password policy

[Bob]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

is there a way to specify a password policy that affects just
administrators?

if i setup an OU and place all of our domain admin accounts in it, i'd like
to specify that they have strong password enforcement (stronger than our
regular user community) given the nature of the heightened access their
accounts provide.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Use group policy manager and create a policy specific to that new OU with the
Admin accounts in it.

"Bob" wrote:

> is there a way to specify a password policy that affects just
> administrators?
>
> if i setup an OU and place all of our domain admin accounts in it, i'd like
> to specify that they have strong password enforcement (stronger than our
> regular user community) given the nature of the heightened access their
> accounts provide.
>
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

That can not be done via Group/security policy via normal methods. There can
be only one domain password/account policy for domain users and it is
"computer" configuration - not user configuration which would mean your
method would not work even if it was possible to have multiple
password/account policies per domain. There are a couple workarounds. Some
use scripts or custom password filters, neither which I have ever tried..
Custom password filter is something that takes a good programmer to write.
Others have suggested scripts to force users to change their passwords at
next logon on a schedule different than domain policy. I prefer smart cards
as they increase security dramatically and policy can be configured to
require a user account to use a smart card and force logoff when the smart
card is removed. The downside is that they can only use them on computers
that have smart card readers. Smart card readers are relatively inexpensive
these days and the issuance of certificates is not all that difficult. See
the first link below for possible scripts that you can use from the Windows
Script center many which require easy modification to work in your
environment. The Active Directory command line tools such as dsquery and
dsmod could also be used if you have an XP Pro domain member that could be a
secure admin workstation and that you could install adminpak for Windows
2003 on. --- Steve

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/default.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en


"Bob" <someone@somewhere.com> wrote in message
news:%23zAkEPiWFHA.3140@TK2MSFTNGP14.phx.gbl...
> is there a way to specify a password policy that affects just
> administrators?
>
> if i setup an OU and place all of our domain admin accounts in it, i'd
> like to specify that they have strong password enforcement (stronger than
> our regular user community) given the nature of the heightened access
> their accounts provide.
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

But this will not have any affect whatsoever on the domain user account
object Administrator!

What this will do is create a situation where the local user accounts on the
systems located in that OU will be affected. Not really that useful in a
Domain environment.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Chris Wilkins" <ChrisWilkins@discussions.microsoft.com> wrote in message
news:4245EF6A-4C0B-4C81-858D-D779B452509D@microsoft.com...
> Use group policy manager and create a policy specific to that new OU with
> the
> Admin accounts in it.
>
> "Bob" wrote:
>
>> is there a way to specify a password policy that affects just
>> administrators?
>>
>> if i setup an OU and place all of our domain admin accounts in it, i'd
>> like
>> to specify that they have strong password enforcement (stronger than our
>> regular user community) given the nature of the heightened access their
>> accounts provide.
>>
>>
>>
>>