Set up user group with different password rules
-
Saturday, March 23, 2013 12:52 AM
I work for a school district using Windows 2008 server. I am not the network manager, just a teacher of kindergarten and 1st grade students. I have been unsuccessful in having our network people create a separate user group on our network with much simpler password rules just for my little students. I have these questions: How difficult is it to create a separate user group as I've described? Can we make very simple password requirements, for example 2-character user names and 3-character passwords? No upper case or symbols. Is there a minimum number of characters? Can you point me to directions or support materials I can show our network people, as they seem to need assistance with this. Thank you.
All Replies
-
Saturday, March 23, 2013 1:36 AM Moderator
Fine-Grained Password Policies is the solution.
Please refer to the links mentioned below:
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
Granular Password Policies Video
To use Fine-Grained Password Policies, you should have Domain Controllers running on WS 2008, WS 2008 R2 or WS 2012. If DCs are still on WS 2003, they need to be upgraded at least to WS 2008.
Fine-Grained Password Policy requirements
HTH
Regards, Santosh
I do not represent the organisation I work for, all the opinions expressed here are my own.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
- Proposed As Answer by Chris DeCarlo Saturday, March 23, 2013 3:04 AM
- Marked As Answer by Santosh BhandarkarMicrosoft Community Contributor, Moderator Monday, April 01, 2013 2:53 AM
-
Saturday, March 23, 2013 4:26 AM
Hello,
Your IT department may be playing dumb because they may be disinclined to set up 2-character user names with 3-character passwords; from a security standpoint, it's a really bad idea. If the fecal matter collides with the thermantidote because of it, the IT dept. will ultimately bear the blame.
-
Saturday, March 23, 2013 5:35 AM
But these are 5 and 6 year old children who do not pose a security threat. They do not email or download anything. They are thoroughly supervised at all times. They need the network purely to save files and for me to be able to access them easily to print and share documents with everyone in the class. But just to confirm, it IS possible to do what I'm asking, yes?
- Edited by janeinpa Saturday, March 23, 2013 8:50 PM
-
Saturday, March 23, 2013 5:37 AM
Thank you so much. Is the process difficult? It would involve about 20 accounts.
-
Saturday, March 23, 2013 6:33 AM
Hi Jane, yes, it's completely possible, from a technical perspective. It will likely challenge a few IT people, and perhaps some policy-makers, and there may be some other configurations/restrictions to discuss (to minimise the attack surface of computers configured in this way).
The education sector often has some interesting challenges (when compared to corporate/enterprise/business/home scenarios) - some institutions use kiosk-style setups, which provide less-complex user setups, but are more "disposable" (e.g. they might refresh/reimage the computer on a daily basis, or even in between each user-session).
There are also education-focused IT support communities (like edugeek.net) which have like-minded education-environment IT people collaborating and assisting each other, which may be useful for you (or your IT area) to consider.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
- Proposed As Answer by Prakash Nimmala Saturday, March 23, 2013 11:32 AM
- Marked As Answer by Santosh BhandarkarMicrosoft Community Contributor, Moderator Monday, April 01, 2013 2:53 AM
-
Saturday, March 23, 2013 7:39 AM Moderator
I am in agreement with this.
Regards, Santosh
-
Saturday, March 23, 2013 3:05 PM
I used to support private elementary schools. Before Windows Server 2008 we had to have one password and account lockout policy for the entire domain. To accommodate pre-school and kindergarten kids taking keyboarding classes, we had very simple policies that applied to everyone. As I recall, our min password length was 5, no complexity, no password history, no lockout (or class would be interrupted by pranksters). Passwords did not expire for younger grades (or was it all grades). The username was the student's name (we expected them to be able to key in their name), and the password may have been the same. Minimum password length can be as low as 1, but I would suggest at least 4 or 5. Usernames can be as few as 1 character, but again I would suggest at least 4 or 5 (and they should be unique). Of course this is terrible for security. We also had to re-image all computers every year or semester because of the things the students would try to get away with.
With fine-grained password policies, which can be applied to groups, things are much improved. Just make sure no one has admin privileges anywhere, except a few adult admins.
We had one group for each grade, but we named the group after the year of graduation, so there was no need to reconfigure all groups during the summer. A student remained in Class2015 until they graduated, unless they failed to advance. I think we changed the description of the group each year to match the grade.
Richard Mueller - MVP Directory Services
- Marked As Answer by Santosh BhandarkarMicrosoft Community Contributor, Moderator Monday, April 01, 2013 2:53 AM
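An added example, not part of any post in this thread: creating a fine-grained password policy (PSO) with the settings described in the reply above, linking it to a per-class group, and checking that no member holds admin rights. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT); the group, policy and OU names are hypothetical.

```powershell
# Needs the ActiveDirectory module and a domain functional level of
# Windows Server 2008 or higher. Run as a domain administrator.
Import-Module ActiveDirectory

# Hypothetical names: replace with values from your own domain.
$groupName  = 'Class2025'
$policyName = 'PSO-Class2025'
$groupPath  = 'OU=Students,DC=school,DC=example'

# PSOs are linked to users or global security groups, never to OUs.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global `
        -GroupCategory Security -Path $groupPath
}

# Settings from the reply above: length 5, no complexity, no history,
# no lockout. Password age is left at the cmdlet defaults.
# Precedence: when several PSOs reach one user, the lowest number wins.
New-ADFineGrainedPasswordPolicy -Name $policyName `
    -Precedence 100 `
    -MinPasswordLength 5 `
    -ComplexityEnabled $false `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 0 `
    -LockoutThreshold 0

Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Audit: every member must get this PSO, and none may be privileged.
# adminCount = 1 marks accounts that are or were in a protected admin group.
$members = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.distinguishedName -Properties adminCount
    if ($user.adminCount -eq 1) {
        Write-Warning "$($user.SamAccountName): privileged account under the relaxed policy"
    }
    # Returns nothing when only the default domain policy applies.
    $effective = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($effective.Name -ne $policyName) {
        Write-Warning "$($user.SamAccountName): effective policy is not $policyName"
    }
}
```

On Windows Server 2008 without the module, the same PSO attributes are set by hand in ADSI Edit, as the linked TechNet guide describes.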
-
Saturday, March 23, 2013 8:48 PM
Thank you so much, everyone. We do have unique challenges as compared to the business world. The simple passwords I need would apply only to about 360 kids in our school district. Many of them are just learning their letters or still get mixed up between B's and D's, etc. Just so I understand the security implications, what might go wrong? They will not do email or download anything. They only go to websites I specifically direct them to. They do not have unsupervised time to do anything else. And they're 5 and 6 years old. We do not have any older children in our building who could access the computers. The children log in and out for each class period.
-
Sunday, March 24, 2013 10:48 AM
Hello janeinpa,
Yes, you can do this, but a bit of groundwork is needed to achieve it successfully.
Windows Server 2008 has included a feature called fine-grained password policies, which allows you to assign separate password policies. However, it's not done by group policy. The fine-grained password policies are configured using ADSIEdit.
In Windows Server 2008, you can use fine-grained password policies to apply different password restrictions and account lockout policies to different sets of users within a single domain.
Here is the step-by-step guide which lets you create a custom password policy for your needs.
Based on your requirement, please set the appropriate Password Age, Password Length, etc.
Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
Regards, Prakash Nimmala Skype : Prakash.Nimmala Email ID : prakash.nimmala@hotmail.com
- Edited by Prakash Nimmala Sunday, March 24, 2013 10:50 AM

