Yes – that makes sense – at least I understand why my OU-level GPOs seemed to be ignoring the password requirements. I still don't understand why Microsoft chose to make password requirements a feature of the DC and not the user, however. The only solution is to have multiple sites!!

Thanks,
Kurt
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 1:29 PM
To: [email protected]
Subject: RE: [ActiveDir] Password complexity requirements
Kurt,

The password policy is a computer setting, and it can't be configured the way you've described. It's a computer setting for good reason... the computer is the point of enforcement of the policy. In the case of the configuration you've described, the local accounts on the computers in those OUs will have the differing password requirements, not the users' domain accounts that are used to log on to those systems. You can block GPO inheritance all you want; the policy is enforced by the domain controllers for domain accounts.

The computer policy is applied, and the computer in turn applies that policy to accounts which it "owns". In the case of the DCs, it's domain accounts. In the case of client systems, it's those client systems' local accounts.

In the case of your Los Alamos example, the users' accounts are on the DC, so it doesn't matter where they reset their password from. The DC owns the account and applies the policy rules to the password.

Hope that made sense.

rb
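A defender's audit that follows from rb's explanation above, added here as an example and not part of the original thread: it lists every GPO that carries Password Policy settings, where each one is linked, and whether that link reaches the domain controllers, which is the only place those settings govern domain accounts. It assumes the RSAT ActiveDirectory and GroupPolicy modules, and that the Get-GPOReport XML exposes Password Policy entries as Account elements named after the setting and link targets as LinksTo/SOMPath.

```powershell
# Added example, not code from the thread. Lists GPOs that set Password Policy
# values and classifies each link: only links that reach the DCs (domain root
# or the Domain Controllers OU) shape the policy applied to domain accounts;
# the same settings on any other OU affect only the local SAM accounts there.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Password Policy setting names as they appear in a GPO XML report (assumption).
$passwordSettings = 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
                    'MaximumPasswordAge', 'MinimumPasswordAge', 'ClearTextPassword'

$domain = Get-ADDomain
$dcOuPath = "$($domain.DNSRoot)/Domain Controllers"   # SOMPath form of the DC OU

# The policy domain accounts are actually subject to, regardless of OU GPOs.
"Effective domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold | Format-List

# Helper: read a child element by local name, ignoring report namespaces.
function Get-Child([System.Xml.XmlNode]$node, [string]$name) {
    $node.SelectSingleNode("*[local-name()='$name']").InnerText
}

foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Collect any Password Policy settings defined in this GPO.
    $found = foreach ($acct in $report.SelectNodes("//*[local-name()='Account']")) {
        $n = Get-Child $acct 'Name'
        if ($passwordSettings -contains $n) {
            $v = (Get-Child $acct 'SettingNumber') + (Get-Child $acct 'SettingBoolean')
            "$n=$v"
        }
    }
    if (-not $found) { continue }

    # Classify every link target; an unlinked GPO reports no LinksTo at all.
    $links = $report.SelectNodes("//*[local-name()='LinksTo']")
    if ($links.Count -eq 0) { "$($gpo.DisplayName): NOT LINKED ($($found -join ', '))"; continue }
    foreach ($link in $links) {
        $path = Get-Child $link 'SOMPath'
        $scope = if ($path -eq $domain.DNSRoot -or $path -eq $dcOuPath) {
            'reaches DCs -> domain accounts (subject to link order/precedence)'
        } else {
            'does NOT reach DCs -> local accounts of computers in this OU only'
        }
        "{0}`n    link: {1}`n    scope: {2}`n    settings: {3}" -f $gpo.DisplayName, $path, $scope, ($found -join ', ')
    }
}
```

Run it from a domain-joined admin session; any GPO reported as "does NOT reach DCs" is the situation the thread describes, where the OU-linked password settings silently fail to apply to domain users.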
Kurt Hill <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/12/2005 12:57 PM
You can link a GPO to an OU with a different set of password requirements than the domain policy -- you can block the OU from inheriting the Default Domain Policy as well, so AFAIK, you can have many OUs, each with different password complexity requirements (or more generally, each OU with its own computer/user GPO settings). The statement about "you certainly don't want policies attached to 2000 users" also makes no sense -- the GPO is created once, and "attaches itself" to the user or computer as appropriate for the OU...

And finally -- let me suggest that were I running Los Alamos, I would want my super-gee-whiz nuclear weapons researchers to have complex passwords. I WOULD NOT WANT THEM GOING TO A SECRETARY'S COMPUTER AND CHANGING THEIR PASSWORD TO "foo". Passwords are properties of a user, not a computer. Think about this another way -- it is the user that has rights to resources on the network. Those resources may be sensitive, so it really should not matter what computer the user is at when changing their password. That particular user's password should always be complex....