Question regarding Group Policy

Guest

I am an administrator of a small company. About 7 machines. I have a
Windows 2000 domain. I would like to set up a security policy where users
will have a password of 8 characters in length. The password should be
complex. It should pop up for change every 40 days. Lockout after 3 tries.
Lockout for 10 minutes.

I think I can make these changes. I don't have any OU in AD currently.
My question is: how do I do this? Do I make a new group policy and
apply it (if so, how)?

How can I undo changes in case something goes wrong?
I don't want to be in a situation where I actually lock out the
administrator of the domain. Please advise.

I would like to discuss this with someone knowledgeable in this field.
Please let me know what would be the best time to reach you and, if you are
kind enough to share it with me, the phone number you can be reached at.

Send info to (e-mail address removed)

Thanks,
Jazzman
 
Simon Geary

Password policies should be defined at the domain level. You should create a
new policy there that contains your password requirements. By default, the
built-in administrator account cannot be locked out, so you shouldn't have to
worry about that.
 
Steven L Umbach

You already have password/account policy defined for your domain users in
Domain Security Policy. You can modify that to suit your needs. For domain
users you can only configure password/account policy at the domain level. I
would, however, suggest that you set your account lockout threshold to be no
less than ten bad attempts to minimize the number of accidental lockouts
while still providing protection for brute password attacks. Account
lockouts are a double-edged sword in that they can be used as a denial of
service attack against all but the built-in administrator account. That is
why many do not use them if they are not required to, but instead use
passwords of sufficient strength to prevent password attacks from succeeding
before the password is changed again. You could fit into that category with
password complexity enabled and a minimum password length of eight characters
within a forty day period if you disable storage of LM hashes on your domain
controller and other sensitive computers. It is possible to even force much
longer and more secure passwords if users are trained to use pass phrases
such as "I forget my stupid password!". The Microsoft Threats and
Countermeasures Guide goes into detail on this and a whole lot more. It is
geared to XP Pro/Windows 2003 but much applies also to Windows 2000 and is
available at the second link below. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656& -- disable LM hashes
http://www.microsoft.com/downloads/...93-147A-4481-9346-F93A4081EEA8&displaylang=en
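
As an added illustration of the trade-off discussed in the replies above (not part of the original posts): a rough model of how many logon guesses each lockout threshold allows within one 40-day password lifetime, set against the search space of an 8-character complex password with and without an LM hash. The lockout-cycle model, the 10-minute duration applied to both thresholds, and all function names are assumptions made for this example.

```python
import math

PRINTABLE = 95    # printable ASCII characters an NT hash distinguishes
LM_ALPHABET = 69  # LM uppercases first: 95 printable minus 26 lowercase
LM_HALF = 7       # LM hashes two 7-character halves independently
LM_MAX = 14       # at 15+ characters no usable LM hash is stored


def online_guess_budget(threshold, lockout_minutes, max_age_days):
    """Upper bound on logon guesses against one account in one password lifetime.

    Simplified model (assumption): `threshold` guesses are spent, the account
    locks for `lockout_minutes`, and the cycle repeats until the password expires.
    """
    cycles = (max_age_days * 24 * 60) // lockout_minutes
    return threshold * cycles


def nt_keyspace(length, alphabet=PRINTABLE):
    """Candidates of exactly `length` characters for the NT hash."""
    return alphabet ** length


def lm_keyspace(length):
    """Candidates to cover both LM halves, or None when no LM hash applies."""
    if length > LM_MAX:
        return None
    first = min(length, LM_HALF)
    second = length - first
    return LM_ALPHABET ** first + (LM_ALPHABET ** second if second else 0)


def bits(n):
    """Size of a search space expressed in bits, rounded to one decimal."""
    return round(math.log2(n), 1)


if __name__ == "__main__":
    nt, lm = nt_keyspace(8), lm_keyspace(8)
    print(f"8-char complex password: NT {bits(nt)} bits, LM {bits(lm)} bits")
    for threshold in (3, 10):  # asker's value vs. the suggested minimum
        budget = online_guess_budget(threshold, 10, 40)
        print(f"threshold {threshold}: {budget} guesses, {budget / nt:.1e} of NT space")
    phrase = "I forget my stupid password!"  # pass phrase quoted in the thread
    print(f"{len(phrase)}-char pass phrase has LM hash: {lm_keyspace(len(phrase)) is not None}")
```

Either threshold leaves the online guessing budget a negligible fraction of the 8-character space, while a stored LM hash cuts the offline search space by roughly three orders of magnitude.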
 
