domain security policy

Patrick

Thanks for all your help.

I want to set up a security policy on a Windows 2000 domain environment to
enforce general users to change their password every 3 months and something
like enforce password history, a/c lock out.

I have the following questions:
- Is it applied to all domain users including "Domain Administrator"?
- How can I exclude some of the users like "Domain Administrator" and some
service a/c from the above setting?
- If I set these policies at a newly created OU level and move general user
computer objects to this OU (not server and DC objects), am I right that the
policy will only apply to these computers?
- What is the best practice to apply these domain security settings?

Thanks for your help.

Patrick
 
Brian Komar (MVP)

Some answers inline.
Patrick said:
Thanks for all your help.

I want to set up a security policy on a Windows 2000 domain environment to
enforce general users to change their password every 3 months and something
like enforce password history, a/c lock out.

I have the following questions:
- Is it applied to all domain users including "Domain Administrator"?

Yes, unless there is a specific account setting override.
- How can I exclude some of the users like "Domain Administrator" and some
service a/c from the above setting?

Yes, for the specific account, you can choose to prevent the requirement to
change passwords. But, if you set up complexity, etc., then it must be
followed.
- If I set these policies at a newly created OU level and move general user
computer objects to this OU (not server and DC objects), am I right that the
policy will only apply to these computers?

Nope. Account policy is domain wide in a Windows 2000 (and 2003) domain. It
applies to *all* users in the domain.
- What is the best practice to apply these domain security settings?

Like you are doing.
 
Patrick

Thanks for your info, Brian,

To prevent the requirement to change passwords,
am I right that I can set it from the "Account" tab of the user properties
in "AD Users and Computers" --> set it to "never expire"?

Thanks again

Patrick
 
Brian Komar (MVP)

Not for the default domain policy.
Think about it: if there is one policy that must be applied to all, that is
it.
This article is more directed at custom GPOs.
Brian
 
Roger Abell [MVP]

You could address your requirements completely if you were
running a Windows 2008 domain. With the Windows 2000
domain that you have there is no way to do this.

On a per-account basis you can set some accounts to have their
passwords never expire (which most people do for service
accounts, but which may not be the best of ideas).

The other policies you have mentioned are always applied to
all accounts of the domain and must be set in a GPO linked to
the domain object. When the policies are set in a GPO linked
to an OU, as you outlined/hypothesized, those policies will only
apply for machine local accounts on computers in the OU (they
will have zero impact on domain accounts).

I noticed that you particularly wanted to exempt admins from
the impact of the policies. I will just note that it is precisely
the more powerful accounts that you ought to want forced into
use of better password practices.

Roger
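
Added example, not part of the thread or any poster's own code: because the only per-account exemption from the domain-wide policy is a flag on the account itself, an audit can list which accounts carry it. The sketch below decodes `userAccountControl` from an LDIF export (for instance one written by `ldifde`); the sample records, the `example.local` names and the assumption that the export includes `adminCount` are constructed for illustration.

```python
UAC_FLAGS = {  # userAccountControl bits that bear on password policy
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x10000: "DONT_EXPIRE_PASSWD",
}

# Constructed sample export (not real accounts).
SAMPLE_LDIF = """\
dn: CN=svc-backup,OU=Service,DC=example,DC=local
sAMAccountName: svc-backup
userAccountControl: 66080

dn: CN=Administrator,CN=Users,DC=example,DC=local
sAMAccountName: Administrator
userAccountControl: 66048
adminCount: 1

dn: CN=jsmith,OU=Staff,DC=example,DC=local
sAMAccountName: jsmith
userAccountControl: 512
"""

def parse_ldif(text):
    # Yield one dict per record; LDIF folds long lines onto a leading space.
    record, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:       # folded continuation
            record[last] += line[1:]
        elif not line.strip():                   # blank line ends a record
            if record:
                yield record
            record, last = {}, None
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            record[last] = value.strip()
    if record:
        yield record

def audit(text):
    # Return (account, flags, privileged) for accounts exempt from the policy.
    findings = []
    for rec in parse_ldif(text):
        uac = int(rec.get("useraccountcontrol", "0"))
        flags = [name for bit, name in UAC_FLAGS.items() if uac & bit]
        if "DONT_EXPIRE_PASSWD" in flags or "PASSWD_NOTREQD" in flags:
            findings.append((rec.get("samaccountname", rec.get("dn", "?")),
                             flags, rec.get("admincount") == "1"))
    return findings
```

Accounts reported with the privileged marker set are the ones Roger's last paragraph is about: exempt from expiry and also administrative.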
 
Patrick

Roger, thanks for your detailed info

Patrick

Roger Abell said:
You could address your requirements completely if you were
running a Windows 2008 domain. With the Windows 2000
domain that you have there is no way to do this.

On a per-account basis you can set some accounts to have their
passwords never expire (which most people do for service
accounts, but which may not be the best of ideas).

The other policies you have mentioned are always applied to
all accounts of the domain and must be set in a GPO linked to
the domain object. When the policies are set in a GPO linked
to an OU, as you outlined/hypothesized, those policies will only
apply for machine local accounts on computers in the OU (they
will have zero impact on domain accounts).

I noticed that you particularly wanted to exempt admins from
the impact of the policies. I will just note that it is precisely
the more powerful accounts that you ought to want forced into
use of better password practices.

Roger
 
