Dear Colleagues:

With Windows NT networks (and I believe 2000 as well), I was unable to set
up a stronger password policy for certain groups.

My desired result is to put a stronger password policy on one group, but a
weaker one on another. Specifically, password complexity rules.

Is this possible with Windows 2003 active directory enabled networks and
those that have 2000 servers in the mix?

Thanks,

CC

Re: 2003 AD networks security question by Miha

Miha
Wed Apr 27 02:45:11 CDT 2005

Hi,

Unfortunately there can only be one account (password) policy in a domain. If
you need stronger passwords for one group of users, you would have to move
these users to e.g. a child domain and assign stronger password requirements
on this child domain.

If you really think about it, it wouldn't make much sense to have very
secure passwords and not so secure passwords in the same domain. It would be
like a house that has half of the windows with bulletproof glass installed and
the other half of the windows with ordinary glass. Those bulletproof windows
wouldn't contribute much to the security of the house...

--
Mike
Microsoft MVP - Windows Security



Re: 2003 AD networks security question by Roger

Roger
Wed Apr 27 02:59:36 CDT 2005

Or, as posted in response to other thread, use smart cards for some,
or get and use a custom password filter dll.

In the future you might want to consider cross-posting when it is
appropriate (by sending one post to multiple newsgroups) rather
than multi-posting (separate posts to each newsgroup).
Use of cross-posting keeps all responses in a single thread.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
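
Added example, not part of Roger's post or any vendor code: a portable C sketch of the per-group decision a custom password filter DLL could make, with the domain policy left at the weaker baseline and the filter adding requirements for staff only. On Windows this logic would sit behind the DLL's PasswordFilter export and take UNICODE_STRING arguments; the tier names, the thresholds and the "t-" account prefix used to tell staff from students are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tiers and constructed thresholds. The domain policy stays at
   the weaker baseline; the filter only adds requirements for staff. */
typedef enum { TIER_STUDENT, TIER_STAFF } tier_t;
typedef struct { size_t min_len; int min_classes; } rule_t;

static const rule_t RULES[] = {
    [TIER_STUDENT] = { 6, 1 },
    [TIER_STAFF]   = { 12, 3 },
};

/* Assumption: staff accounts are named with a "t-" prefix. A deployed filter
   would look up the account's group membership instead. */
tier_t tier_for_account(const char *account) {
    return strncmp(account, "t-", 2) == 0 ? TIER_STAFF : TIER_STUDENT;
}

/* Number of character classes used: lower, upper, digit, other. */
int char_classes(const char *pw) {
    bool lo = false, up = false, di = false, ot = false;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lo = true;
        else if (isupper(*p)) up = true;
        else if (isdigit(*p)) di = true;
        else ot = true;
    }
    return lo + up + di + ot;
}

/* The accept/reject decision a PasswordFilter export would return to LSA.
   The candidate password is never logged or stored. */
bool filter_accepts(const char *account, const char *password) {
    const rule_t *r = &RULES[tier_for_account(account)];
    return strlen(password) >= r->min_len
        && char_classes(password) >= r->min_classes;
}

int main(void) {
    /* Constructed sample accounts and passwords. */
    printf("student/kitten: %d\n", filter_accepts("anna", "kitten"));
    printf("staff/kitten: %d\n", filter_accepts("t-jsmith", "kitten"));
    printf("staff/Blue-Harbor-42x: %d\n", filter_accepts("t-jsmith", "Blue-Harbor-42x"));
    return 0;
}
```

A filter of this kind has to be installed on every domain controller that can process a password change, otherwise the stricter tier is only enforced some of the time.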



Re: 2003 AD networks security question by Curious

Curious
Wed Apr 27 05:01:15 CDT 2005

Dear Roger and Mike:

Actually it's for a school. The tiny kids can't remember passwords that are
too complex and the teachers need to have strong password policies and
changes because they are boneheads.

In terms of the cross posting, when I do so I always get somebody who
admonishes me for having done so. . . oh you can't win with some people!

CC



Re: 2003 AD networks security question by Torgeir

Torgeir
Wed Apr 27 07:51:38 CDT 2005

Curious George's Twin wrote:

> (snip)
> In terms of the cross posting, when I do so I always get somebody who
> admonishes me for having done so. . . oh you can't win with some people!
>
Hi,

Yeah, but it is much better to crosspost than to multipost:

What is the accepted way to share a message across multiple newsgroups?
http://smjg.port5.com/faqs/usenet/xpost.html

and

Multiposting vs Crossposting
http://www.blakjak.demon.co.uk/mul_crss.htm

and

Please don't multi-post.
http://www.aspfaq.com/etiquette.asp?id=5003



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Re: 2003 AD networks security question by Roger

Roger
Wed Apr 27 09:31:14 CDT 2005

"Curious George's Twin" <shaggy@whoamitoday.net> wrote in message
news:kkJbe.18178$RP1.10649@fe10.lga...
> Dear Roger and Mike:
>
> Actually it's for a school. The tiny kids can't remember passwords that
> are too complex and the teachers need to have strong password policies and
> changes because they are boneheads.
>
> In terms of the cross posting, when I do so I always get somebody who
> admonishes me for having done so. . . oh you can't win with some people!
>


Yeah, quite the world we have ;-)
X-post is just fine when there are multiple, reasonable targets.
As I see it, with some people's sense of etiquette to the wind,
an x-post never hurts any more than an off-topic post does.
Multi-posts, however, just suck. They fragment the responses
and incur bandwidth consumption, which in some parts of the
world is paid for by the byte transmitted.

--
Roger



Re: 2003 AD networks security question by Steve

Steve
Thu Apr 28 17:59:18 CDT 2005

I've seen schools use separate domains for teachers and students for this
very reason.

I've also seen the application of IPsec policy made because of that decision
as well.

I wouldn't be afraid to do the 2 domain thing, unless you have limiting
factors that exclude that as an option. If you must run one domain, then
you will compromise because you have to account for the "lowest common
denominator" in terms of password complexity. This of course, reduces your
security posture but keeps user sat high. :)