
| Subject: | RE: Group Policy: multiple password policies in the same domain? |
|---|---|
| Date: | Wed, 31 Aug 2005 10:47:49 -0400 |
-----Original Message-----
From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
Sent: Wednesday, August 31, 2005 10:26 AM
To: Derick Anderson; focus-ms@securityfocus.com
Subject: RE: Group Policy: multiple password policies in the same domain?

Domain Wide Password policies cannot be blocked by OU Policies. With that in mind you should look at creating an OU and setting up a GPO with Password Policies there rather than on the top level domain. Drop your service accounts into the OU and they will take on the applied GPO. Because you have no other password policy set on the top level domain name, your "other" users will be unaffected.

I believe that should do it. But then again, I haven't tested it or ever implemented it to confirm. Check it out.

JMB

I've tried this and the end result is that the policy is undefined. Someone else mentioned that it would only affect local accounts (local security policy overridden by Group Policy). Since domain controllers have no local accounts, it would make sense (unfortunately for me) that whatever password policy the domain controllers were given would determine the domain password policy. The service accounts I want to harden are domain accounts, not local ones. I can't use local accounts because some of them must transfer data from one machine to the other.

I've tried using Group Policy modeling with security filtering (i.e., apply only to 'service accounts' group), and that is not applied. If I add 'Domain Computers' to that list then it applies but conflicts with the domain password policy and nothing is set. I don't understand how applying it to specific servers will affect domain user accounts but that is one thing I have yet to try.

Also thanks to those people who've mailed me off-list for your replies.

Derick Anderson