[windows2000] SV: Re: 2003 Active Directory, Blank Passwords

  • From: "Svein Arild Haugum" <svein@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Thu, 8 Jul 2004 20:52:09 +0200

Password policies are a computer setting, not a user setting. So you can't apply 
this to a user, or a group containing users, or an OU containing users. (You 
can, but it won't work.)

The domain ONLY reads password policies from the domain root level. So you HAVE 
to place the policy here, or use the "Default domain policy". It is the domain 
controllers that read this policy and check it. So you can filter all you want 
on a user level, but to no avail.

You can, however, set this policy for different computers, but that will only 
affect local accounts. If you apply a password policy to the "domain controller 
objects" it will have NO function, since all logons to them are checked in the 
directory, not locally.

The only workaround I can think of working is to disable the policy domain-wide 
(temporarily), reset the password for these users to blank, set the password to 
never expire, and turn the policy back on. Haven't tried it, but I would imagine 
it works, since password complexity is only checked during password change, 
not logon.

Regards
Svein Arild
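
Added example, not part of the original message or thread: a read-only PowerShell audit of the points above, showing which password policy the domain enforces, which GPOs are linked at the domain root, and which enabled accounts are flagged password-never-expires or password-not-required. It assumes a management host with the ActiveDirectory and GroupPolicy modules, which are newer than the Windows 2003 tooling discussed in the thread.

```powershell
# Added example: read-only audit. Assumes the ActiveDirectory and GroupPolicy
# modules (RSAT) are installed and the caller can read the domain.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# 1. The password policy the domain controllers enforce for domain accounts.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  PasswordHistoryCount

# 2. GPOs linked at the domain root, in precedence order. Password settings
#    in GPOs linked only to an OU affect local accounts on the computers in
#    that OU, not domain accounts.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 3. Enabled accounts that never have to change their password, or that are
#    flagged as not requiring one. Complexity and length are checked only at
#    password change, so an old PasswordLastSet on these accounts means the
#    current password was never tested against the current policy.
Get-ADUser -Filter 'Enabled -eq $true' `
           -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired,
                  PasswordLastSet
```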



-----Original Message-----
From: James Lilly [mailto:LillyJ@xxxxxxxxxxx]
Sent: 8 July 2004 17:01
To: windows2000@xxxxxxxxxxxxx; mfowler@xxxxxxxxxxxxxxxxx
Subject: [windows2000] Re: 2003 Active Directory, Blank Passwords


First of all, make sure you have the Group Policy Management Console
installed, that makes your life much easier, especially when dealing
with things like this.

Then, in the GPMC, select the policy that restricts passwords, and make
sure that the Authenticated Users group is listed in the security
filtering box.  Go to the Delegation tab, click on Advanced, add the
Group of users you want to allow blank passwords for, and check the Deny
box for Apply Group Policy.  

Then, on the Blank Password group policy, just add the Group of Users
you want to be able to use blank password to the Security Filtering box,
and remove Authenticated Users from that box.

That should work unless something strange is different about the
security policy piece.  Unfortunately, I'm in the process of rebuilding
my training classroom, so I can't test it out on that specific piece of
Group Policy.

Make sure that:
1.  Both policies either only include the password settings, or that
the other settings are identical, if you want them to be.  

2.  Both policies are linked to the domain level.  Password settings
are only supposed to work at the domain level, but I haven't actually
tried it in a lab environment to see if that is the case in real life,
as well.

Let me know if it works or not;

James

>>> mfowler@xxxxxxxxxxxxxxxxx 7/8/2004 10:13:26 AM >>>
That much I think I understand, we have created a 2nd domain wide policy
but are trying to apply it to only a select set of groups, not the entire
domain. I'm beginning to think that this is impossible to do.

Any additional thoughts?

At 09:09 AM 7/8/04 -0500, you wrote:
>I thought that this type of Account policy was a Domain wide thing and not a
>specific OU and that wanting different account policies was one of the
>reasons one would set up child domains.
>
>Douglas Jensen
>Douglas.Jensen@xxxxxxxxxxxxx 
>Voice (952) 402-9821
>Fax    (952) 402-9815
>Network Administrator
>Scott Carver Dakota CAP Agency, Inc.
>712 Canterbury Road
>Shakopee, MN 55379
>www.capagency.org 
>
>
>-----Original Message-----
>From: Matt Fowler [mailto:mfowler@xxxxxxxxxxxxxxxxx] 
>Sent: Thursday, July 08, 2004 9:06 AM
>To: windows2000@xxxxxxxxxxxxx 
>Subject: [windows2000] 2003 Active Directory, Blank Passwords
>
>
>Trying to set up Group Policies to allow a certain group of users the
>ability to have blank passwords. However, the only way I can get blank
>passwords to be allowed is to apply the GPO to the "authenticated users"
>group. I don't want everyone to have blank passwords, just the users of a
>specific group that are in a specific OU.
>
>What is the correct method for doing this? Should I be linking the GPO to
>the OU or should I be using security permissions at the domain level?
>
>Thanks for any help,
>
>Matt Fowler
>LAN Specialist
>(847)925-6113
>mfowler@xxxxxxxxxxxxxxx 
>********************************************************
>This Weeks Sponsor StressedPuppy.com Games
>Feeling stressed out? Check out our games to
>relieve your stress.
>http://www.StressedPuppy.com 
>********************************************************
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm 

Matt Fowler
LAN Specialist
(847)925-6113
mfowler@xxxxxxxxxxxxxxx 