local domain password policy

[ABQ_Me]

i cannot find how to set the local domain account password policies. I
thoguht this was possible from the GPC.
I really dont want to go around to 200 machines to do this.

any help is greatly appreciated.

tia

 

[Cary Shultz [A.D. MVP]]

Tia,

This is done in the Domain Security Policy ( Start | Programs |
Administrative Tools | Domain Security Policy ). The password policy is set
at the domain level and there can be one and only one password policy that
will apply to all users in the domain.

However, your post is a bit confusing. Do you mean the domain password or
do you mean the local password policy of each computer ( er, the password
policy for each local account )? If this is the case then all you would
need to do would be to place all of the computer account objects in an OU
( assuming that they are still in the default location - COMPUTERS
container ) and create a password policy linked to that OU. Please remember
that this will not affect any of your domain user account objects, though.
It will affect only those user accounts that are local to the computers....

HTH,

Cary

 

[Jerold Schulman]

i cannot find how to set the local domain account password policies. I
thoguht this was possible from the GPC.
I really dont want to go around to 200 machines to do this.

any help is greatly appreciated.

tia

Default domain policy / Computer Configuration / Windows Settings / Security Settings
PassWord Policy
Account Lockout.

If you mean:
Passwords can be simple, and the administrator account cannot be locked out.
Passwords must be complex, and the administrator account cannot be locked out.
Passwords can be simple, and the administrator account can be locked out.
Passwords must be complex, and the administrator account can be locked out.

see tip 8704 in the 'Tips & Tricks' at http://www.jsiinc.com
( http://www.jsiinc.com/SUBR/tip8700/rh8704.htm )

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com

 

[ABQ_Me]

I meant the local password properties, length, mininum age /maximum age, and
previous passwords.
people are freaking about about haveing to cahnge their passwords, i have
teh defualt domain policy set to 45 days, and have reset it to more, but it
still wants to change them every 45 days.

 

[Cary Shultz [A.D. MVP]]

Tia,

I guess that my question remains open. Are you talking about logging on
locally to the machine ( aka not with the domain user account object ) or
are you talking about logging into the domain ( aka with the domain user
account object )?

There is a huge difference.

I am guessing that you are talking about the domain user account object.
Have you sat down at a computer and entered at the command prompt 'net
accounts' - without the quotes? Does this give you the same info as what
your domain password policy gives you? It should. And the 'new' policy
stuff will not take place until the current policy has run through one
'maximum password age' cycle - so, in 45 days or so the 'new' settings
should take place.

I am not sure that I would care too much about your user community
complaining that they have to change their password every 45 days or so.
And I am not trying to sound harsh and uncaring. Having a stronger password
policy is one of many layers to help protect your environment. And I would
strongly discourage people from writing down their 'new' password on a
sticky note and putting it under their keyboard or on the back of their
monitor or some of the other more obvious places ( well, to be clear - from
doing this at all! ). I would make sure that the minimum age is at least
seven days ( 15 days would be a lot better and 30 days would be great! ) and
that the policy has a password history of at least 10 passwords remembered.

Does this help to clarify things for you?

HTH,

Cary