Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Ken's on the right track.
Although the Account Policies (including password length) is in Computer
Configuration, it applies to user accounts.
a. Account Policies settings in the Default Domain Policy apply all domain
user accounts regardless of which computer they happen to logon to; the
Default Domain Policy is the ONLY place this setting has any affect on
domain user accounts.
b. Account Policies settings in some other GPO, apply to all Local User
Accounts on computers whose computer account is within the scope of that GPO
This is explained in the Help for Security Settings (Group Policy Editor,
right click Computer Configuration\Windows Settings\Security
Settings\Account Policies, select Help, Security Settings\Concepts\Security
Settings Descriptions\Account Policies)
You can not apply a password length policy on a user by user basis.
If you only want some domain user accounts to be able to logon to some
computers, you can remove the Domain Users group from the local Users group
on those computers and add a group that has just the user account you want
to be able to logon. You can do this in a GPO using Restricted Groups -
however, if you aren't careful, you could prevent anyone from logging on at
any computer, so make sure you only apply such a GPO to an OU which has only
the computer accounts you want to apply this to.
Or, you can do as Ken suggested and set the Logon Locally right to include
just the group(s) of users you want to be able to logon. Again, test this
carefully on a few test computers, so you don't shoot yourself in the foot
(e.g. end up preventing Adminstrators from logging on!)
--
Bruce Sanderson MVP
It's perfectly useless to know the right answer to the wrong question.
"Ken B" <none@microsoft.com> wrote in message
news:O2Jcw1hNFHA.3928@TK2MSFTNGP09.phx.gbl...
> First problem is that password policies are set at the domain level. So
> your password policy can be either 4 or 12 characters.
>
> I believe there's a setting in Computer Configuration>Windows Settings>
> Security Settings> Local Policies> User Rights Assignments> Log on locally
>
> If you add the users to that policy, and place the computers in an OU with
> that policy applied, you'll be able to do what you want... but can Lara,
> Steve, Bruce, or Jerold confirm that I have that right?
>
> Ken
>
> "kelmel" <kelmel@discussions.microsoft.com> wrote in message
> news:A353BEEE-9D38-44FA-956C-B7543AEDAAAE@microsoft.com...
>>I have certain computers on my network that I want to restrict who logs
>>on.
>> I have set a group policy that requires a 12 character minimum password
>> length but users who have four characters can still log on. The server
>> is
>> Windows 2000 and the computers are XP. I know that I could go into the
>> user
>> account and set up what computers to log on to but I have close to 1000
>> users
>> and many computers and I want an easier way. Thanks for any help.
>
>
Facebook
Twitter
Instagram