Separate Password Policies Windows 2003 Domain?

cjthedj45, Member, Posts: 331
Hello All,

I was hoping for some help regarding an issue I'm facing in adding an additional password policy in Windows 2003. It would appear that this is not possible to do on a Windows 2003 domain. There are two accounts that have access to log on to the server, and domain admins can log on as well. We need to enforce a much stricter password policy on just a few servers that will be applied to the users (Administrators) logging on. I have done some reading and it seems Windows 2008 supports this but not Windows 2003. I was wondering if anyone knew of a tool or a workaround where we could enforce a separate password policy. Unfortunately, 2 factor authentication is not an option. I wish it was, as it would fix the issue. Any help is much appreciated.

Comments

  • Asif Dasl, Member, Posts: 2,116
    I think it's impossible with Server 2003; like you say, Server 2008 has the fine-grained password policy which would allow it. Server 2003 is at the end of extended support on 14th July 2015, so maybe that's when you will upgrade the domain.
  • cjthedj45, Member, Posts: 331
    Asif Dasl wrote: »
    I think it's impossible with Server 2003; like you say, Server 2008 has the fine-grained password policy which would allow it. Server 2003 is at the end of extended support on 14th July 2015, so maybe that's when you will upgrade the domain.

    Thanks Asif. Yes, it looks like it's not possible, so an upgrade might be our only option. I would be interested to hear from anyone else who has faced this and has any other suggestions. Perhaps there is a tool that sits on top of AD that can enforce this somehow?
  • DevilWAH, Member, Posts: 2,997
    Asif Dasl wrote: »
    I think it's impossible with Server 2003; like you say, Server 2008 has the fine-grained password policy which would allow it. Server 2003 is at the end of extended support on 14th July 2015, so maybe that's when you will upgrade the domain.

    Even 2008 does not have a simple way to manage this. It's possible to have multiple password policies, but it's not as simple as just creating multiple GPs. The basic reason is that the password policy is a computer policy, not a user policy, so it applies to all accounts created on the DCs.

    You have to create a password policy and then apply it as a property to a user or a group in AD.

    Windows Server 2008 - Fine Grained Password Policy Walkthrough - The Sean Blog - Site Home - TechNet Blogs

    And I only know this because this morning I got in and needed to create a user with a basic non-complex password that AD would accept under the default policy, and I had to figure out how to set it up, which I did about 30 minutes ago. :)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
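
The create-then-apply procedure described in the post above, sketched for the original poster's case of a stricter policy for a handful of administrators. This is an added example, not part of the thread or the linked walkthrough; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and a domain at the Windows Server 2008 functional level, and the group, policy and account names and the policy values are hypothetical.

```powershell
# Added example; group, policy and account names are hypothetical.
Import-Module ActiveDirectory

# Fine-grained password policies need the Windows Server 2008
# domain functional level or higher.
$mode = (Get-ADDomain).DomainMode
if ("$mode" -match '^Windows(2000|2003)') {
    throw "Domain functional level is $mode; fine-grained password policies are unavailable."
}

# A password settings object (PSO) can only target users and global
# security groups, not OUs, so the administrators go into a dedicated group.
$group = New-ADGroup -Name 'ServerAdmins-StrictPwd' -GroupScope Global `
    -GroupCategory Security -PassThru

# Constructed values for the stricter policy. A lower Precedence wins
# when more than one PSO applies to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServerAdmins-Strict' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# Link the policy to the group, then add the administrator accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServerAdmins-Strict' -Subjects $group
Add-ADGroupMember -Identity $group -Members 'adm.example1', 'adm.example2'

# Report which policy actually applies to each member. An empty result
# from the cmdlet means the account still uses the Default Domain Policy.
Get-ADGroupMember -Identity $group | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{
        User      = $_.SamAccountName
        Policy    = if ($pso) { $pso.Name } else { '(default domain policy)' }
        MinLength = if ($pso) { $pso.MinPasswordLength } else { $null }
    }
}
```

The length and complexity rules are only evaluated at the next password change, so existing passwords of the group members stay valid until then.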
  • cjthedj45, Member, Posts: 331
    DevilWAH wrote: »
    Even 2008 does not have a simple way to manage this. It's possible to have multiple password policies, but it's not as simple as just creating multiple GPs. The basic reason is that the password policy is a computer policy, not a user policy, so it applies to all accounts created on the DCs.

    You have to create a password policy and then apply it as a property to a user or a group in AD.

    Windows Server 2008 - Fine Grained Password Policy Walkthrough - The Sean Blog - Site Home - TechNet Blogs

    And I only know this because this morning I got in and needed to create a user with a basic non-complex password that AD would accept under the default policy, and I had to figure out how to set it up, which I did about 30 minutes ago. :)

    Ah! Thanks Devilwah. Does this mean then that there are no real options for creating a separate password policy in a Windows 2003 domain? No one knows of any software that could perhaps do this? I suppose we could upgrade the Domain Controllers, but this would be a bit of a project I guess. If anyone knows of any other solutions then please let me know. Devilwah, looks like I asked the question at the right time if you only did it 30 minutes ago. Thanks again.
  • DevilWAH, Member, Posts: 2,997
    From everything I have read this morning, you require 2008 and later to do it. I also found that even once set up, you have to create the user with a complex password that meets the default domain policy, then apply your new password policy, and then change the password to what you want.

    So OK for me where I just need a simple password for an account for phones to use for authentication, but it would be a bit of a nightmare to manage multiple policies and users.
  • cjthedj45, Member, Posts: 331
    DevilWAH wrote: »
    From everything I have read this morning, you require 2008 and later to do it. I also found that even once set up, you have to create the user with a complex password that meets the default domain policy, then apply your new password policy, and then change the password to what you want.

    So OK for me where I just need a simple password for an account for phones to use for authentication, but it would be a bit of a nightmare to manage multiple policies and users.

    Cheers Devilwah. It's just for about 10 servers that need enhanced security and about 10 or 11 users. I can't find any other solution, so it could be a 2008 upgrade or a network re-design; the latter will be tough with the deadlines we have. Thanks again.
  • RomBUS, Member, Posts: 699
    The only way in a 2003 environment is to create a separate domain for each password policy you would like to implement. In your case, only moving those 10-11 people into the new domain and creating a stricter password policy there. This is also a wild idea but it would work.
  • cjthedj45, Member, Posts: 331
    RomBUS wrote: »
    The only way in a 2003 environment is to create a separate domain for each password policy you would like to implement. In your case, only moving those 10-11 people into the new domain and creating a stricter password policy there. This is also a wild idea but it would work.

    Thanks Rombus, this is turning out to be a right brain ache. I'm going to have to scrap the password complexity and try and find a vendor that supports two factor for Windows 2000!!!
  • netsysllc, Member, Posts: 479
    No matter which way you turn, you are going to hit walls trying to support such old products. Creating a second domain is going to be your best bet if you want more security.