Archived from groups: microsoft.public.win2000.group_policy (
More info?)
The password policy is enforced by whatever computer owns the user account.
While it is "users" (people) that are affected, password policy is computer
wide; you can't set it differently for different sets of user accounts
"owned" by the same computer.
In a domain, the password policy is usually (in my experience anyway) in the
Default Domain policy so that it is enforced by all domain member computers
and domain controller computers. For domain user accounts, it is the domain
controllers that "own" the user accounts and thus (the domain controller
computers that) enforce the password policy for the domain (as stated by
James). For local user accounts on domain member computers (servers or
workstations), those computers enforce whatever password policy applies to
them (based on whatever GPOs are linked to or inherited by the OU they are
in), which is normally the one in the Default Domain Policy.
For computers that are not in a domain at all, each individual computer
enforces whatever password policy is in affect on it to user accounts that
it owns (e.g. all local user accounts).
For a Terminal Server, if it is a Domain Member, the Default Domain policy
will (normally) apply to it and thus it will enforce the Default Domain
Policy's password policy (if there is one - which is pretty normal) for it's
local user accounts. If you need to, you could presumably apply a different
password policy to a member (Terminal) Server (for local user accounts that
it "owns"), but I guess I don't understand why one would want to do that.
--
Bruce Sanderson MVP
It is perfectly useless to know the right answer to the wrong question.
"Sunnie" <Sunnie@discussions.microsoft.com> wrote in message
news:00CBAB9D-E7A1-4B03-8595-C8FB2B17C3F5@microsoft.com...
> My question is more on permissions and securities. Do I add users/OU's
> under
> the securities area so that the users are forced to change their
> passwords,
> or do I add computers? Because adding computers makes no sense to me,
> since
> it's actually a password for the user and not the computer. Does my
> confusion make any sense?
>
> "jabrandt@online.microsoft.com" wrote:
>
>> You are correct that the password policy settings are in the computer
>> config
>> portion of Group Policy. This is to ensure that all the domain
>> controllers
>> read the same settings. When the users logon to the terminal server,
>> they
>> user a password that is authenticated by the DC's which will abide by the
>> password policy.
>> If this is a stand alone machine the the TS would take the place of the
>> DC.
>>
>> --
>> James Brandt [MSFT]
>>
>>
>> "Sunnie" <Sunnie@discussions.microsoft.com> wrote in message
>> news:EF317F8D-38D0-47C1-B84E-1BF71B27AF33@microsoft.com...
>> > Good Morning, All ~
>> >
>> > I have a simple question, probably more like a stupid one, but here it
>> > goes.
>> >
Everything I have read states that password policies are on the
>> > computer
>> > side. What do you do if you have between 60 to 80 users connecting to
>> > a
>> > terminal server with thin clients?
>> >
>> > I just don't understand how a password policy can be in effect for
>> > these
>> > users. Your help is greatly appreciated!!
>> >
>> > Sunnie
>>
>>
>>
Facebook
Twitter
Instagram