[windows2000] SV: Re: SV: Re: 2003 Active Directory, Blank Passwords

• From: "Svein Arild Haugum" <svein@xxxxxxxxxxxxxx>
• To: <windows2000@xxxxxxxxxxxxx>
• Date: Fri, 9 Jul 2004 15:45:34 +0200

Did it work?

Mvh
Svein Arild


-----Opprinnelig melding-----
Fra: Matt Fowler [mailto:mfowler@xxxxxxxxxxxxxxxxx]
Sendt: 8. juli 2004 20:57
Til: windows2000@xxxxxxxxxxxxx
Emne: [windows2000] Re: SV: Re: 2003 Active Directory, Blank Passwords


Good idea, thanks.

At 08:52 PM 7/8/04 +0200, you wrote:
>Password policyes are a computer setting, not a user setting. So you cant 
>apply this to a user, or a group containing users, or a OU containing 
>users. (you can, but it wont work).
>
>The domain ONLY reads password policyes from the domain root level. So you 
>HAVE to place the policy here, or use the "Default domain policy". It is 
>the domain controllers who reads this policy and checks it. So you can 
>filter all you want on a user level, but for no good.
>
>You can however set this policy for different computers, but that will 
>only affect local accounts. If you apply a password policy to the "domain 
>controller objects" it will have NO function, since all logons to them are 
>checked in the directory, not localy.
>
>The only workaround I can think of working, is to disable the policy 
>domainwide (temporarily) reset the password for these users to blank, set 
>the password to never expire, and turn the policy back on. Havent tried 
>it, but i would imagine it works, since a password compexity is only 
>checked during password change, not logon.
>
>Mvh
>Svein Arild
>
>
>
>-----Opprinnelig melding-----
>Fra: James Lilly [mailto:LillyJ@xxxxxxxxxxx]
>Sendt: 8. juli 2004 17:01
>Til: windows2000@xxxxxxxxxxxxx; mfowler@xxxxxxxxxxxxxxxxx
>Emne: [windows2000] Re: 2003 Active Directory, Blank Passwords
>
>
>First of all, make sure you have the Group Policy Management Console
>installed, that makes your life much easier, especially when dealing
>with things like this.
>
>Then, in the GPMC, select the policy that restricts passwords, and make
>sure that the Authenticated Users group is listed in the security
>filtering box.  Go to the Delegation tab, click on Advanced, add the
>Group of users you want to allow blank passwords for, and check the Deny
>box for Apply Group Policy.
>
>Then, on the Blank Password group policy, just add the Group of Users
>you want to be able to use blank password to the Security Filtering box,
>and remove Authenticated Users from that box.
>
>That should work unless something strange is different about the
>security policy piece.  Unfortunately, I'm in the process of rebuilding
>my training classroom, so I can't test it out on that specific piece of
>Group Policy.
>
>Make sure that:
>1.  Both policies either only include the password settings, or that
>the other settings are identical, if you want them to be.
>
>2.  Both policies are linked to the domain level.  Password settings
>are only supposed to work at the domain level, but I haven't actually
>tried it in a lab environment to see if that is the case in real life,
>as well.
>
>Let me know if it works or not;
>
>James
>
> >>> mfowler@xxxxxxxxxxxxxxxxx 7/8/2004 10:13:26 AM >>>
>That much I think I understand, we have created a 2nd domain wide
>policy
>but are trying to apply it to only a select set of groups, not the
>entire
>domain. I'm beginning to think that this is impossible to do.
>
>Any additional thoughts?
>
>At 09:09 AM 7/8/04 -0500, you wrote:
> >I thought that this type of Account policy was a Domain wide thing and
>not a
> >specific OU and that wanting different account policies was one of
>the
> >reasons one would set up child domains.
> >
> >Douglas Jensen
> >Douglas.Jensen@xxxxxxxxxxxxx
> >Voice (952) 402-9821
> >Fax    (952) 402-9815
> >Network Administrator
> >Scott Carver Dakota CAP Agency, Inc.
> >712 Canterbury Road
> >Shakopee, MN 55379
> >www.capagency.org
> >
> >
> >-----Original Message-----
> >From: Matt Fowler [mailto:mfowler@xxxxxxxxxxxxxxxxx]
> >Sent: Thursday, July 08, 2004 9:06 AM
> >To: windows2000@xxxxxxxxxxxxx
> >Subject: [windows2000] 2003 Active Directory, Blank Passwords
> >
> >
> >Trying to setup Group Policies to allow a certain group of users the
> >ability to have blank passwords. However, the only way I can get
>blank
> >passwords to be allowed is to apply the GPO to the "authenticated
>users"
> >group. I don't want everyone to have blank passwords, just the users
>of a
> >specific group that are in a specific OU.
> >
> >What is the correct method for doing this? Should I be linking the GPO
>to
> >the OU or should I be using security permissions at the domain level?
> >
> >Thanks for any help,
> >
> >Matt Fowler
> >LAN Specialist
> >(847)925-6113
> >mfowler@xxxxxxxxxxxxxxx
> >********************************************************
> >This Weeks Sponsor StressedPuppy.com Games
> >Feeling stressed out? Check out our games to
> >relieve your stress.
> >http://www.StressedPuppy.com
> >********************************************************
> >To Unsubscribe, set digest or vacation
> >mode or view archives use the below link.
> >
> >http://thethin.net/win2000list.cfm
> >********************************************************
> >This Weeks Sponsor StressedPuppy.com Games
> >Feeling stressed out? Check out our games to
> >relieve your stress.
> >http://www.StressedPuppy.com
> >********************************************************
> >To Unsubscribe, set digest or vacation
> >mode or view archives use the below link.
> >
> >http://thethin.net/win2000list.cfm
>
>Matt Fowler
>LAN Specialist
>(847)925-6113
>mfowler@xxxxxxxxxxxxxxx
>********************************************************
>This Weeks Sponsor StressedPuppy.com Games
>Feeling stressed out? Check out our games to
>relieve your stress.
>http://www.StressedPuppy.com
>********************************************************
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm
>
>
>********************************************************
>This Weeks Sponsor StressedPuppy.com Games
>Feeling stressed out? Check out our games to
>relieve your stress.
>http://www.StressedPuppy.com
>********************************************************
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm
>********************************************************
>This Weeks Sponsor StressedPuppy.com Games
>Feeling stressed out? Check out our games to
>relieve your stress.
>http://www.StressedPuppy.com
>********************************************************
>To Unsubscribe, set digest or vacation
>mode or view archives use the below link.
>
>http://thethin.net/win2000list.cfm

Matt Fowler
LAN Specialist
(847)925-6113
mfowler@xxxxxxxxxxxxxxx
********************************************************
This Weeks Sponsor StressedPuppy.com Games
Feeling stressed out? Check out our games to
relieve your stress.
http://www.StressedPuppy.com
********************************************************
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
********************************************************
This Weeks Sponsor StressedPuppy.com Games
Feeling stressed out? Check out our games to
relieve your stress.
http://www.StressedPuppy.com
********************************************************
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm

Other related posts:

• » [windows2000] SV: Re: SV: Re: 2003 Active Directory, Blank Passwords

1. Home
2. windows2000
3. Archive
4. 07-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---