Different Password age

  • Thread starter: Jim

Jim

Hi,

Wonder if it is possible to set a different password age for different groups,
i.e. 30 days for Finance grp users and 90 days for Marketing grp users.

Thanks
Jimmy
 
Hi Jim,

No, this is not possible. You can only set the password policy at the domain
level (one domain = one password policy).

So if you have users in the Finance department, they would need to be in a
different domain than users from the Marketing department.
 
Thanks, Mike, for the prompt response.

Assume that the grouping is small.

Could we set it in the local policy on individual PCs? Or will the Domain policy
take precedence?

Rgds
Jim
 
Domain policy will take precedence since user accounts are stored in the domain
(on domain controllers).

Local policy will only have influence on local accounts -- which users in most
cases should not be using.

If you think about it logically, it doesn't make sense to have different
policies inside the same domain. As an attacker I only have to figure out which
users have the least restricted accounts and then "guess" their passwords. Now I
have access to the whole domain and I don't have to bother with any other users
that might have strong passwords (I already have access to the domain).
 
Thanks, Mike, for your clarification.

Miha Pihler said:
Domain policy will take precedence since user accounts are stored in the domain
(on domain controllers).

Local policy will only have influence on local accounts -- which users in most
cases should not be using.

If you think about it logically, it doesn't make sense to have different
policies inside the same domain. As an attacker I only have to figure out which
users have the least restricted accounts and then "guess" their passwords. Now I
have access to the whole domain and I don't have to bother with any other users
that might have strong passwords (I already have access to the domain).
 
Jim said:
Hi,

Wonder if it is possible to set a different password age for different groups,
i.e. 30 days for Finance grp users and 90 days for Marketing grp users.

Thanks
Jimmy

Though it is not possible to set different password ages, it is possible
to write a script to expire the passwords on the accounts that need the
more restrictive password ages. It would have to run on a server every
night. This is not a really desirable method, but it will work. One
thing you lose is warnings for approaching password changes.
Essentially this is setting the "User must change password at next logon".

Ken
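
The nightly script described in the reply above could look like this in PowerShell with the ActiveDirectory module. This is an added example, not code from the thread; the group name Finance, the 30-day limit and the 7-day warning window are assumptions. Because the built-in expiry warning follows only the domain policy, the script also outputs the accounts that are close to the shorter limit so they can be notified separately.

```powershell
#Requires -Modules ActiveDirectory
# Added example: nightly job that enforces a shorter password age per group.
# Group names and day counts are assumptions based on the question in the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    [hashtable]$MaxAgeDays = @{ 'Finance' = 30 },  # group name -> max password age in days
    [int]$WarnDays = 7                              # report accounts this close to the limit
)

$now = Get-Date
foreach ($group in $MaxAgeDays.Keys) {
    $limit = [int]$MaxAgeDays[$group]

    # -Recursive flattens nested groups; keep user objects only.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties PasswordLastSet, PasswordNeverExpires, mail

        # Skip disabled accounts and accounts exempt from expiry (e.g. service accounts).
        if (-not $u.Enabled -or $u.PasswordNeverExpires) { continue }
        # PasswordLastSet is $null when a change at next logon is already pending.
        if ($null -eq $u.PasswordLastSet) { continue }

        $age = ($now - $u.PasswordLastSet).Days
        if ($age -ge $limit) {
            $action = "Require password change (age $age d, limit $limit d)"
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, $action)) {
                # Same effect as ticking "User must change password at next logon".
                Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            }
        }
        elseif ($age -ge ($limit - $WarnDays)) {
            # Not yet over the limit: emit a record for a separate reminder step.
            [pscustomobject]@{
                User     = $u.SamAccountName
                Group    = $group
                DaysLeft = $limit - $age
                Mail     = $u.mail
            }
        }
    }
}
```

Running it with -WhatIf first lists the accounts that would be flagged without changing them.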
 