(Msg. 1) Posted: Mon Jun 30, 2008 6:52 am
Post subject: Do my account policies really work ? Archived from groups: microsoft>public>win2000>group_policy (more info?)
Hello
We have set the beginning of the year that the users have to change their
password and meet password complexity.
Here are the settings:
Password history : 24 passwords remembered
Minimum password age: 0
Maximum password age: 120
Password must meet complexity is enabled
The option "Password never expires" is NOT set on user objects.
The policy has been limked to the top of the domain.
I have just discovered that one user has never changed its password since
January 4th.... it's a lot more than 120 days... so why ? I asked the user
who stated that the system has never asked for a password change...
How can I check if the policy really works and what could affect that it
doesn't work fine, knowing that the complexity seems to be asked when
changing its password ?
(Msg. 2) Posted: Mon Jun 30, 2008 3:57 pm
Post subject: Re: Do my account policies really work ? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
Howdie!
Nicolas Heyer schrieb:
> Password history : 24 passwords remembered
> Minimum password age: 0
Setting it to 0 is a bad idea since people could change it just 24 times
in a row and then re-enter their previous password.
> The policy has been limked to the top of the domain.
How's the linking order? Is the Password Policy the one linked at the
"top" of all policies when you look at the list at the domain level? Or
is at least the one policy that's linked highest when it comes to
Password settings?
(Msg. 3) Posted: Mon Jun 30, 2008 3:57 pm
Post subject: Re: Do my account policies really work ? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
there are 6 group policies linked to the domain level, the account policy is
set as 5th policy, but the other policies have, I think, nothing to do with
account policy. Should I change the order and set the policy to be enforced ?
Regards
Nicolas
P.S. : yes, I know that 0 is not the best setting for minimum password
age... we will change it, but I also think that a user will probably try 3 or
5 times but almost never 24 times, or he really has nothing else to do at
work... but you're right, it's a lack of security...
"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> Nicolas Heyer schrieb:
> > Password history : 24 passwords remembered
> > Minimum password age: 0
>
> Setting it to 0 is a bad idea since people could change it just 24 times
> in a row and then re-enter their previous password.
>
> > The policy has been limked to the top of the domain.
>
> How's the linking order? Is the Password Policy the one linked at the
> "top" of all policies when you look at the list at the domain level? Or
> is at least the one policy that's linked highest when it comes to
> Password settings?
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog. > Use a newsreader! http://www.frickelsoft.net/news.html >
(Msg. 4) Posted: Fri Jul 25, 2008 3:36 pm
Post subject: Re: Do my account policies really work ? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
Quoted from
http://technet2.microsoft.com/windowsserver/en/library/353f7ad9-b53d-4...-9867-1
"For domain accounts, there can be only one account policy per domain.
The account policy must be defined in the Default Domain Policy or in
a new policy that is linked to the root of the domain and given
precedence over the Default Domain Policy, which is enforced by the
domain controllers that make up the domain. A domain controller always
pulls the account policy from a Group Policy object (GPO)linked to the
domain, which by default is the Default Domain Policy GPO. This
behavior occurs even if there is a different account policy applied to
the organizational unit (OU) that contains the domain controller."
Hope that helps if it wasn't answered already.
-dweez
On Mon, 30 Jun 2008 08:16:03 -0700, Nicolas Heyer
<NicolasHeyer DeleteThis @discussions.microsoft.com> wrote:
>there are 6 group policies linked to the domain level, the account policy is
>set as 5th policy, but the other policies have, I think, nothing to do with
>account policy. Should I change the order and set the policy to be enforced ?
>
>
>
>Regards
>Nicolas
>
>P.S. : yes, I know that 0 is not the best setting for minimum password
>age... we will change it, but I also think that a user will probably try 3 or
>5 times but almost never 24 times, or he really has nothing else to do at
>work... but you're right, it's a lack of security...
>
>
>"Florian Frommherz [MVP]" wrote:
>
>> Howdie!
>>
>> Nicolas Heyer schrieb:
>> > Password history : 24 passwords remembered
>> > Minimum password age: 0
>>
>> Setting it to 0 is a bad idea since people could change it just 24 times
>> in a row and then re-enter their previous password.
>>
>> > The policy has been limked to the top of the domain.
>>
>> How's the linking order? Is the Password Policy the one linked at the
>> "top" of all policies when you look at the list at the domain level? Or
>> is at least the one policy that's linked highest when it comes to
>> Password settings?
>>
>> cheers,
>>
>> Florian
>> --
>> Microsoft MVP - Windows Server - Group Policy.
>> eMail: prename [at] frickelsoft [dot] net.
>> blog: http://www.frickelsoft.net/blog. >> Use a newsreader! http://www.frickelsoft.net/news.html >>
(Msg. 5) Posted: Sat Jul 26, 2008 1:24 pm
Post subject: Re: Do my account policies really work ? [Login to view extended thread Info.] Archived from groups: per prev. post (more info?)
Nicolas,
Nicolas Heyer wrote:
> there are 6 group policies linked to the domain level, the account policy is
> set as 5th policy, but the other policies have, I think, nothing to do with
> account policy. Should I change the order and set the policy to be enforced ?
You can check that easily using the GPMC and the settings tab for those
policies. Only one Password Policy is applied - it's the "upper most"
Password Policy the system can find at the domain root. So moving your
Default Domain Policy to the top of the list should do the trick. But
don't enforce it.
If the policy still doesn't apply-- is inheritance blocked at the Domain
Controllers-OU?
All times are: Eastern Time (US & Canada) (change)
Page 1 of 1
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Home
Forums
Home
FAQ
Profile
Private Messages
Log in
Windows Other