Domain vs Domain Controller Security Policy

Guest

On a W2K domain, I want to set up password policies. If I enable them in DC
security policy, it doesn't work. It does work through Domain Security policy,
but some users were never forced to change their password as per policy of
60 days.
What could be wrong, and what are the best practices: Domain or Domain
Controller? Do I need to force them? How?
TIA
 
Steven L Umbach

For domain users, password policy can only be set at the domain level, and by
default that would be Domain Security Policy. You can use the command net
accounts on a domain controller to see what the password policy [other than
complexity] is. I would also use the support tool gpotool, run on a domain
controller, to see if all operating domain controllers are found and that it
shows Group Policy has the same version number on each domain controller; if
not, you could have some sort of a replication problem. Also make sure
that the users in question do not have their user accounts set for "password
never expires", as that would exempt them from maximum password age. You can
use the command net user username on a domain controller to quickly find
that out and when the password was last set. The link below is to the
chapter from the Windows 2003 Server Security Guide for domain policy that
you may find helpful, and almost all if not all would apply to W2K
also. --- Steve

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch03.mspx
 
Guest

You can only configure account policies at the Domain level; this is normal.
As for the users whose password has not expired, check their user accounts
in AD to see if the option "Password never expires" has been configured.
This will override the password policy.

You can always force them to change their password by checking the "Change
password at next logon" box in their user account.

Brian Delaney
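
Both replies point at the per-account "Password never expires" setting and the password-last-set date as the things to check. The script below is an added example, not part of the original thread, that runs that check across the whole domain instead of one net user call at a time. It assumes a domain-joined machine with PowerShell 3.0 or later, an account allowed to read user objects, and the 60-day maximum age from the question (confirm the real value with net accounts).

```powershell
# Added example: list enabled accounts that are exempt from, or older than,
# the maximum password age. Read-only LDAP query through ADSI.
# Assumptions: domain-joined machine, caller may read user objects, 60-day policy.
$MaxAgeDays           = 60
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit behind "Password never expires"
$ACCOUNTDISABLE       = 0x2       # userAccountControl bit for a disabled account

$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500          # page results so large domains are not truncated
foreach ($p in 'samaccountname', 'useraccountcontrol', 'pwdlastset') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    if ($uac -band $ACCOUNTDISABLE) { continue }   # disabled accounts cannot log on

    # pwdLastSet is a FILETIME; 0 (or absent) means a change is due at next logon.
    $raw = if ($r.Properties['pwdlastset'].Count) { [int64]$r.Properties['pwdlastset'][0] } else { 0 }
    $lastSet = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { $null }
    $ageDays = if ($lastSet) { [int][math]::Floor(((Get-Date) - $lastSet).TotalDays) } else { $null }

    $finding = if ($uac -band $DONT_EXPIRE_PASSWORD) {
        'Exempt: password never expires'
    } elseif ($raw -eq 0) {
        'Change required at next logon'
    } elseif ($ageDays -gt $MaxAgeDays) {
        'Older than maximum password age'
    } else {
        $null                                      # within policy, not reported
    }

    if ($finding) {
        [pscustomobject]@{
            Account         = [string]$r.Properties['samaccountname'][0]
            PasswordLastSet = $lastSet
            AgeDays         = $ageDays
            Finding         = $finding
        }
    }
}
$results.Dispose()
$report | Sort-Object Finding, AgeDays | Format-Table -AutoSize
```

Service accounts often appear under the "Exempt" finding on purpose, so review that group rather than clearing the flag in bulk.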
 
