LinkBack URL
About LinkBacksHello All
Is it possible to use two password policies one domain eg staff with complex passwords and students with no passwords?
Many thanks for your help and advice.
Alex
Hello All
Is it possible to use two password policies one domain eg staff with complex passwords and students with no passwords?
Many thanks for your help and advice.
Alex
we start our year 7 pupils off with the same password, 1 to 5, and then force them to change it at first logon. I worked in a place where staff were given the chance to change pupils passwords, and one teacher changed them all to "dog", which is the same as having no password at all. As you can imagine, folders started to disappear from pupil areas, work was copied and presented as their own work etc. but then again, I work in a secondary school.
beeswax
Thanks Beeswax
I should have mentioned that I am talking about a Primary school here. Sorry for the confusion.
Alex
No. To have different password policies for different users you need to put them in seperate domains. This is what we have done.Originally Posted by ictex
Hello All
Is it possible to use two password policies one domain eg staff with complex passwords and students with no passwords?
Many thanks for your help and advice.
Alex
Cant you setup 2 different group policies with 2 different password policies(on the same domain that is)?No. To have different password policies for different users you need to put them in seperate domains. This is what we have done.
No Norphy is correct the password policy is for the whole domain only.
I'd say that you could set different account policies in a GPO attached to an OU. The only policy that has to come from the default domain policy is the Kerberos Policy.
No. Account policies are per domain. See MS article here. Believe me, if they weren't I wouldn't have gone to the trouble of setting up such an elaborate system.
You could be right there - although the wording from MS does not make it clear.
I'm wondering now what else is Default Domain Policy Only?
Seems fairly unambiguous to me. I'm pretty sure that its just account policies that are set per domain. Everything else can be set on the OU level
Ah yes.. duh oh yes now i remember.. Password Policies are set at domain level. Looks like me grey matter is starting to go :?
For 2000 - clear as day but 2003 manual not so clear :P But 'Inside AD 2nd edition by Sakari Kouti - Mika Seitsonen' puts it in plain english
Many thanks to all for your help :-)
Policies are per domain if you stick to the pure microsoft aproach. You can however install a custom GINA which will intercept password changes and allow you to apply your own policy based on whatever criteria you see fit.
It is mildly frightening, but there are even open source projects. Google for custom gina and check out sourceforge for the open source stuff. It is also used as a method of synchronising password changes with non MS systems by notifying them of password events.
One of the big projects is called pGINA which seems stable and reputable, but beware, there are trojan GINAs out there which will just capture passwords (fun to play with though)
Some idle googling trying to find the site I remembered revealed this site
http://www.rohos.com/welcome-screen/usbflash.htm
Which seems a very interesting idea - I shall probably play with it later but it might be worth you taking a look - if the user does not have to remember a password it can be as complex as you want with no worries
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
Reply With Quote