Password policy vs. "password never expires"

Discussion in 'Microsoft Windows 2000 Active Directory' started by RH, Aug 10, 2004.

  1. RH

    RH Guest

    On a W2K domain, I know I can set password complexity,
    minimum length, expiration, etc. via domain policy. My
    question is which takes precedence: a) domain policy or
    b) the check box on an individual user account
    properties>account next to the "password never expires"?
    If the check box overrides domain policy, what about
    password complexity in the policy? Is that passed down
    to the user requiring complex password that then does not
    expire? TIA. Ron
     
    RH, Aug 10, 2004
    #1

  2. Password never expires takes precedence.

    With this box checked they will still have to abide by the password
    complexity requirements.

    hth
    DDS W 2k MVP MCSE

    "RH" <> wrote in message
    news:35fe01c47ee3$b0366f90$...
    > On a W2K domain, I know I can set password complexity,
    > minimum length, expiration, etc. via domain policy. My
    > question is which takes precedence: a) domain policy or
    > b) the check box on an individual user account
    > properties>account next to the "password never expires"?
    > If the check box overrides domain policy, what about
    > password complexity in the policy? Is that passed down
    > to the user requiring complex password that then does not
    > expire? TIA. Ron
     
    Danny Sanders, Aug 10, 2004
    #2

  3. This is accurate. Having this box checked is one way to get around all of
    the time elements in a password policy. But, as Danny stated, it will not
    help you to avoid having a password that meets with the complexity
    requirements.

    Say, for example, you have implemented a password policy whereby the
    passwords must meet the complexity rule, have a max age of 60 days, a min
    age of 10 days, a minimum length of six characters and a password history of
    12 passwords remembered.

    The CEO - or some other Suit - has a specific password that he uses for
    everything and will not want to have anything else. He goes along with this
    for a while but when it comes time to change the password (after the 60
    days) he has a really hard time. He is not happy about not being able to
    use his granddaughter's name! You finally get this done after holding his
    hand for an hour. He asks you, "Are we going to have to do this again in
    another 60 days?" "Well, yes!", is your response.

    Not exactly! Go to his user account object and check the 'password never
    expires' check box and he can keep the password that he has now until the
    cows come home.

    Is this safe and secure? No! But neither is having people write their user
    name and password on a little yellow sticky and putting it 'someplace safe'.
    This is one of the areas that a lot of uneducated users really complain
    about a lot - and very loudly! However, if you educate them to the importance of
    this they will pipe down! I promise!

    HTH,

    Cary

    "Danny Sanders" <> wrote in message
    news:...
    > Password never expires takes precedence.
    >
    > With this box checked they will still have to abide by the password
    > complexity requirements.
    >
    > hth
    > DDS W 2k MVP MCSE
    >
    > "RH" <> wrote in message
    > news:35fe01c47ee3$b0366f90$...
    > > On a W2K domain, I know I can set password complexity,
    > > minimum length, expiration, etc. via domain policy. My
    > > question is which takes precedence: a) domain policy or
    > > b) the check box on an individual user account
    > > properties>account next to the "password never expires"?
    > > If the check box overrides domain policy, what about
    > > password complexity in the policy? Is that passed down
    > > to the user requiring complex password that then does not
    > > expire? TIA. Ron

    >
    >
     
    Cary Shultz [A.D. MVP], Aug 10, 2004
    #3
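
Added example (not part of the original thread): the check box discussed above is stored as the UF_DONT_EXPIRE_PASSWD bit (0x10000) of each account's userAccountControl attribute, so a directory export can be audited for enabled accounts that are exempt from the maximum password age. The LDIF sample, account names and reference date are constructed; the 60-day maximum age is the one from the example policy in post #3.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account is disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # bit behind the "password never expires" box
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2004, 8, 10, tzinfo=timezone.utc)  # constructed reference date

# Constructed LDIF-style export; every name and value here is made up.
SAMPLE_LDIF = """\
dn: CN=Big Boss,OU=Staff,DC=example,DC=com
sAMAccountName: ceo
userAccountControl: 66048
pwdLastSet: 127173888000000000

dn: CN=Ann Admin,OU=Staff,DC=example,DC=com
sAMAccountName: aadmin
userAccountControl: 512
pwdLastSet: 127173888000000000

dn: CN=Old Service,OU=Svc,DC=example,DC=com
sAMAccountName: svc_old
userAccountControl: 66050
pwdLastSet: 127173888000000000

dn: CN=New Hire,OU=Staff,DC=example,DC=com
sAMAccountName: newhire
userAccountControl: 66048
pwdLastSet: 127357056000000000
"""

def parse_ldif(text):
    """Split a simple LDIF export into one attribute dict per entry."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def audit_never_expires(ldif_text, max_age_days, now):
    """Return (account, password age in days, older than max age?) for each
    enabled account whose never-expires bit exempts it from the max age."""
    findings = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry["userAccountControl"])
        if not uac & UF_DONT_EXPIRE_PASSWD or uac & UF_ACCOUNTDISABLE:
            continue
        # pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC.
        last_set = FILETIME_EPOCH + timedelta(microseconds=int(entry["pwdLastSet"]) // 10)
        age = (now - last_set).days
        findings.append((entry["sAMAccountName"], age, age > max_age_days))
    return findings

if __name__ == "__main__":
    for name, age, overdue in audit_never_expires(SAMPLE_LDIF, 60, NOW):
        print(f"{name}: password is {age} days old, past max age: {overdue}")
```

Accounts without the bit (aadmin) are left to the domain policy, and disabled accounts (svc_old) are skipped, so the report lists only live accounts relying on the exemption.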