AAO
Recently we implemented a password policy for our institution; however,
during our testing we noticed that on our production AD environment we were
able to implement the following settings via the Default Domain Controllers
Security Policy (DDCSP):
Enforce Password History
Minimum Password Length
Passwords must meet complexity Requirements
These policies were enforced for all domain users and we verified the
validity of these settings through client testing.
The 'Maximum Password Age' and the 'Minimum Password Age' would not apply to
the domain users when set from DDCSP and we needed to enforce this from the
Default Domain Security Policy (DDSP). Needless to say, I was very confused
as to why this worked. I tried these same settings on 2 different AD test
environments and they would not enforce at the DDCSP. My question is: has
anyone else seen this? Why did this work on our production environment?
Based on what I read this should not have worked but it did.
Our Production Setup:
(3) Windows 2000 Domain Controllers with SP4 and all of the latest hot fixes
running in Mixed Mode.
Our Test Environment:
(2) Windows 2000 DCs with SP4 and a couple of hot fixes
Our 2nd Test Environment:
(1) Windows 2000 DC with Service Pack 2 and several hot fixes
Based on all of the Microsoft Knowledge Base articles and white papers I
could find, I've learned that Account Policies such as Password, Account
Lockout, and Kerberos Policies can only be enforced for domain users at the
DDSP. In addition, I learned that only Auditing and User Rights can be
enforced for Domain Controllers at the DDCSP.
AAO