Security Settings for Password Policy and User properties

Peter

I'm using a standalone Windows XP SP2 machine. I see the following security
settings for password policy:

Enforce password history
Maximum password age
Minimum password age
Minimum password length
Passwords Must Meet Complexity Requirements
Store Password Using Reversible Encryption For All Users In The Domain

and the following settings in User properties:

User must change password at next logon
User cannot change password
Password never expires
Account is disabled
Account is locked out

1. Is there a way to set up policy to control those settings in User
Properties in this standalone Windows XP SP2 machine?
2. If the Windows XP SP2 machine is joined to a domain, will there be more
security settings for Password Policy and more User properties?
 
Peter said:
> I'm using a standalone Windows XP SP2 machine. I see the following
> security settings for password policy:
>
> Enforce password history
> Maximum password age
> Minimum password age
> Minimum password length
> Passwords Must Meet Complexity Requirements
> Store Password Using Reversible Encryption For All Users In The Domain
>
> and the following settings in User properties:
>
> User must change password at next logon
> User cannot change password
> Password never expires
> Account is disabled
> Account is locked out
>
> 1. Is there a way to set up policy to control those settings in User
> Properties in this standalone Windows XP SP2 machine?

Policies in a standalone PC will apply to all users.

> 2. If the Windows XP SP2 machine is joined to a domain, will there
> be more security settings for Password Policy and more User
> properties?

In a domain you use group policy. Password policies apply to all users (as
they have to be linked at the domain level). Of course, these are domain
accounts, not local workstation user accounts.
What exactly is it you want to control?
 
Hi Lanwench,

I understand that policies in a standalone PC will apply to all users but
those User Properties (e.g. User must change password at next logon) are not
in the password policy. So, how can I add those User Properties to password
policy or create a user-defined policy containing those User Properties?

Does password policy under group policy in a domain have more settings than
the corresponding password policy under local security policy in a standalone
machine?
 
Peter said:
> Hi Lanwench,
>
> I understand that policies in a standalone PC will apply to all users
> but those User Properties (e.g. User must change password at next
> logon) are not in the password policy. So, how can I add those User
> Properties to password policy or create a user-defined policy
> containing those User Properties?

I don't think you can.

> Does password policy under group policy in a domain have more
> settings than the corresponding password policy under local security
> policy in a standalone machine?

The "user must change pw at next login" is not a policy thing. I'm not sure
of your actual goal here so it's not easy to answer your questions. It would
be better if you told us what it was you were trying to accomplish.
 
Hi Lanwench,

I'm trying to understand the log file generated by Security Configuration and
Analysis. If the "user must change pw at next login" is not a policy thing,
what is the entry "Not Configured - RequireLogonToChangePassword" in the log
file?

Here is a section of the log file:

----Analyze Security Policy...
Mismatch - MinimumPasswordLength.
Mismatch - PasswordHistorySize.
Mismatch - MinimumPasswordAge.
Mismatch - PasswordComplexity.
Not Configured - RequireLogonToChangePassword.
Analyze password information.
Mismatch - LockoutBadCount.
Analyze account lockout information.
Not Configured - ForceLogOffWhenHourExpire.
Analyze account force logoff information.
Not Configured - NewAdministratorName.
Not Configured - NewGuestName.
Analyze LSA anonymous lookup setting.
Not Configured - EnableAdminAccount.
Analyze other policy settings.
Not Configured - ResetLockoutCount.
Not Configured - LockoutDuration.

I'm trying to figure out where I can configure all these settings. I can
find most of them in the Password Policy and Account Lockout Policy. If
those settings that are not in the Password Policy and Account Lockout Policy
are per user settings only, should the Security Configuration and Analysis
indicate the user name?
 
Peter said:
> Hi Lanwench,
>
> I'm trying to understand the log file generated by Security
> Configuration and Analysis. If the "user must change pw at next
> login" is not a policy thing, what is the entry "Not Configured -
> RequireLogonToChangePassword" in the log file?
>
> Here is a section of the log file:
>
> ----Analyze Security Policy...
> Mismatch - MinimumPasswordLength.
> Mismatch - PasswordHistorySize.
> Mismatch - MinimumPasswordAge.
> Mismatch - PasswordComplexity.
> Not Configured - RequireLogonToChangePassword.
> Analyze password information.
> Mismatch - LockoutBadCount.
> Analyze account lockout information.
> Not Configured - ForceLogOffWhenHourExpire.
> Analyze account force logoff information.
> Not Configured - NewAdministratorName.
> Not Configured - NewGuestName.
> Analyze LSA anonymous lookup setting.
> Not Configured - EnableAdminAccount.
> Analyze other policy settings.
> Not Configured - ResetLockoutCount.
> Not Configured - LockoutDuration.
>
> I'm trying to figure out where I can configure all these settings. I
> can find most of them in the Password Policy and Account Lockout
> Policy. If those settings that are not in the Password Policy and
> Account Lockout Policy are per user settings only, should the
> Security Configuration and Analysis indicate the user name?

Hmmm. I'm really not sure. I suggest you post in
microsoft.public.windows.group_policy for more info on this. All I know is
that the change pw on next login stuff is part of the GUI, not visible in
group policy.
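
An added example, not part of the thread and not written by either poster: a small Python parser for the Security Configuration and Analysis log section quoted above, tagging each `Mismatch` / `Not Configured` entry with the Local Security Policy node where that setting is edited. The `WHERE` mapping and the function name are additions made here; `RequireLogonToChangePassword` is a security-template key with no entry in the Local Security Policy console, so it maps to `None`.

```python
import re

# Constructed input: the log section quoted in the thread above.
SAMPLE_LOG = """----Analyze Security Policy...
Mismatch - MinimumPasswordLength.
Mismatch - PasswordHistorySize.
Mismatch - MinimumPasswordAge.
Mismatch - PasswordComplexity.
Not Configured - RequireLogonToChangePassword.
Analyze password information.
Mismatch - LockoutBadCount.
Analyze account lockout information.
Not Configured - ForceLogOffWhenHourExpire.
Analyze account force logoff information.
Not Configured - NewAdministratorName.
Not Configured - NewGuestName.
Analyze LSA anonymous lookup setting.
Not Configured - EnableAdminAccount.
Analyze other policy settings.
Not Configured - ResetLockoutCount.
Not Configured - LockoutDuration.
"""

PW, LOCK, OPT = "Password Policy", "Account Lockout Policy", "Security Options"
# Added mapping (not from the thread): security-template key -> node in Local
# Security Policy. None = template-only key with no entry in that console.
WHERE = {
    "minimumpasswordlength": PW, "passwordhistorysize": PW,
    "minimumpasswordage": PW, "maximumpasswordage": PW,
    "passwordcomplexity": PW, "cleartextpassword": PW,
    "requirelogontochangepassword": None,
    "lockoutbadcount": LOCK, "resetlockoutcount": LOCK, "lockoutduration": LOCK,
    "forcelogoffwhenhourexpire": OPT, "newadministratorname": OPT,
    "newguestname": OPT, "enableadminaccount": OPT,
}
ENTRY = re.compile(r"^(Mismatch|Not Configured) - (\w+)\.?\s*$")

def parse_analysis_log(text):
    """Return [(status, setting, console_node)] for each result line."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # banner lines such as "Analyze password information." are skipped
            status, name = m.groups()
            rows.append((status, name, WHERE.get(name.lower(), "unmapped")))
    return rows

if __name__ == "__main__":
    for status, name, node in parse_analysis_log(SAMPLE_LOG):
        print(f"{status:<15} {name:<30} {node or 'template only'}")
```

Keys are matched case-insensitively because the log writes `ForceLogOffWhenHourExpire` with different capitalisation than security templates usually do.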
 