[gptalk] Re: Difficulty applying policies

  • From: Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jan 2008 17:40:26 -0800

This is a major issue many companies face:

1st thing I would ask is:

Is your company bound by any regulatory compliance specifications? If so less 
complex passwords may violate that.

2nd- your execs need to secure their data and less complex passwords put that 
more at risk- but so does a very difficult password that they end up writing 

I would work with your execs and the exec assistants to understand how to meet 
a strong password that is easy to remember- here are a few examples:

3Golfpro$ -- this has the length- the number, special characters and upper and 
lower case.

As far as Fine-Grained password policies- it is very important to note that 
this is only available when the domain is running in W2k8 native mode so all 
w2k w2k3 domain controllers have to be removed before you can enable that- 2nd- 
this is something that should be kept under wraps right now as it is hard to 
audit and can be a pain to setup.

In the real world what I would recommend for your execs - new laptops with 
fingerprint readers built in- this works great for their own PC- also- if a new 
machine is not in the budget or they have a desktop or a 2nd machine at home- 
the usb connected USB fingerprint readers work great.

And- for all you admins working with vista and user account control- finger 
print readers are great as your user account can be your index finger and your 
administrator account can be your middle finger- it works like a champ- if you 
haven't tried it-pay the 40 bucks and get one to try it out.

My 2 cents hope it helps some,


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of mike kline
Sent: Friday, January 11, 2008 4:58 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Difficulty applying policies

Password policies for domain accounts can't be set at the OU level.  That 
policy is set at the domain level so your domain level policy is still being 

There are some third party tools that may help you out if you want a different 

Windows 2008 will allow you to use fine-grained passwords so Microsoft did 
listen that we wanted this feature.   More info on that here:


On Jan 11, 2008 7:37 PM, Paul Manley 
<paul.manley@xxxxxxxxx<mailto:paul.manley@xxxxxxxxx>> wrote:
Simplified Scenario:  Executives can't remember their difficult passwords.  So 
we are going to let them use smaller non-complex passwords.

Let us assume that this morning I setup Active Directory on a Windows 2003 
server with SP1, but no other updates and created a few users.
I've installed the Group Policy Management snap-in and created a new Group 
Policy Object ( under the Group Policy Objects folder of our domain ) called 
"Exec Password Policy".
I've set the [Computer Configuration]->[Windows Settings]->[Security 
Settings]->[Account Policies]->[Password Policies] to be less restrictive in 
"Exec Password Policy".
I create a new Organizational Unit called "Executives" and place the users in 
Now I "Link an Existing GPO..." on my "Executives" OU selecting the "Executive 
Password Policy".

I try to reset one of the Executives passwords, but I am not allowed:
"Windows cannot complete the password change for Fred Executive because:  The 
password does not meet the password policy requirements.  Check the minimum 
password length, password complexity and password history requirements."

Those are exactly what I have just turned off.  Perhaps you could point out the 
error of my configuration.  I have setup a VM domain this morning to do testing.

 - Paul -

Other related posts: