T
Tomasz Onyszko
Elton said:
You can't have more then one policy in one domain
You can't have more then one policy in one domain
E
Elton Seng Yan Thung
Dear expert,
Our organization has just implemented AD 2000 to replace existing NT4.
Due to security awareness, a strengthen password policy is required by our
management.We do not want a group of users to be affected the policy due to
the job function. Understand that block inherent does not block the password
policy. Am I correct?
If would like to have the group of user to have other policy what is the
step should we do?
thanks
Our organization has just implemented AD 2000 to replace existing NT4.
Due to security awareness, a strengthen password policy is required by our
management.We do not want a group of users to be affected the policy due to
the job function. Understand that block inherent does not block the password
policy. Am I correct?
If would like to have the group of user to have other policy what is the
step should we do?
thanks
E
Elton Seng Yan Thung
We don't want the password of the group of use to be changed. Any
alternative way to achive that?
appreciate
alternative way to achive that?
appreciate
T
Tomasz Onyszko
Elton said:
I didn't try this but try to remov right for read and apply from default
domain pollicy for this group
H
Herb Martin
Elton Seng Yan Thung said:
If you set the password BEFORE you create or change the policy
then it will not affect the pre-set password UNTIL it is changed.
Theorectically you could make it "never expires" and get away
with this.
Tomasz is suggesting (trying, not claiming it works) to use
Filtering (permissions) to avoid this but I am pretty sure that
has been tried and doesn't work.
IF it does work, please post it.
--
Herb Martin
Elton Seng Yan Thung said:
T
Tomasz Onyszko
Herb Martin wrote:
pressume that this group as in many other cases are group of managers or
any other important people which don't want to be bothered with change
password dialog. And letting this account be moved outside of scope the
password policy is IMO not good solution. But this is only my
theorethical thinking
.
always try
yes, this is good workaround but not good from the "security" view. I
pressume that this group as in many other cases are group of managers or
any other important people which don't want to be bothered with change
password dialog. And letting this account be moved outside of scope the
password policy is IMO not good solution. But this is only my
theorethical thinking
.Yes, please do that. I also think that this may not work but You can
always try
G
Guest
Since the password policy is not affecting users rather
the domain controller that they log onto, this is
difficult. In recent training, to give a separate group,
separate account policies, the recommended course of
action was to create a separate child domain. The
alternative was to have the users log onto resources
locally and assign a group policy on the OU that these
servers are members of. In otherwords, you could have S1,
S2, and S3 in an OU called resource servers, with a logon
policy set. The policy would apply to the local logons for
these servers. If the users logged onto the domain from
these servers...once again, their Domain account policy
would apply.
JWK
the domain controller that they log onto, this is
difficult. In recent training, to give a separate group,
separate account policies, the recommended course of
action was to create a separate child domain. The
alternative was to have the users log onto resources
locally and assign a group policy on the OU that these
servers are members of. In otherwords, you could have S1,
S2, and S3 in an OU called resource servers, with a logon
policy set. The policy would apply to the local logons for
these servers. If the users logged onto the domain from
these servers...once again, their Domain account policy
would apply.
JWK