Password policies in a domain

I am wondering if there is anyway to have more than one password policy in a domain. I have looked at Microsoft's website and it says that it must be linked to the domain to affect the domain accounts.

I would like to have two different minimum password lengths for the domain.
Any suggestions would be appreciated.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

royal

Only way possible to have 2 different domain password policies is to create a different domain. Domain machines are forced to look at the default domain policy for password policy. If you put a password policy in an OU, it will use that password policy for local SAM user accounts.

The password policy is not the only policy that is forced to be read from the default domain policy. All the Security Option settings are. Password Policy, Account Lockout Policy, as well as the Kerberos Policy only apply at the Default Domain Policy level.

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch03.mspx

Account Policies

Account policies, which include password policy, account lockout policy, and Kerberos policy security settings, are only relevant in the domain policy for all three environments that are defined in this guide. Password policy provides a way to set complexity and change schedules for high security environments. Account lockout policy allows tracking of unsuccessful password logon attempts to initiate account lockouts if necessary. Kerberos policies are used for domain user accounts, and determine settings that relate to the Kerberos authentication protocol, such as ticket lifetimes and enforcement.

sprkymrk

ICRoyal is correct. Here is a link that says what he said:

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch02n.mspx

Account Policies
There are three different types of Account policies: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Microsoft Windows Server™ 2003 domain may have one of each of these policies. If these policies are set at any other level in Active Directory, only local accounts on member servers will be affected.

Note: For domain accounts, there can be only one Account policy per domain. The Account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the Account policy from the root of the domain, even if there is a different Account policy applied to the OU that contains the domain controller.

I added the bold text for emphasis.

EDIT - Hey, you added that link while I was typing icroyal!

I have GOT to learn to type faster!

blargoe

To put it another way, domain are what NT and newer OSes use as a security boundary for accounts. Accounts with like security requirements are placed within the same domain.

dabve3

Ok thanks guys I didn't think there was a way around it. Thanks for the info.