>You mention a new domain, does this mean that a child or sub-domain cannot have its own security policy?
Nope - a child domain DOES have a separate security policy.

Look at it like this. I have a company that does technical research and then sells it. The marketing folks are in one domain that requires password changes every 45 days with 5 character passwords and locks out their machine for 15 min. after 5 unsuccessful login attempts.

BUT! The really sensitive stuff (the intellectual property) of the company is managed and created by the researchers. We need to make sure that the research information is very secure. Given that I can only have one account / password / lockout policy per domain, I create a child of the first domain and call it research.company.com. I move all of the researchers into the research domain and apply the strong password requirements (14 chars, complex required, changes every 10 days, retain 24 password history, etc.) and the lockout duration might be infinite, requiring interaction from administration.

So, yes - the password policy is at the domain level and if you have differing requirements for class of user, you are going to need a new domain for that new class of user.

Hope this helps....

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Monday, March 24, 2003 12:30 PM
To: [EMAIL PROTECTED]

Thousands of students and teachers will not accept a password policy forcing them to change every 60 days, and I have no valid argument to make them :-)

Then there is a part of the staff working with administrative applications, for whom I have to implement a strong policy in the AD as these apps are migrated from Unix to Windows.

You mention a new domain, does this mean that a child or sub-domain cannot have its own security policy?
Ole

> -----Original Message-----
> From: Rob Ellis [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 24, 2003 3:56 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Different password policy
>
> How much stronger would the policy be compared to the current one?
>
> Also, when you say a large group of users, what proportion of your
> total user base are we talking?
>
> If it's like 75%, then it's probably worth applying the policy to
> everyone, and save the hassle.
>
> If not, then I suppose the way to go is a new domain with a trust to
> the existing one.
>
> Regards,
> Rob Ellis
> Network Manager
> Profectus IT
> Tel 023 9224 7979
> Mob 07974 111867
>
> -----Original Message-----
> From: Ole Thomsen [mailto:[EMAIL PROTECTED]
> Sent: 24 March 2003 14:43
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Different password policy
>
> I need to implement a stronger password policy for a large group of
> users in my AD, and run into the infamous domainwide security policy
> problem.
>
> What is the best way to do this, and still being able to let these
> users have access to the file/print, Ex2K mailboxes and other
> resources they use today?
>
> Regards,
> Ole Thomsen
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
