Domain Wide Password policies cannot be blocked by OU Policies. With
that in mind you should look at creating an OU and setting up a GPO with
Password Policies there rather than on the top level domain. Drop your
service accounts into the OU and they will take on the the applied GPO.
Because you have no other password policy set on the top level domain
name, your "other" users will be unaffected.
I believe that should do it. But then again. I haven't tested it or
ever implemented it to confirm. Check it out.
JMB
=| -----Original Message-----
=| From: Derick Anderson [mailto:danderson@vikus.com]
=| Sent: Wednesday, August 31, 2005 7:32 AM
=| To: focus-ms@securityfocus.com
=| Subject: Group Policy: multiple password policies in
=| the same domain?
=|
=| I'm trying to lock down some domain "service"
=| accounts (backup, Exchange, SQL Server, Scheduled
=| Tasks, etc.) where I work. We're an application
=| service provider (web-based) and we have only one
=| domain at the moment (sigh), shared by our production
=| servers (big sigh) on the same physical network (very
=| big sigh). Our web application must run as a domain
=| account (throws up hands in exasperation).
=|
=| Splitting the domain into production and
=| non-production is in the works but will realistically
=| be at least a couple months away. In the mean time
=| I'm trying to enforce stronger passwords for service
=| accounts like those I mentioned above but I'm having
=| problems using Group Policy to specify that service
=| accounts have a certain password policy while regular
=| users have another. I believe the problem is that
=| password policies are computer based instead of user
=| based, so I can't specify that specific users have
=| one set of password policies while others have a
=| different one.
=|
=| Would applying the policy to a specific set of
=| computers affect only the local accounts on those
=| computers, or the entire domain? My theory is that
=| only the password policy on the domain controllers
=| would affect domain passwords, but I'd love to hear
=| differently.
=|
=| Any help would be appreciated.
=|
=| Thanks,
=|
=| Derick Anderson
=|
=| ------------------------------------------------------
---------------------
=| ------------------------------------------------------
---------------------
=|
=|
---------------------------------------------------------------------------
---------------------------------------------------------------------------
