it one controller per
user group? Thanks.

"Miha Pihler [MVP]" wrote:

> You can't. There can only be one password policy at the time.
>
> To go further; if this is domain environment, you can only have one password
> policy per domain. If you require different policy, then you will have to
> e.g. setup two domains inside Active Directory forest.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> > Windows 2003 server. One client requires passwords to expire in 90 days,
> > but
> > now another client requires passwords to expire in 360 days. How can I
> > support multiple security policies...without dedicating one server to
> > every
> > client?
>
>
>


Posted by Miha Pihler [MVP] on August 30, 2005, 7:41 pm
Please log in for more thread options
For two domains, you would need at least two domain controllers (one per
domain) which would be at least two servers (or even better four -- two per
domain as recommended by Microsoft).

What you could do is use Virtual Server and install all this on one physical
server (you would save on cost of hardware - but you would still need tow to
four licensees for operating system and license for Virtual Server.

--
Mike
Microsoft MVP - Windows Security

> The business goal is having groups with different security policies
> accessing
> a single server. Can setting up two domains achieve this goal? Can two
> domains co-exist on a single domain controller? Or is it one controller
> per
> user group? Thanks.
>
> "Miha Pihler [MVP]" wrote:
>
>> You can't. There can only be one password policy at the time.
>>
>> To go further; if this is domain environment, you can only have one
>> password
>> policy per domain. If you require different policy, then you will have to
>> e.g. setup two domains inside Active Directory forest.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> > Windows 2003 server. One client requires passwords to expire in 90
>> > days,
>> > but
>> > now another client requires passwords to expire in 360 days. How can I
>> > support multiple security policies...without dedicating one server to
>> > every
>> > client?
>>
>>
>>




Posted by Roger Abell [MVP] on August 31, 2005, 6:49 am
Please log in for more thread options
You need to rethink the value of the defined business requirements.

Each account database allows for only one set of account policies
(password complexity, length, aging, etc.).
So, to have different account policies you must use machine local
accounts (differenct account database per machine), or different
domains. Alternatively, you could consider requiring smart card
login for one class of accounts in one domain, and have all of the
other accounts use the one domain account policy.

If the business need is of sufficient import it may justify the cost.
--
Roger

> Windows 2003 server. One client requires passwords to expire in 90 days,
> but
> now another client requires passwords to expire in 360 days. How can I
> support multiple security policies...without dedicating one server to
> every
> client?




Similar ThreadsPosted
Workstation Security Policies & RSoP December 14, 2007, 9:08 am
Need advice: Security policies for member servers April 19, 2006, 2:46 pm
Account Policies - Windows 2003 Server July 23, 2007, 8:43 pm
What security policies effect tasklist.exe password prompt behavior? February 29, 2008, 9:29 am
Windows Vista Group Policies in a Server 2003 SP1 Domain environment May 11, 2007, 9:21 am
Role-based security from Windows Server 2003 Security Guide gives problems November 6, 2006, 8:00 am
Windows Server Baseline Security - IE security warning June 5, 2007, 9:35 am
Windows server 2003 security. How to protect against 100's of invalid logons to the server?? August 12, 2005, 5:29 pm
policies September 12, 2005, 9:16 am
RAS and VPN policies - help March 15, 2007, 10:10 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap