Simple question on Password Policy

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Good Morning, All ~

I have a simple question, probably more like a stupid one, but here it goes.
:) Everything I have read states that password policies are on the computer
side. What do you do if you have between 60 to 80 users connecting to a
terminal server with thin clients?

I just don't understand how a password policy can be in effect for these
users. Your help is greatly appreciated!!

Sunnie
 
You are correct that the password policy settings are in the computer config
portion of Group Policy. This is to ensure that all the domain controllers
read the same settings. When the users logon to the terminal server, they
user a password that is authenticated by the DC's which will abide by the
password policy.
If this is a stand alone machine the the TS would take the place of the DC.
 
My question is more on permissions and securities. Do I add users/OU's under
the securities area so that the users are forced to change their passwords,
or do I add computers? Because adding computers makes no sense to me, since
it's actually a password for the user and not the computer. Does my
confusion make any sense? :-)

You are correct that the password policy settings are in the computer config
portion of Group Policy. This is to ensure that all the domain controllers
read the same settings. When the users logon to the terminal server, they
user a password that is authenticated by the DC's which will abide by the
password policy.
If this is a stand alone machine the the TS would take the place of the DC.

--
James Brandt [MSFT]


Sunnie said:
Good Morning, All ~

I have a simple question, probably more like a stupid one, but here it
goes.
:) Everything I have read states that password policies are on the
computer
side. What do you do if you have between 60 to 80 users connecting to a
terminal server with thin clients?

I just don't understand how a password policy can be in effect for these
users. Your help is greatly appreciated!!

Sunnie
 
The password policy is enforced by whatever computer owns the user account.

While it is "users" (people) that are affected, password policy is computer
wide; you can't set it differently for different sets of user accounts
"owned" by the same computer.

In a domain, the password policy is usually (in my experience anyway) in the
Default Domain policy so that it is enforced by all domain member computers
and domain controller computers. For domain user accounts, it is the domain
controllers that "own" the user accounts and thus (the domain controller
computers that) enforce the password policy for the domain (as stated by
James). For local user accounts on domain member computers (servers or
workstations), those computers enforce whatever password policy applies to
them (based on whatever GPOs are linked to or inherited by the OU they are
in), which is normally the one in the Default Domain Policy.

For computers that are not in a domain at all, each individual computer
enforces whatever password policy is in affect on it to user accounts that
it owns (e.g. all local user accounts).

For a Terminal Server, if it is a Domain Member, the Default Domain policy
will (normally) apply to it and thus it will enforce the Default Domain
Policy's password policy (if there is one - which is pretty normal) for it's
local user accounts. If you need to, you could presumably apply a different
password policy to a member (Terminal) Server (for local user accounts that
it "owns"), but I guess I don't understand why one would want to do that.


--
Bruce Sanderson MVP

It is perfectly useless to know the right answer to the wrong question.


Sunnie said:
My question is more on permissions and securities. Do I add users/OU's
under
the securities area so that the users are forced to change their
passwords,
or do I add computers? Because adding computers makes no sense to me,
since
it's actually a password for the user and not the computer. Does my
confusion make any sense? :-)

You are correct that the password policy settings are in the computer
config
portion of Group Policy. This is to ensure that all the domain
controllers
read the same settings. When the users logon to the terminal server,
they
user a password that is authenticated by the DC's which will abide by the
password policy.
If this is a stand alone machine the the TS would take the place of the
DC.

--
James Brandt [MSFT]


Sunnie said:
Good Morning, All ~

I have a simple question, probably more like a stupid one, but here it
goes.
:) Everything I have read states that password policies are on the
computer
side. What do you do if you have between 60 to 80 users connecting to
a
terminal server with thin clients?

I just don't understand how a password policy can be in effect for
these
users. Your help is greatly appreciated!!

Sunnie
 
Back
Top