Stumper: Password policy on W2k3 Domain


Q
08-29-07, 03:30 PM
Is there a way to set password policy on a W2k3 domain so that you can have a different policy for your different OUs? Right now, with the new state security restrictions, we have to set a password policy globally that requires complex passwords, 90 day expirations, and a 15 min screen lock. For computer labs and Smart Classrooms, this is obviously a problem. We've searched high and low for a solution, but there seems to be no way to set the policy per OU. We could have a subdomain for the labs and classrooms, but we need them to be able to access the resources of the main domain. Ideally, we need the 15 min lockout and complexity requirements on most OUs with a much less restrictive policy on the labs and classrooms.

Pre-July 1st, we had a generic login for the labs with an easy password. We're working around this problem at this time. The classroom machines are joined to the domain, but also have a local login (which now needs to meet the global policy, as well) for them. We need to have domain access occasionally on these machines (it takes forever to build the profiles), but mainly we need a quick username and password for quick login to the machines... The OU-specific policy could really help us out.

Any ideas? Evilghost/evilchris... I'm looking at you two. :D


Edit: Is this more of a Windows problem or Networking? I forgot we had that nifty forum. ;)

Q
08-29-07, 09:03 PM
I've been doing some research, and it looks like it's just a lame limit of W2k3. There are some programs, such as this here...

https://www.anixis.com/store/buy.asp?product=PPE&upgrade=0&users=1100&Next.x=40&Next.y=14

But it's $2,000 for 1000 users. I don't think we have the budget for that. Some people claim to have limited success by writing their own password filters, but I need a 100% solution. I guess we may just have to wait until Server 08 gets released and stable...

evilghost
08-29-07, 09:27 PM
I wish I could help, I was going to say a per-OU GPO but it looks like it isn't possible. Unless you create your own change-password wrapper with proper sanitization it looks like you're stuck waiting for MS Bloatware 2008, featureless edition.

Q
08-29-07, 09:45 PM
> I wish I could help, I was going to say a per-OU GPO but it looks like it isn't possible. Unless you create your own change-password wrapper with proper sanitization it looks like you're stuck waiting for MS Bloatware 2008, featureless edition.

You know what.... they'll probably advertise this as a HUGE feature. Something that you should have been able to do in W2k server, but had to wait 10 GD years, 2 versions, and several thousand dollars for.

And where is King Microsoft, radekhulan? He is supposed to help me with this superior product! ;)

DiscipleDOC
08-30-07, 10:19 AM
Why not define different policies for different OUs?

Q
08-30-07, 11:06 AM
> Why not define different policies for different OUs?

W2k3 won't let you assign password policy by OU... at least not easily.

evilchris
08-30-07, 12:27 PM
It's domain level, sorry. Make 40 domains instead, lol

Q
08-30-07, 02:13 PM
> It's domain level, sorry. Make 40 domains instead, lol

Yeah, that's what I thought. We might make another two subdomains, then just have a script that maps the main domain resources. Of course, mapping domain resources via scripting is hit or miss at times.
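The Server 2008 direction the thread points at, as an added example that is not from any of the posters: fine-grained password policies (PSOs) let a relaxed policy be attached to a global security group holding the lab accounts while the Default Domain Policy stays strict for everyone else. Group, PSO and account names below are hypothetical, and the script assumes the ActiveDirectory PowerShell module and a domain functional level of at least Windows Server 2008.

```powershell
# Added example (not from the thread): a fine-grained password policy (PSO)
# that relaxes the domain-level rules for shared lab/classroom accounts.
# Requires the ActiveDirectory module and a Windows Server 2008 (or later)
# domain functional level. Group, PSO and account names are hypothetical.
Import-Module ActiveDirectory

$labGroup = 'Lab-Classroom-Accounts'   # hypothetical global security group

# Create the PSO. A lower precedence number wins when a user is covered by
# more than one PSO; LockoutThreshold 0 disables account lockout entirely.
New-ADFineGrainedPasswordPolicy -Name 'PSO-LabClassrooms' `
    -Precedence 10 `
    -ComplexityEnabled $false `
    -MinPasswordLength 6 `
    -MinPasswordAge '0.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -PasswordHistoryCount 3 `
    -LockoutThreshold 0 `
    -LockoutDuration '0.00:30:00' `
    -LockoutObservationWindow '0.00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'Relaxed policy for shared lab/classroom logins'

# PSOs apply to users and global security groups, not to OUs, so the lab
# accounts are collected in one group and the PSO is linked to that group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-LabClassrooms' -Subjects $labGroup

# Verify which policy an account actually gets. A lab account should resolve
# to the PSO; for an account with no PSO the cmdlet returns nothing, meaning
# the Default Domain Policy (shown second) still applies to it.
Get-ADUserResultantPasswordPolicy -Identity 'lab-login-01'   # hypothetical lab account
Get-ADUserResultantPasswordPolicy -Identity 'staff-user-01'  # hypothetical staff account
Get-ADDefaultDomainPasswordPolicy
```

The resultant-policy check is the part worth keeping in a scheduled audit, since an account accidentally added to the lab group silently inherits the weaker rules.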