Question regarding Group Policy

Archived from groups: microsoft.public.win2000.group_policy

I am an administrator of a small company, about 7 machines. I have a
Windows 2000 domain. I would like to set up a security policy where
users will have a password of 8 characters in length. The password
should be complex. It should pop up for a change every 40 days. Lockout
after 3 tries. Lockout for 10 minutes.

I think I can make these changes. I don't have any OU in AD currently.
My question is how do I do this. Do I make a new group policy and
apply it (if so, how)?

How can I undo changes in case something goes wrong?
I don't want to be in a situation where I actually lock out the
administrator of the domain. Please advise.

I would like to discuss this with someone knowledgeable in this field.
Please let me know what would be the best time to reach you and, if you
are kind enough, share with me the phone number where you can be reached.

send info at supportj@gmail.com

Thanks,
Jazzman
  1. Archived from groups: microsoft.public.win2000.group_policy

    Password policies should be defined at the domain level; you should create a
    new policy there that contains your password requirements. By default, the
    built-in administrator account cannot be locked out, so you shouldn't have to
    worry about that.
  2. Archived from groups: microsoft.public.win2000.group_policy

    You already have password/account policy defined for your domain users in
    Domain Security Policy. You can modify that to suit your needs. For domain
    users you can only configure password/account policy at the domain level. I
    would however suggest that you set your account lockout threshold to be no
    less than ten bad attempts to minimize the number of accidental lockouts
    while still providing protection for brute password attacks. Account
    lockouts are a double-edged sword in that they can be used as a denial of
    service attack against all but the built-in administrator account. That is
    why many do not use them if they are not required to but instead use
    passwords of sufficient strength to prevent password attacks from succeeding
    before the password is changed again. You could fit into that category with
    password complexity enabled and a minimum password length of eight characters
    within a forty day period if you disable storage of LM hashes on your domain
    controller and other sensitive computers. It is possible to even force much
    longer and more secure passwords if users are trained to use pass phrases
    such as "I forget my stupid password!". The Microsoft Threats and
    Countermeasures Guide goes into detail on this and a whole lot more. It is
    geared to XP Pro/Windows 2003 but much applies also to Windows 2000 and is
    available at the second link below. --- Steve

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656& --
    disable lm hashes
    http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en

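As an added example (not part of either reply): a short Python check that parses the [System Access] section of a security template and compares it with the values discussed in this thread, plus a diff against a saved baseline for rollback review. The `secedit /export /cfg` workflow, the sample template and the function names are assumptions made for the illustration.

```python
import configparser

# Constructed sample: the [System Access] section of a security template as
# exported with `secedit /export /cfg` (assumed workflow, not from the thread).
# Values are the ones the original poster asked for.
PROPOSED_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 40
LockoutBadCount = 3
ResetLockoutCount = 10
LockoutDuration = 10
"""

def load_system_access(text):
    """Parse template text and return [System Access] as {name: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the template's key casing
    cp.read_string(text)
    out = {}
    for name, value in cp["System Access"].items():
        try:
            out[name] = int(value)
        except ValueError:
            pass  # skip non-numeric entries such as account names
    return out

def audit(s):
    """Return findings measured against the values discussed in the thread."""
    findings = []
    if s.get("MinimumPasswordLength", 0) < 8:
        findings.append("MinimumPasswordLength is below 8")
    if s.get("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity is not enabled")
    if not 0 < s.get("MaximumPasswordAge", -1) <= 40:
        findings.append("MaximumPasswordAge does not force a change within 40 days")
    bad = s.get("LockoutBadCount", 0)
    if 0 < bad < 10:
        findings.append(f"LockoutBadCount={bad}: below ten bad attempts, so "
                        "accidental lockouts and lockout-based denial of service are likely")
    return findings

def changed(before, after):
    """Settings that differ between two templates, for review or rollback."""
    keys = sorted(set(before) | set(after))
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}

if __name__ == "__main__":
    for line in audit(load_system_access(PROPOSED_INF)):
        print("FINDING:", line)
```

Exporting the current policy before editing it gives `changed()` a baseline to compare against, which answers the "how can I undo changes" part of the question: the saved values are the ones to restore.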