none
Local Security - Password Policy Server 2012 Standard

    Question

  • Hi

    I have a 2012 server that is only accessible from within the building, it can not be accessed through the net via user log ins or remote desktop etc.

    I want to change the password policy, on it so that I don;t have to change the admin or user passwords every 42 days, and I also don;t want it to remember password history for 24 password changes.

    I am logged in to the server as Administrator
    I went in to local security settings and found the policy, double clicked on the items to change and the change options were greyed out.
    I thought maybe I need to run it as Administrator, so I ran the Local Security as Administrator, and still as i navigated to the options when double clicking on them they were greyed out.

    Where do I need to go to change these two settings? I want to set the days to change to 0 for no requirement to change and the password history

    Thanks

    Tris

    Saturday, January 19, 2013 4:32 PM

Answers

  • There is no Local policy on a domain controller, just as there is not non-domain administrator on a domain controller.  It's the heart of the security system, so it doesn't make sense to set up 'back doors' that could be more easily exploited.

    In Server Manager, select the Local Server.  Click Tools in the menu bar.  Select Group Policy Management.  Expand the tree until you see your domain.

    Right-click on the domain and select Create a new policy and link it here.  Give it whatever name you want.  Right-click on the newly created policy and select Edit.

    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.  Make whatever changes you want.


    .:|:.:|:. tim

    Tuesday, January 22, 2013 11:53 PM
  • On the same line, just edit the default domain controller policy to reflect the changes you want in

    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy


    Group Policy Managment
    Thursday, January 24, 2013 4:11 AM

All replies

  • Is this a domain joined server or is it in its own workgroup?

    .:|:.:|:. tim

    Saturday, January 19, 2013 8:26 PM
  • Sorry yes

    This is a Domain Server, it is the PDC, as there is only 1 server in the network

    Tris

    Saturday, January 19, 2013 8:56 PM
  • Hi,

    As far as I know, each domain could only have one password policy defined in default domain policy.

    If you want to set other kind of password settings to some users, we could use Fine-Grained Password:

    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

    In windows 2012, we could use ADAC to manage FGPP more efficiently,

    Fine-Grained Password Policy in Windows Server 2012

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Tuesday, January 22, 2013 6:17 AM
  • Hi sorry, I don;t think it is as anything as complicated as that, I don't think I have explained myself.

    Ok. I have 1 server 2012, that is it. There is absolutely nothing joined to the server. (no PC's etc)

    The server is a domain controller, and it is also a PDC

    The main purpose of the server is an internal file server

    There are 3 user accounts

    The Workgroup PC's connect to the server through the shared folders and enter their usernames and passwords upon connecting to the \\server (from their desktop workgroup PC)

    When I last remote desktop'd in as Administrator I was asked to change my password

    The current password policy (default) on Server 2012 is;
    Change Password ever 42 days
    Remember last 24 passwords used
    Must use upper/lower and numbers
    etc.

    I want to change this password policy on this 1 and only server (as there is nothing else in the domain, there is nothing to be affected by it)

    I ran from the Server Tasks, Local Security and I found the policy in there detailing the 42 days and 24 history. I double clicked on each one to bring up the properties, and the box to change the number was greyed out, so I couldn't change it.

    I want to change the password policy to;
    Change Password every 0 days (so it never forces a password change)
    Remember last 0 passwords

    I know this is not an ideal situation, but nothing outside of my network can access this, and there is a specific reason I want to make these changes to this server - (So please don;t tell me about the security risks of not enforcing password changes, I am aware of those.... if I know how to make the change in the first place I can then revise the policies at a later date - when the Desktop PC's are joined to the domain)

    So how do I change the Password Policy on Server 2012 - is it a different menu? is it under Group Policies? etc

    Thanks

    Tristan

    Tuesday, January 22, 2013 3:07 PM
  • Ooooh just as a final point, I don;t want different policies for different users. I just want one policy of

    Password change 0 days

    Password remember 0 history

    I want this for the Administrator and the only 3 users on this server (the only server in the network and the only computer on the domain)

    Thanks


    Tris

    Tuesday, January 22, 2013 3:09 PM
  • There is no Local policy on a domain controller, just as there is not non-domain administrator on a domain controller.  It's the heart of the security system, so it doesn't make sense to set up 'back doors' that could be more easily exploited.

    In Server Manager, select the Local Server.  Click Tools in the menu bar.  Select Group Policy Management.  Expand the tree until you see your domain.

    Right-click on the domain and select Create a new policy and link it here.  Give it whatever name you want.  Right-click on the newly created policy and select Edit.

    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.  Make whatever changes you want.


    .:|:.:|:. tim

    Tuesday, January 22, 2013 11:53 PM
  • On the same line, just edit the default domain controller policy to reflect the changes you want in

    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy


    Group Policy Managment
    Thursday, January 24, 2013 4:11 AM