domain security policy


Patrick

Thanks for all your help.

I want to set up a security policy in a Windows 2000 domain environment to
force general users to change their password every 3 months, and something
like enforce password history and account lockout.

I have the following question:
- Is it applied to all domain users, including "Domain Administrator"?
- How can I exclude some users, like "Domain Administrator" and some
service accounts, from the above settings?
- If I set these policies at a newly created OU level and move the general users'
computer objects into this OU (not the server and DC objects), am I right that the
policy will only apply to these computers?
- What is the best practice for applying these domain security settings?

Thanks for your help.

Patrick
 
Some answers inline.
Patrick said:
Thanks for all your help.

I want to set up a security policy in a Windows 2000 domain environment to
force general users to change their password every 3 months, and something
like enforce password history and account lockout.

I have the following question:
- Is it applied to all domain users, including "Domain Administrator"?

Yes, unless there is a specific account setting override.
- How can I exclude some users, like "Domain Administrator" and some
service accounts, from the above settings?

Yes, for the specific account, you can choose to prevent the requirement to
change passwords. But, if you set up complexity, etc, then it must be
followed.
- If I set these policies at a newly created OU level and move the general users'
computer objects into this OU (not the server and DC objects), am I right that the
policy will only apply to these computers?

Nope. Account policy is domain wide in a Windows 2000 (and 2003) domain. It
applies to *all* users in the domain.
- What is the best practice for applying these domain security settings?

Like you are doing.
 
Thanks for your info, Brian.

To prevent the requirement to change passwords,
am I right that I can set it from the "Account" tab of the user's properties
in "AD Users and Computers" --> set it to "Password never expires"?

Thanks again

Patrick
 
Not for the default domain policy.
Think about it: if there is one policy that must be applied to all, that is
it.
This article is more directed at custom GPOs.
Brian
 
You could address your requirements completely if you were
running a Windows 2008 domain. With the Windows 2000
domain that you have there is no way to do this.

On a per-account basis you can set some account to have their
passwords never expire (which most people do for service
accounts, but which may not be the best of ideas).

The other policies you have mentioned are always applied to
all accounts of the domain and must be set in a GPO linked to
the domain object. When the policies are set in a GPO linked
to an OU, as you outlined/hypothesized, those policies will only
apply for machine local accounts on computers in the OU (they
will have zero impact on domain accounts).

I noticed that you particularly wanted to exempt admins from
the impact of the policies. I will just note that it is precisely
the more powerful accounts that you ought to want forced into
use of better password practices.

Roger
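The placement Roger describes (account policy on the domain object, per-account "never expires" as the only exception on Windows 2000, and per-group exceptions only from Windows Server 2008 on), as an added PowerShell example that is not from the thread or from any of the posters. It assumes a Windows Server 2008 or later domain and the ActiveDirectory module (shipped with 2008 R2 and later); the per-group settings objects it creates are the fine-grained password policy feature, assumed here to be what Roger means by a 2008 domain addressing the requirements completely. None of it runs against the Windows 2000 domain Patrick has. The domain name, OU, group names and policy names are placeholders, and the privileged-account policy is deliberately stricter than the default, following Roger's last point, rather than exempting admins.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008+ domain
# functional level and the ActiveDirectory module (2008 R2+). Domain, group
# and policy names are placeholders.
Import-Module ActiveDirectory

$domain = 'corp.example.com'   # placeholder domain name

# 1. Account policy is domain-wide: set it on the domain object, never on an
#    OU (an OU-linked GPO only reaches local accounts on the OU's computers).
#    90-day maximum age, 24 remembered passwords, lockout after 5 bad tries.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 2. Per-group exceptions (the 2008 feature): a password settings object
#    overrides the domain defaults for its subjects; lower Precedence wins
#    when several apply. Privileged accounts get a stricter policy, not a
#    looser one.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' `
    -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 60) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins'

# Service accounts: a long maximum age instead of "never expires", so the
# passwords still rotate. 'SvcAccounts' is a placeholder group.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' `
    -Precedence 20 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 25 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' `
    -Subjects 'SvcAccounts'

# 3. Check what a given user actually gets. The resultant-policy cmdlet
#    returns nothing when no settings object applies, in which case the
#    domain default is in force.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { return Get-ADDefaultDomainPasswordPolicy }
    return $pso
}
Get-EffectivePasswordPolicy -SamAccountName 'Administrator' |
    Select-Object DistinguishedName, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold

# 4. Audit the per-account "Password never expires" flag from the Account
#    tab: each such account is exempt from MaxPasswordAge whatever the policy
#    says, so list them with the date the password was last set.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

Step 4 is the part that still applies to a Windows 2000 domain in spirit: the per-account flag is the only exemption available there, and it is worth knowing which accounts carry it, since a service account with a password last set years ago is exactly the kind of account the domain-wide policy was meant to catch.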
 
Roger, thanks for your detailed info.

Patrick

 