SOX compliant .. different password policy need for privil

John

Hello All,
Due to recent SOX requirements we are required to have a different password
policy for all privileged accounts; however, our Win2003 forest consists of a
single domain. We would have liked to implement the empty root design model; in
this way all our privileged accounts would reside in the root domain and all
user accounts would reside in the child domain. However, this design model
is not an option since we currently have a flat single forest / single
domain, and restructuring our forest to include an empty domain would be
impossible, or is it possible?
My question is how do I implement a different password policy for all my
privileged accounts?
I had one idea but am not sure if this would work: create a non-contiguous
domain tree, and this domain will contain all my privileged accounts, thus
using a different password policy. But I would also need these privileged
accounts to be domain admins of the entire forest; would this work?

Any ideas would certainly be appreciated.
TIA,
John
 
Creating a new domain tree in the forest should work. You're correct that
it's not really an empty root implementation, but it should work for what you
want to do. Create a new domain tree in the forest with the new password
policy. You can use the MoveTree utility
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;q238394) to move the
privileged accounts from the current domain to the new one, or you can create
new privileged accounts in the new domain. (If you move the accounts from the
original domain, I believe the new password policy will not come into effect
until the next time the password is reset.) Either way, add the privileged
users to the Enterprise Administrators group in the forest root domain, and
they will have administrative privileges throughout the enterprise. You can
keep their non-privileged accounts in the original domain with the original
password policy - your administrators have non-privileged accounts for
everyday use, of course...right? :-)

Hope this helps.

Steve
 
I agree. I wasn't even thinking about the administrator account in the
current forest root. So a more thorough answer would be to create a new
domain tree or child domain, have the password policy for the new domain
match the existing domain, move all user accounts to the new domain, modify
the password policy on the forest root domain to meet the SOX requirements,
and force all administrative accounts to reset their passwords under the new
requirements. One issue you will continue to have is that the default admin
account on the new domain will only require a password that meets the less
strict requirements of that domain, but I'm not sure how to get around that.

Steve
 
Hi,

The easiest way of resolving your issue is to create a new domain.
Sounds easy, right? But for people who do not have the resources or the
financial backing for new servers, and who would have to administer another
domain, this can be cumbersome.
Have you looked at any third-party software? There are a few products
out there that allow you to achieve exactly what you are trying to do
within the infrastructure you already have in place. No need for
additional DCs within a different domain.
Another option is that you can create your own password filter if you
have strong programming skills.

Password Filters
http://msdn.microsoft.com/library/d...y/en-us/secmgmt/security/password_filters.asp

Good luck

Harj Singh
Password Policy done right
www.specopssoft.com
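A worked sketch of the password-filter approach mentioned above, added here as an example and not code from the post or from any vendor: it applies a stricter minimum length to accounts whose name starts with an assumed `adm-` prefix (standing in for whatever naming convention marks privileged accounts), checks a three-of-four character-class rule, rejects passwords containing the account name, and under `_WIN32` wraps that check in the `InitializeChangeNotify`, `PasswordFilter` and `PasswordChangeNotify` exports the LSA calls on a registered filter DLL. The prefix, the two minimum lengths and the complexity rule are assumptions for illustration.

```c
#include <wchar.h>
#include <wctype.h>

/* Assumed policy values for illustration: privileged accounts get the stricter length. */
#define MIN_LEN_STANDARD     8
#define MIN_LEN_PRIVILEGED  15
#define PRIV_PREFIX L"adm-"   /* assumed naming convention marking privileged accounts */

/* Case-insensitive search for needle inside hay; neither is NUL-terminated (LSA passes lengths). */
static int contains_ci(const wchar_t *hay, size_t hlen, const wchar_t *needle, size_t nlen) {
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen && towlower(hay[i + j]) == towlower(needle[j])) j++;
        if (j == nlen) return 1;
    }
    return 0;
}

static int is_privileged(const wchar_t *account, size_t len) {
    size_t plen = wcslen(PRIV_PREFIX);
    return len >= plen && contains_ci(account, plen, PRIV_PREFIX, plen);
}

/* Returns 1 if the password is acceptable for this account, 0 if it must be rejected. */
int check_password_policy(const wchar_t *account, size_t alen, const wchar_t *pw, size_t plen) {
    size_t min_len = is_privileged(account, alen) ? MIN_LEN_PRIVILEGED : MIN_LEN_STANDARD;
    if (plen < min_len) return 0;
    int upper = 0, lower = 0, digit = 0, other = 0;
    for (size_t i = 0; i < plen; i++) {
        if (iswupper(pw[i])) upper = 1;
        else if (iswlower(pw[i])) lower = 1;
        else if (iswdigit(pw[i])) digit = 1;
        else other = 1;
    }
    if (upper + lower + digit + other < 3) return 0;               /* three of four character classes */
    if (alen >= 3 && contains_ci(pw, plen, account, alen)) return 0; /* account name must not appear */
    return 1;
}

#ifdef _WIN32   /* the exports the LSA looks for in a DLL listed under Notification Packages */
#include <windows.h>
#include <ntsecapi.h>
BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }
BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                             PUNICODE_STRING Password, BOOLEAN SetOperation) {
    (void)FullName; (void)SetOperation;   /* Length is in bytes; Buffer is not NUL-terminated */
    return check_password_policy(AccountName->Buffer, AccountName->Length / sizeof(WCHAR),
                                 Password->Buffer, Password->Length / sizeof(WCHAR)) ? TRUE : FALSE;
}
NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING u, ULONG rid, PUNICODE_STRING p) {
    (void)u; (void)rid; (void)p; return 0; /* STATUS_SUCCESS: nothing to record here */ }
#endif
```

The DLL runs inside LSASS on every domain controller, so it must be installed and registered on each DC, a reboot is needed before it takes effect, and any crash or leak in it takes the DC's authentication service down with it.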
 
Hi,

I am curious to know: once a forest and a root domain are created, can
we create an empty root domain after the fact?

Harj Singh
 