Password policies in a domain

dabve3dabve3 Member Posts: 77 ■■□□□□□□□□
I am wondering if there is anyway to have more than one password policy in a domain. I have looked at Microsoft's website and it says that it must be linked to the domain to affect the domain accounts.


I would like to have two different minimum password lengths for the domain.
Any suggestions would be appreciated.

Comments

  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Only way possible to have 2 different domain password policies is to create a different domain. Domain machines are forced to look at the default domain policy for password policy. If you put a password policy in an OU, it will use that password policy for local SAM user accounts.

    The password policy is not the only policy that is forced to be read from the default domain policy. All the Security Option settings are. Password Policy, Account Lockout Policy, as well as the Kerberos Policy only apply at the Default Domain Policy level.


    http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch03.mspx
    Account Policies

    Account policies, which include password policy, account lockout policy, and Kerberos policy security settings, are only relevant in the domain policy for all three environments that are defined in this guide. Password policy provides a way to set complexity and change schedules for high security environments. Account lockout policy allows tracking of unsuccessful password logon attempts to initiate account lockouts if necessary. Kerberos policies are used for domain user accounts, and determine settings that relate to the Kerberos authentication protocol, such as ticket lifetimes and enforcement.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ICRoyal is correct. Here is a link that says what he said:

    http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch02n.mspx
    Account Policies
    There are three different types of Account policies: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Microsoft Windows Server™ 2003 domain may have one of each of these policies. If these policies are set at any other level in Active Directory, only local accounts on member servers will be affected.

    Note: For domain accounts, there can be only one Account policy per domain. The Account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the Account policy from the root of the domain, even if there is a different Account policy applied to the OU that contains the domain controller.

    I added the bold text for emphasis.

    EDIT - Hey, you added that link while I was typing icroyal! icon_lol.gif
    I have GOT to learn to type faster!
    All things are possible, only believe.
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    To put it another way, domain are what NT and newer OSes use as a security boundary for accounts. Accounts with like security requirements are placed within the same domain.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • dabve3dabve3 Member Posts: 77 ■■□□□□□□□□
    Ok thanks guys I didn't think there was a way around it. Thanks for the info.
Sign In or Register to comment.