> of plans to allow setting password policies at the OU level

 

What would be the direction they’d go to implement this?  Since the setting is in the computer section of the GPO, it seems to offer all the functionality one should expect.  And in fact, it is applicable at the OU level and it applies to computers [1].  It seems that the major reason people want to be able to set the policy at the OU level is so that it applies to users.  The issue is that it’s a computer setting, not a user setting.  IMHO, the only way to allow different password policies for different users is to move the settings to the user section of the GPO.

 

[1] It confuses me somewhat why DCs insist on pulling this from DDP instead of just assembling the policy, like any other, from all applicable GPOs.  I assume it was done to avoid a situation where two DCs could have different policies applied to them and depending on what DC handled your password change, you would be subject to different rules.  If that’s the case, I can’t say I’m a big fan of illogical hacks to help out less-clueful admins.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 31, 2006 7:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Seperate Administrator password policy

 

Agree, a separate domain is certainly a very high price to pay – it’ll cause ongoing headaches with very little benefit.  Other companies add requirements for smartcard logons for Admins or also solve it via organizational rules as mentioned by ZV. 

 

I’ve heard of plans to allow setting password policies at the OU level for Longhorn AD, which is due out mid next year. This could be wishful thinking (has been a request for quite some time), but I hope they make it.

 

/Guido

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, August 31, 2006 2:39 PM
To: [email protected]
Subject: Re: [ActiveDir] Seperate Administrator password policy

 

Would it be easier just to ask them to use 15 characters?  Run a small script to check on the number of characters after the passwords have been changed. If under 15 then ask them to change it again.

-Z.V.

Almeida Pinto, Jorge de wrote:

third party software could be an option

for example: http://www.anixis.com/products/ppe/default.htm

 

jorge

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 14:15
To: [email protected]
Subject: [ActiveDir] Seperate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys. 

 

We are going to implement a mandatory 15 character password policy for all of our administrator accounts.  The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain.  I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain.  Can anyone think of another method of doing this?

 

 

Thanks,

 

Nate Bahta

 
