Exclude accounts from password policy

Guest

I have a good password policy that forces a minimum of 6 characters for all
users through Active Directory on Windows 2000 (through Domain Security
Policy). However I need to create several very easy passwords of just 1
character for a few generic logins (I plan to restrict the generic logins to
certain machines). How do I exclude certain accounts from my password
policy?
 
Dave Weber

Your best bet is to place them into Organizational Units, and apply a Group
Policy onto that OU that laxes the permissions.

Note: I've never granted looser permissions than what the Domain policy is
via a GP. Don't know if it can be done. However, this is the direction to
go.
 
Danny Sanders

You can't. Account policies are one to a domain.

If the domain has resources important enough to require complex passwords,
having *some* accounts on the domain with simple passwords is just creating
a security hole.

This is a primary reason to have a second (in your case less secure) domain.

hth
DDS W 2k MVP MCSE
 
Danny Sanders

Your best bet is to place them into Organizational Units, and apply a Group
Policy onto that OU that laxes the permissions.


Account policies applied at the OU level will only take effect when logging
on locally to a computer in that OU. Logging on to the domain from a
computer in an OU with a different account policy than the domain, will
result in the domain account policy being applied.

hth
DDS W 2k MVP MCSE
 
Joe Richards [MVP]

Wow, you really don't understand the security model of Windows.

Interactive logon is not the only way to use accounts. People can use
runas/su/cpau to logon to userids and that completely bypasses the workstation
restriction since that only works for interactive logons. They could also do
network connections as well such as net use /user:.

Any generic IDs should actually have far more complex passwords and be changed
more often than normal userids.

And you can't set a special password policy for just a couple of users with the
native system contrary to what Dave Weber indicated. You can pull the password
complexity piece off but it requires a custom password filter.

Again though, you don't want 1 character passwords unless you don't mind
everyone using those accounts.

joe
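
An added example, not part of the thread or any poster's code: the per-account decision a custom password filter, as mentioned in the last reply, could make so that generic logins are held to a stricter rule than the domain's 6-character minimum. It is portable C for the core check only; the account names, the 14-character threshold and the `filter_accepts` helper are assumptions, and a real filter DLL would call this from its exported `PasswordFilter` function after converting the `UNICODE_STRING` arguments.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed account names: the generic logins held to the stricter rule. */
static const char *GENERIC_ACCOUNTS[] = { "kiosk1", "labuser", "frontdesk" };
#define GENERIC_MIN_LEN 14 /* assumed threshold, stricter than the domain's 6 */

/* Case-insensitive compare, since account names are not case-sensitive. */
static int same_name(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b; /* equal only if both strings ended together */
}

/* Is this account on the generic-login list? */
static int is_generic(const char *account) {
    size_t i;
    for (i = 0; i < sizeof GENERIC_ACCOUNTS / sizeof *GENERIC_ACCOUNTS; i++)
        if (same_name(account, GENERIC_ACCOUNTS[i])) return 1;
    return 0;
}

/* Count how many of the four character classes the password uses. */
static int char_classes(const char *pw) {
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other;
}

/* Returns 1 to accept, 0 to reject (same sense as PasswordFilter's BOOLEAN). */
int filter_accepts(const char *account, const char *password) {
    if (account == NULL || password == NULL) return 0;     /* fail closed */
    if (!is_generic(account)) return 1;   /* others: domain policy decides */
    if (strlen(password) < GENERIC_MIN_LEN) return 0;      /* too short */
    if (char_classes(password) < 3) return 0;              /* too uniform */
    return 1;
}
```
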
 
