Domain-wide password, account lockout and kerberos policies can only be
set at the domain level. Password policies linked at the OU level are
applied to the users configured on the local machine and are ignored
when the users logs in with a domain account.
-John
-----Original Message-----
From: Mike [mailto:mike_sha@shaw.ca]
Sent: Monday, February 07, 2005 12:29 PM
To: William Stegman; focus-ms@securityfocus.com
Subject: RE: active directory password policy
Could you put them in a different OU with it's own GP that has looser
policies on password security?
Mike Fetherston
-----Original Message-----
From: William Stegman [mailto:stegmanw@comcast.net]
Sent: Friday, February 04, 2005 5:10 PM
To: focus-ms@securityfocus.com
Subject: active directory password policy
Does anyone have any experience with remote users who do not login to
the domain on a regular basis or at all, and have a password
expiration
policy in effect? We can't seem to come up with a good plan to handle
these users. They only occassionally access domain resources such as
webmail via the Internet or an internal website to do timesheets via
vpn, and will not have the luxury of logging on to a machine connected
to our LAN and getting the warning about soon to expire passwords. If
our policy dictates passwords expire every 90 days, how can we avoid
the
inevitable calls regarding password resets?
thx
/William Stegman - Network Administrator///
TransCore - Hummelstownd
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
