Dedicated password policy process for domain admin accounts

  • Question

  • Looking for a process to ensure that domain admin accounts have a tighter password policy than regular domain accounts, in particular the frequency of change. Need to ensure that passwords are changed within a set time.

    Unfortunately this is a 2003 domain, so we cannot make use of the 2008 fine grained password policies.

    Any robust suggestions?

    Thursday, April 19, 2012 5:42 AM

Answers

  • Hi,

    It's possible in Windows 2008 Server but not in Windows 2003 Server. By default Windows 2003 can have only one password policy per domain, and if you want your users to get a different one then upgrade to Windows 2008. You would need to create additional domains and then set a different password policy per domain. Password policies in W2K3 set at the OU level only affect local user accounts.

    Otherwise you can try using third-party apps like Specops. Unfortunately I don't know or have any experience of 3rd-party apps for 2003.


    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    • Marked as answer by 朱鸿文 Monday, April 23, 2012 2:34 AM
    Thursday, April 19, 2012 5:48 AM
  • You are correct. To use Fine Grained Password Policies your domain functional level should be Windows Server 2008 or higher. As you are still in a Windows Server 2003 domain, it is not possible to use Fine Grained Password Policy.

    By default there is no inbuilt tool to apply a separate policy for a particular user account or group.

    So the option left for you is to change the Default Domain Policy where the password policy is defined, or to use 3rd-party tools to accomplish this (Specops Password Policy).

    http://www.specopssoft.com/documentation/specops-password-policy-documentation

    Refer to the thread below, which discusses this in detail:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e3ec0602-3d87-424c-bf10-3498746ceeb8/

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights. Email-giteepag@yahoo.co.in

    • Proposed as answer by 朱鸿文 Thursday, April 19, 2012 6:59 AM
    • Marked as answer by 朱鸿文 Monday, April 23, 2012 2:34 AM
    Thursday, April 19, 2012 5:53 AM
  • I think there is a misunderstanding: when I said low password change policy I was referring to the passwords being changed more frequently, for example every 2 weeks, rather than what is set for normal users, which is considerably longer.

    Hello,

    there is still no way to change this without 3rd party tools.

    What you can do is run a script from a scheduled task that queries AD for the specific user accounts and requires them to reset the password. But this is different from the topic you started with, having additional policies.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by 朱鸿文 Monday, April 23, 2012 2:35 AM
    Thursday, April 19, 2012 12:31 PM
  • As Meinolf suggests, you may use a script for the same. However, for better assistance related to scripting, refer to the scripting forum. Below is the link for the same.

    http://social.technet.microsoft.com/Forums/en/winserverpowershell/threads

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Edited by Sandesh Dubey Thursday, April 19, 2012 1:48 PM
    • Marked as answer by 朱鸿文 Monday, April 23, 2012 2:35 AM
    Thursday, April 19, 2012 1:48 PM
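    Meinolf's scheduled-task suggestion and Sandesh's pointer to the scripting forum describe the approach but give no script. The following is an added example, not code posted in this thread and not a Microsoft tool: it queries the direct members of Domain Admins, reports each account whose pwdLastSet is older than the maximum age, and, only when run with -Enforce, sets pwdLastSet to 0, which is how Active Directory records "user must change password at next logon". It uses ADSI and System.DirectoryServices only, so it does not need the ActiveDirectory module that a Windows Server 2003 domain lacks. Assumptions, constructed for the example: a 14-day maximum age taken from the "every 2 weeks" figure above, the Domain Admins group in its default CN=Users container, and a task account permitted to write pwdLastSet on the admin accounts.

```powershell
# Added example, not code from this thread. Enforce a shorter maximum
# password age for Domain Admins on a Windows 2003 domain, where fine-grained
# password policies are not available. ADSI only, so no ActiveDirectory module.
# Run it from a scheduled task; without -Enforce it only reports.
param(
    [int]    $MaxAgeDays = 14,   # assumption: the "every 2 weeks" figure from the thread
    [switch] $Enforce            # assumption: report-only unless explicitly asked to act
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$groupDn  = "CN=Domain Admins,CN=Users,$domainDn"   # assumption: group in default container

# Direct members only. Nested groups would need a second pass or the
# LDAP_MATCHING_RULE_IN_CHAIN operator (Windows Server 2003 SP2 and later).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(memberOf=$groupDn))"
$searcher.PageSize   = 500
$null = $searcher.PropertiesToLoad.Add("sAMAccountName")
$null = $searcher.PropertiesToLoad.Add("pwdLastSet")
$null = $searcher.PropertiesToLoad.Add("userAccountControl")

$DONT_EXPIRE_PASSWORD = 0x10000                       # userAccountControl flag
$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-$MaxAgeDays)

$results = $searcher.FindAll()
foreach ($r in $results) {
    $sam = [string]$r.Properties["samaccountname"][0]
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    $pls = [long]$r.Properties["pwdlastset"][0]       # FILETIME, 0 = must change at next logon

    # An account with "password never expires" set defeats any age rule; report it.
    if ($uac -band $DONT_EXPIRE_PASSWORD) {
        Write-Warning "$sam has 'password never expires' set; clear it before an age rule can apply."
        continue
    }
    if ($pls -eq 0) {
        Write-Output "$sam : already flagged to change password at next logon"
        continue
    }

    $lastSet = [DateTime]::FromFileTimeUtc($pls)
    $ageDays = [int]($nowUtc - $lastSet).TotalDays
    if ($lastSet -ge $cutoff) {
        Write-Output "$sam : OK, last set $($lastSet.ToString('u')) ($ageDays days)"
        continue
    }

    if ($Enforce) {
        # pwdLastSet = 0 is the directory attribute behind "user must change password at next logon".
        $user = [ADSI]$r.Path
        $user.Put("pwdLastSet", 0)
        $user.SetInfo()
        Write-Output "$sam : age $ageDays days > $MaxAgeDays, change forced at next logon"
    } else {
        Write-Output "$sam : age $ageDays days > $MaxAgeDays (report only; rerun with -Enforce)"
    }
}
$results.Dispose()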

All replies

  • In your case with W2K3, the only solution is to buy third-party software.

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------

    "ITForum2012" wrote in message news:0fc8e7f6-0fa6-4902-a993-54bed9c15439@communitybridge.codeplex.com...

    Looking for a process to ensure that domain admin accounts have a tighter password policy than regular domain accounts, in particular the frequency of change. Need to ensure that passwords are changed within a set time.

    Unfortunately this is a 2003 domain, so we cannot make use of the 2008 fine grained password policies.

    Any robust suggestions?


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Thursday, April 19, 2012 6:26 AM
    Moderator
  • Why not enforce password complexity for all, because it will provide more security against password guessers and hackers, to avoid dictionary attacks. Also, with monitoring in place things can be more stable. I wouldn't invest money in a 3rd-party solution and would plan to upgrade my system to Windows 2008 at least, because of the improvements and enhancements it has. Since Windows 8 beta is already released, I would plan to upgrade my infra rather than invest money in 3rd-party software.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, April 19, 2012 7:19 AM
    Moderator
  • Hello,

    With domains having DFL Windows Server 2008 and higher you can use Fine Grained Password Policies, as you already know; with lower OS versions no built-in option from Microsoft exists. You may find some 3rd-party tools for this.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, April 19, 2012 8:43 AM
  • We are looking for a very low password change policy for the domain admins, which would not be practical for normal users. Are there any custom scripts which anyone has already developed which could be run on a regular basis to do the change, rather than investing in a 3rd-party tool? This is a temporary solution until we migrate to 2008.
    Thursday, April 19, 2012 9:20 AM
  • I don't think it can be achieved w/o any 3rd party solution providers.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, April 19, 2012 9:32 AM
    Moderator
  • We are looking for a very low password change policy for the domain admins, which would not be practical for normal users. Are there any custom scripts which anyone has already developed which could be run on a regular basis to do the change, rather than investing in a 3rd-party tool? This is a temporary solution until we migrate to 2008.

    Hello,

    not without 3rd party tools.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, April 19, 2012 9:34 AM
  • It is not recommended to have a low password policy for domain administrators. With Windows 2003 you cannot have a different password policy; it is only possible with 2008 fine grained password policies.

    If you want the same you need to check third-party applications/software for the same.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, April 19, 2012 9:58 AM
  • I think there is a misunderstanding: when I said low password change policy I was referring to the passwords being changed more frequently, for example every 2 weeks, rather than what is set for normal users, which is considerably longer.
    Thursday, April 19, 2012 12:23 PM
  • Even for the above you cannot have a different GPO. You can set the maximum password age to 30 days, which will be applicable to both domain admins and normal users.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, April 19, 2012 12:31 PM
  • We are looking for a very low password change policy for the domain admins, which would not be practical for normal users. Are there any custom scripts which anyone has already developed which could be run on a regular basis to do the change, rather than investing in a 3rd-party tool? This is a temporary solution until we migrate to 2008.

    You cannot achieve this using any script. Either you have to upgrade your domain to Windows Server 2008 (to use Fine Grained Password Policy) or you need to use 3rd-party software.

    You do not have an option other than these two.

    Hope this helps you.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights. Email-giteepag@yahoo.co.in

    Thursday, April 19, 2012 12:33 PM
  • OK, so ruling out different password policies and going the script option might be an approach we could use.
    Thursday, April 19, 2012 12:34 PM