Here is a sort of convoluted albeit possible solution to the issue. It will be much easier to manage and design with the assistance of a comprehensive management platform that enforces business rules and manages access control.
The idea is to audit the contents of an OU, specifically users. Evaluate password age in one of many ways depending on the specific needs, but find out how old the password is and evaluate it against the tighter password policy you want to apply to that container. To create a solution that creates an experience for the user the same or similar to that of a domain wide password policy, you will have to figure out if the password is x number of days old and start presenting the user with the "your password will expire in x days..." and when the grace period is over switch the flag for "user must change password at next logon."

There are many reasons why this is more possible with a comprehensive management platform like <gratuitous plug> Aelita Enterprise Directory Manager </gratuitous plug>. The first reason specifically mentioned as a requirement is having this setting apply to many different users throughout the enterprise. With a good management platform you can create essentially virtual containers that are query based and can be managed with rules like the one mentioned here. These management platforms will allow you advanced features like reporting that can kick off an automation job. The flexibility is very deep.

Let me know offline if you want some more details.

Kevin
Aelita

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 6:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Different password policy

The only way is to split the domain due to 'infamous domainwide security policy problem'... a drastic step. I guess you need to look at why you need a separate policy, and what would the implications be of enforcing the 'stronger password policy' domain wide.
BR
Robert Rutherford

Ole Thomsen <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Different password policy
24/03/2003 14:43
Please respond to ActiveDir

I need to implement a stronger password policy for a large group of users in my AD, and run into the infamous domainwide security policy problem. What is the best way to do this, and still being able to let these users have access to the file/print, Ex2K mailboxes and other resources they use today?

Regards,
Ole Thomsen

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
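
The audit described in the first reply of this thread (password age per user in an OU, a warning window, then the "user must change password at next logon" flag), sketched in PowerShell as an added example that is not code from any poster in the thread. The 30-day limit, 7-day warning window, account names and OU path are assumptions, and the sample records are constructed.

```powershell
# Added example, not from the thread. Limits and sample accounts are assumptions.
function Get-PasswordAction {
    param(
        [long]$PwdLastSet,            # pwdLastSet attribute: 100 ns ticks since 1601-01-01 UTC
        [bool]$PasswordNeverExpires,  # exempt accounts are left alone
        [datetime]$Now,
        [int]$MaxAgeDays = 30,        # assumed stricter limit for this OU
        [int]$WarnDays   = 7          # assumed warning (grace) window
    )
    if ($PasswordNeverExpires) { return 'Skip' }
    # pwdLastSet = 0 is how AD records "user must change password at next logon"
    if ($PwdLastSet -eq 0) { return 'AlreadyFlagged' }
    $changed  = [datetime]::FromFileTimeUtc($PwdLastSet)
    $daysLeft = [math]::Floor($MaxAgeDays - ($Now.ToUniversalTime() - $changed).TotalDays)
    if ($daysLeft -lt 0)         { return 'ForceChange' }
    if ($daysLeft -le $WarnDays) { return "Warn:$daysLeft" }
    return 'OK'
}

# Constructed sample records shaped like Get-ADUser output
$now = [datetime]::new(2003, 3, 25, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; pwdLastSet = $now.AddDays(-10).ToFileTimeUtc(); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';   pwdLastSet = $now.AddDays(-26).ToFileTimeUtc(); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol'; pwdLastSet = $now.AddDays(-45).ToFileTimeUtc(); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'dave';  pwdLastSet = 0;                                 PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc';   pwdLastSet = $now.AddDays(-400).ToFileTimeUtc(); PasswordNeverExpires = $true }
)

# Report the decision per account; the Warn rows are the ones to notify
$sample | Select-Object SamAccountName, @{
    Name       = 'Action'
    Expression = { Get-PasswordAction -PwdLastSet $_.pwdLastSet -PasswordNeverExpires $_.PasswordNeverExpires -Now $now }
}

# Against a live domain (ActiveDirectory module; the OU path is a placeholder).
# -WhatIf previews the change; remove it to actually set the flag.
# Get-ADUser -Filter * -SearchBase 'OU=Example,DC=example,DC=com' -Properties pwdLastSet, PasswordNeverExpires |
#   Where-Object { (Get-PasswordAction $_.pwdLastSet $_.PasswordNeverExpires (Get-Date)) -eq 'ForceChange' } |
#   Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

On domains at the Windows Server 2008 functional level or later, fine-grained password policies (Password Settings Objects) apply a separate policy to a group of users natively, which removes the need for a script like this.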
