
Windows 2003 domain password policy

Windows 2003 domain password policy John Smith 09-26-2006
Posted by John Smith on September 26, 2006, 9:53 pm
Can we have 2 sets of domain password policy? Or can we use the Block Policy
Inheritance and Disable/No Override options to achieve this?

Any suggestion for best Domain Password Policy practice? Modify the Default
Domain Policy GPO, or create a new Password GPO and link it to the root
container?

If we implement a secure password policy now, what may happen to the
existing users? Are they offered a chance to change their password when they
first log in? How about those laptop mobile VPN users?



Posted by Roger Abell [MVP] on September 26, 2006, 10:28 pm
There is only one password policy per domain, always set in a GPO
linked to the domain object.

If you need different policies within one domain you would need to
have a custom Gina in use. For some cases where people do want
different policies, use of required smart card login for the few for
which higher password control was desired can turn out to be a
usable alternative.

Personally, I like to leave the two default GPOs alone, implementing
policy via newly defined GPOs (not necessarily defined for just some
singular purpose). This allows reset of the default GPOs without
concern of that action's impact. The use or not of the default GPOs
to carry custom policy settings is likely, largely a stylistic preference.

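An added example, not part of Roger's post or of the original thread: the settings the DCs actually enforce are stored as attributes on the domain naming-context head (minPwdLength, pwdHistoryLength, maxPwdAge, pwdProperties and so on). The GPO linked to the domain object is only the mechanism that writes them there, which is why a GPO linked to an OU, with or without Block Policy Inheritance, never changes the password policy. The script below reads those attributes with plain ADSI, so it runs on any domain member, and then lists the accounts that a tighter maximum age would expire immediately (the answer to the "what happens to existing users" question). The 90-day candidate age is an assumption.

```powershell
# Added example (not from the thread). Reads the effective domain password
# policy from the domain NC head, then finds accounts a lower maxPwdAge would
# force to change at their next logon. The 90-day figure is an assumption.

$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

# maxPwdAge, minPwdAge and lockoutDuration are IADsLargeInteger COM objects
# holding a NEGATIVE count of 100-nanosecond intervals.
function ConvertTo-Days {
    param($LargeInteger)
    $t    = $LargeInteger.GetType()
    $high = [int64]$t.InvokeMember('HighPart', 'GetProperty', $null, $LargeInteger, $null)
    $low  = [int64]$t.InvokeMember('LowPart',  'GetProperty', $null, $LargeInteger, $null)
    if ($low -lt 0) { $low += 4294967296 }                 # LowPart comes back as a signed Int32
    $ticks = $high * 4294967296 + $low
    if ($ticks -eq [int64]::MinValue) { return 'never' }   # 0x8000000000000000 = no expiry
    return [math]::Round((-$ticks) / 864000000000, 2)      # 10^7 ticks/s * 86400 s/day
}

$p = $domain.Properties
"minPwdLength       : " + $p['minPwdLength'].Value
"pwdHistoryLength   : " + $p['pwdHistoryLength'].Value
"maxPwdAge (days)   : " + (ConvertTo-Days $p['maxPwdAge'].Value)
"minPwdAge (days)   : " + (ConvertTo-Days $p['minPwdAge'].Value)
"lockoutThreshold   : " + $p['lockoutThreshold'].Value
# pwdProperties bit 0 (DOMAIN_PASSWORD_COMPLEX) is the "must meet complexity" flag
"complexity enabled : " + ((([int]$p['pwdProperties'].Value) -band 1) -eq 1)

# Which enabled users would already be past a candidate maximum age?
$candidateDays = 90                                                  # assumption
$cutoff = (Get-Date).AddDays(-$candidateDays).ToFileTimeUtc()        # same epoch/units as pwdLastSet

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.PageSize = 500
# pwdLastSet=0 already means "change at next logon", so skip it. In
# userAccountControl, 0x10000 = password never expires and 0x2 = disabled;
# the OID is the LDAP bitwise-AND matching rule.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
    "(pwdLastSet>=1)(pwdLastSet<=$cutoff)" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=65536))" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('pwdLastSet')

"`nAccounts whose password would already be expired at maxPwdAge = $candidateDays days:"
foreach ($r in $searcher.FindAll()) {
    $set = [DateTime]::FromFileTimeUtc($r.Properties['pwdlastset'][0])
    "{0,-24} last set {1:yyyy-MM-dd}" -f $r.Properties['samaccountname'][0], $set
}
```

`net accounts /domain` prints the same figures from the PDC emulator and is a quick cross-check. The accounts in the second list are the ones that will be prompted to change their password at their next interactive logon as soon as the new age takes effect; a longer minimum length or complexity requirement, by contrast, only applies when a password is next changed. Test how your VPN client behaves for a user whose password has already expired before lowering the age for the whole domain.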



Posted by ANIXIS on September 26, 2006, 11:26 pm
Windows only supports one domain password policy per domain. Microsoft
includes an API for custom password filters in Windows. This API can do
what you require, but only if you have a good understanding of C,
security concepts and LDAP. You can find the documentation at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/password_filters.asp

There are also several third-party products that can overcome this
limitation without any programming. The one I recommend is Password
Policy Enforcer (disclosure: I work for ANIXIS). It allows you to
assign policies to users, groups, and OUs. See
http://www.anixis.com/products/ppe/features.htm for more information.



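An added example, not from the thread and not any vendor's product: the shape of the password filter DLL the post above refers to, used to enforce two policies inside one domain. The three exported entry points (InitializeChangeNotify, PasswordFilter, PasswordChangeNotify) and the UNICODE_STRING calling convention are the real interface LSASS uses; the policy itself (accounts whose name ends in "-adm" must use 15+ characters from at least three character classes and must not contain the account name, everyone else needs 8+) and the "-adm" suffix are assumptions for illustration. The non-Windows branch supplies minimal stand-in types so the decision logic can be compiled and tested off a domain controller.

```c
/*
 * Added example (not from the thread). Two password policies in one domain via
 * a password filter DLL. The exports are the real LSASS entry points; the
 * privileged-suffix "-adm" rule is a hypothetical policy for illustration.
 *
 * Deployment facts: the DLL is loaded into lsass.exe on every domain controller
 * (install it on all of them), registered in the REG_MULTI_SZ value
 * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, and takes
 * effect after a reboot. It receives the cleartext password, so it must never
 * log or persist it, must not block, and must not crash (a crash in LSASS
 * takes the DC down).
 */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>               /* UNICODE_STRING, NTSTATUS, BOOLEAN */
#define PWFILTER_EXPORT __declspec(dllexport)
#else
/* Stand-ins so the policy logic compiles and can be tested off a DC. */
typedef unsigned short WCHAR, *PWSTR;
typedef unsigned short USHORT;
typedef unsigned long  ULONG;
typedef unsigned char  BOOLEAN;
typedef long           NTSTATUS;
typedef struct _UNICODE_STRING {
    USHORT Length;          /* in BYTES, not characters */
    USHORT MaximumLength;
    PWSTR  Buffer;          /* NOT guaranteed to be NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;
#define TRUE  1
#define FALSE 0
#define NTAPI
#define PWFILTER_EXPORT
#endif
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0)
#endif

enum { BASE_MIN_LEN = 8, PRIV_MIN_LEN = 15, PRIV_MIN_CLASSES = 3 };

/* Hypothetical rule: accounts named "<user>-adm" get the stricter policy. */
static int is_privileged(const WCHAR *name, size_t n)
{
    static const WCHAR suffix[] = { '-', 'a', 'd', 'm' };
    size_t s = sizeof suffix / sizeof suffix[0];
    return n >= s && memcmp(name + n - s, suffix, sizeof suffix) == 0;
}

/* Number of character classes present (ASCII ranges; anything else is "other"). */
static int class_count(const WCHAR *pw, size_t n)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        WCHAR c = pw[i];
        if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other;
}

/* ASCII case-insensitive test for the account name inside the password. */
static int contains_name(const WCHAR *pw, size_t pn, const WCHAR *name, size_t nn)
{
    size_t i, j;
    if (nn == 0 || nn > pn) return 0;
    for (i = 0; i + nn <= pn; i++) {
        for (j = 0; j < nn; j++) {
            WCHAR a = pw[i + j], b = name[j];
            if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
            if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
            if (a != b) break;
        }
        if (j == nn) return 1;
    }
    return 0;
}

/* Core decision, free of Windows types. Lengths are in UTF-16 code units. */
int pwfilter_accept(const WCHAR *name, size_t nn, const WCHAR *pw, size_t pn)
{
    if (is_privileged(name, nn))
        return pn >= PRIV_MIN_LEN && class_count(pw, pn) >= PRIV_MIN_CLASSES
               && !contains_name(pw, pn, name, nn);
    return pn >= BASE_MIN_LEN;
}

/* Convenience wrapper for testing with ASCII input; scrubs its cleartext copy
   (use SecureZeroMemory on Windows so the compiler cannot drop the wipe). */
int pwfilter_accept_ascii(const char *name, const char *pw)
{
    WCHAR wname[64], wpw[256];
    size_t nn = strlen(name), pn = strlen(pw), i;
    int ok;
    if (nn > sizeof wname / sizeof wname[0] || pn > sizeof wpw / sizeof wpw[0]) return 0;
    for (i = 0; i < nn; i++) wname[i] = (WCHAR)(unsigned char)name[i];
    for (i = 0; i < pn; i++) wpw[i] = (WCHAR)(unsigned char)pw[i];
    ok = pwfilter_accept(wname, nn, wpw, pn);
    memset(wpw, 0, sizeof wpw);
    return ok;
}

/* ---- The three exports LSASS resolves by name ---- */
PWFILTER_EXPORT BOOLEAN NTAPI InitializeChangeNotify(void)
{
    return TRUE;    /* returning FALSE makes LSASS ignore this filter */
}

/* Called BEFORE the change is committed; FALSE rejects the new password. */
PWFILTER_EXPORT BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName,
                                             PUNICODE_STRING FullName,
                                             PUNICODE_STRING Password,
                                             BOOLEAN SetOperation)
{
    (void)FullName;
    (void)SetOperation;   /* TRUE = administrative reset, FALSE = user change; same rule here */
    return pwfilter_accept(AccountName->Buffer, AccountName->Length / sizeof(WCHAR),
                           Password->Buffer,    Password->Length / sizeof(WCHAR)) ? TRUE : FALSE;
}

/* Called AFTER the change committed, again with the cleartext password. */
PWFILTER_EXPORT NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName,
                                                    ULONG RelativeId,
                                                    PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return STATUS_SUCCESS;
}
```

Two details bite people writing these for real: Length is a byte count and the Buffer is not NUL-terminated, so every string walk must be bounded by Length / sizeof(WCHAR) as above, and the filter only sees changes processed by a DC it is installed on, so a DC without the DLL silently accepts whatever the GPO policy allows.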


Posted by Roger Abell [MVP] on September 27, 2006, 1:47 am
A small added mention I'll make: with either route, cards
or Gina, a sizable cost and/or effort can come from remaining
one domain-ensional for account differentiations.

Without having account (policy) distinctions aligned on intra-forest
boundaries, forest design for authN must invest in careful coding
work or a capability/convenience/cost analysis of Gina products.
If you are considering going these routes I would strongly advise
you to also review Longhorn server innovations and the obsoleting
of the Gina extension model. Vendor choice via their future design
for support could, after all, make a valid selector criterion. :-)

Roger




Posted by ANIXIS on September 27, 2006, 4:46 am
Roger, what you say is correct for GINA DLLs, but not for password filters.
Password filters should continue to work with Longhorn server unless
Microsoft decides to deprecate the interface. They have not done so
yet, and I don't see why they would, as it doesn't exhibit the same
problems as the GINA interface.



