One way trust password policy (!)

    Question

  • Hello,


    I received a very good (in my opinion) question from a security team in my company. They would like to set up a one-way trust between two domains.

    Domain A: to be trusted, but it has weak password policy (computer configuration)

    Domain B: the one that trusts Domain A, has a stronger password policy.

    The users from Domain A will be authenticating on Domain B and RDP to its servers. Which GPO for the password applies to the Domain A Users that login to Domain B Computers? Domain A GPO or Domain B GPO?

    Thanks!

    Wednesday, April 5, 2017 11:47 AM

Answers

  • I think there is a bit of confusion here. Group policies have a Password Settings section but it is not used the same way depending on where the GPO is linked.

    So if the GPO applies to the domain controllers of a domain, the settings you defined apply to the user accounts of this domain (and this domain only). If the GPO applies to member servers or workstations, the settings apply to the local users (SAM) of these systems.

    So regardless of where a domain user connects, it always has the same policy, the one which applies to its domain controllers.

    It is also possible to apply a different password policy than the one which applies on domain controllers for domain users. This is called Fine Grained Password Policy. And despite the name (policy), it is not a GPO but a specific object that you will link to users or groups (so not to OUs like GPOs). So you can have a different password policy for regular users, service accounts and administrators within the same domain. Read more about it here: https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by VasileiosG Wednesday, April 5, 2017 12:28 PM
    Wednesday, April 5, 2017 12:21 PM
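The following PowerShell is an added example, not code from the thread or from Microsoft documentation; it shows how to check which policy actually governs a trusted-domain account and how to tighten it where the answer says it must be done (in Domain A, with a fine-grained password policy). It assumes the RSAT ActiveDirectory module, and the domain names, the user `jdoe` and the group `RDP-To-DomainB` are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module;
# "corp-a.example" (trusted Domain A), "corp-b.example" (trusting Domain B),
# the user "jdoe" and the group "RDP-To-DomainB" are placeholder names.
Import-Module ActiveDirectory

$domainA = 'corp-a.example'   # trusted domain: the user accounts live here
$domainB = 'corp-b.example'   # trusting domain: the RDP servers live here

# 1. Confirm the trust direction as seen from Domain B.
Get-ADTrust -Filter * -Server $domainB |
    Select-Object Name, Direction, TrustType

# 2. A Domain A account is governed by the policy enforced by Domain A's
#    domain controllers no matter where the user logs on, so Domain B's
#    stricter policy never reaches it. Compare the two domain defaults.
foreach ($d in $domainA, $domainB) {
    Get-ADDefaultDomainPasswordPolicy -Server $d |
        Select-Object @{n='Domain';e={$d}}, MinPasswordLength,
                      ComplexityEnabled, MaxPasswordAge, LockoutThreshold
}

# 3. Raise the bar for the specific Domain A accounts that will RDP into
#    Domain B with a fine-grained password policy (PSO). The PSO must be
#    created in Domain A and linked to a group, not to an OU.
$pso = @{
    Name                     = 'PSO-RDP-To-DomainB'
    Precedence               = 10      # lowest value wins if several apply
    MinPasswordLength        = 14
    ComplexityEnabled        = $true
    MaxPasswordAge           = (New-TimeSpan -Days 90)
    PasswordHistoryCount     = 24
    LockoutThreshold         = 5
    LockoutDuration          = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow = (New-TimeSpan -Minutes 30)
    Server                   = $domainA
}
New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-RDP-To-DomainB' `
    -Subjects 'RDP-To-DomainB' -Server $domainA

# 4. Verify the resultant policy for a member of that group. If no PSO
#    applies, this returns nothing and the Domain A default is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' -Server $domainA
```

Step 4 is the check worth repeating after any change: an empty result means the account has fallen back to the weaker domain default.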

All replies

  • Hi,

    thank you for your reply! Is it possible for the password policy on Domain B to dictate if a user from Domain A is allowed to log in, since the latter is stricter?

    Wednesday, April 5, 2017 12:15 PM