PC Review



2003 Group Policy Default Domain Policy

 
 
EDAWG
      14th Jun 2007
I am getting ready to alter our default domain policy by changing the
password setting from never expires to password expires in 60 days and need
some help. I keep reading conflicting info which states the Domain
Controllers will only process one password policy per domain, while other
people claim you can get around this by altering the order of a 2nd password
policy at the domain level. Without using a 3rd party product like SpecOps
is this possible? Can you have two different password policies per domain?
For instance, one policy for everyone and a 2nd one for your service
accounts, which you could set to never expire. Please explain...

2nd question is regarding the change from never expires to 60 days. If I
turn this on at the domain level, will all my users be prompted to change
their password at 60 days, if they ignore the earlier prompts to change their
password?

If I am being unclear please advise and I will try to explain.

Thanks in advance

erik
 
Florian Frommherz
      14th Jun 2007
Howdie Erik!

EDAWG wrote:
> I am getting ready to alter our default domain policy by changing the
> password setting from never expires to password expires in 60 days and need
> some help. I keep reading conflicting info which states the Domain
> Controllers will only process one password policy per domain, while other
> people claim you can get around this by altering the order of a 2nd password
> policy at the domain level. Without using a 3rd party product like SpecOps
> is this possible? Can you have two different password policies per domain?
> For instance, one policy for everyone and a 2nd one for your service
> accounts, which you could set to never expire. Please explain...


Having two different password policies is not possible with Windows
Server 2003 (by default). You will have to look for a third party
product. In fact, you can have a second policy linked to the domain (at
the same level where the Default Domain Policy is linked) and define
your settings there (that is what you should do! Never alter the Default
Domain Policy - always create a new policy to define your custom
settings there). But by configuring a second policy, your Password
Policy will be the "result" of both those policies.

cheers,

Florian
--
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
 
Harj
      19th Jun 2007
On Jun 14, 2:13 am, Florian Frommherz
<flor...@PLEASELEAVETHISOUT.frickelsoft.net> wrote:
> Howdie Erik!
>
> EDAWG wrote:
> > I am getting ready to alter our default domain policy by changing the
> > password setting from never expires to password expires in 60 days and need
> > some help. I keep reading conflicting info which states the Domain
> > Controllers will only process one password policy per domain, while other
> > people claim you can get around this by altering the order of a 2nd password
> > policy at the domain level. Without using a 3rd party product like SpecOps
> > is this possible? Can you have two different password policies per domain?
> > For instance, one policy for everyone and a 2nd one for your service
> > accounts, which you could set to never expire. Please explain...

>
> Having two different password policies is not possible with Windows
> Server 2003 (by default). You will have to look for a third party
> product. In fact, you can have a second policy linked to the domain (at
> the same level where the Default Domain Policy is linked) and define
> your settings there (that is what you should do! Never alter the Default
> Domain Policy - always create a new policy to define your custom
> settings there). But by configuring a second policy, your Password
> Policy will be the "result" of both those policies.
>
> cheers,
>
> Florian
> --
> eMail: prename [at] frickelsoft [dot] net.
> blog:http://www.frickelsoft.net/blog.


Hi,

Like you have noticed you can only have ONE password policy assigned
throughout the entire domain.
It does not have to be the default domain policy but it has to be a
policy with the highest priority linked at the domain level.

> But by configuring a second policy, your Password Policy will be the "result" of both those policies.


The policies do not "merge", so it is not the result of "both policies".
Only the settings configured in the policy with the highest priority
will be effective.

The password age is calculated by the maximum password age minus the
last time a user has changed their password.
If your users have not changed their passwords in the last 60 days and
you configure a password policy with a maximum age of 60 days, all of
the passwords will expire (minus the ones with password never expires).
If your concern is service accounts, set them to never expire as this
will override the maximum password age setting.
What will take effect on these service accounts is any other setting
that you have put in the password policy WHEN you change the passwords
for these accounts.
So setting up a policy with maximum age of 60 days will expire all
accounts that do not have the password never expires flag set on the
account, but ALL other settings i.e. complexity, history, minimum age
will take effect only on a password reset.

Good Luck

Harj Singh
Password Policy Done Right
www.specopssoft.com
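
The expiry check discussed in the reply above, as an added PowerShell example that is not part of the thread: an account counts as expired once its last password change plus the maximum age lies in the past, unless the "password never expires" bit is set in `userAccountControl`. The function name `Get-PasswordExpiryImpact`, the status labels and the sample accounts are constructed for illustration; the commented `Get-ADUser` line assumes the ActiveDirectory module is available.

```powershell
# Added example: classify accounts by what a new maximum password age would do to them.
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit behind "Password never expires"

function Get-PasswordExpiryImpact {
    param(
        # Any object exposing SamAccountName, pwdLastSet (FILETIME) and userAccountControl
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $MaxAgeDays = 60,
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $expires = $null
        if ($Account.userAccountControl -band $DONT_EXPIRE_PASSWORD) {
            $status = 'Exempt'                    # flag overrides the maximum age
        } elseif ($Account.pwdLastSet -eq 0) {
            $status = 'MustChangeAtNextLogon'     # already forced to change
        } else {
            $expires = [datetime]::FromFileTimeUtc($Account.pwdLastSet).AddDays($MaxAgeDays)
            $status  = if ($expires -le $Now) { 'ExpiredOnEnable' } else { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Status         = $status
            ExpiresUtc     = $expires
        }
    }
}

# Constructed sample accounts (0x200 = normal account, 0x10200 = normal + never expires)
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';      pwdLastSet = $now.AddDays(-90).ToFileTimeUtc();  userAccountControl = 0x200 }
    [pscustomobject]@{ SamAccountName = 'bob';        pwdLastSet = $now.AddDays(-10).ToFileTimeUtc();  userAccountControl = 0x200 }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; pwdLastSet = $now.AddDays(-400).ToFileTimeUtc(); userAccountControl = 0x10200 }
    [pscustomobject]@{ SamAccountName = 'newhire';    pwdLastSet = 0;                                  userAccountControl = 0x200 }
)

$sample | Get-PasswordExpiryImpact -MaxAgeDays 60 -Now $now | Format-Table -AutoSize

# Against a live domain (assumption: ActiveDirectory module installed):
# Get-ADUser -Filter * -Properties pwdLastSet, userAccountControl | Get-PasswordExpiryImpact
```

Accounts reported as `ExpiredOnEnable` are the ones whose users will be prompted as soon as the 60-day setting applies; `Exempt` accounts are worth reviewing to confirm each one is a service account that is meant to carry the flag.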

 