-
Setting up GP Passwords.
(2008r2 server)
Hi, one of my small primary schools has no password system in place, so the staff log on to a machine with very weak passwords. I have been over potential issues and they do not want this changed.
Recently they have asked me to set up web based vpn. I have managed to get them to agree that if someone wants vpn access they will have to have a more secure password.
So what I would like to do is have an OU with strict password policy so I can pop a user in this OU and they will be asked to change their password. I have done some reading and am not 100% sure if this is possible without affecting other users on the network.
Can someone advise me, please?
-
If you are on a 2008 or above domain functional level this is possible.
AD DS: Fine-Grained Password Policies
Search for fine grain password policy.
I set this up to allow the younger students to have weak passwords and keep staff on strong passwords.
I don't recall all the details but here is the gist.
Use ADSI Edit to create the policy in the domain.
Edit the properties to meet your needs (length, complexity, etc.).
Assign the "applies to" property to the group you want it to apply to.
I recommend creating a security group called passwordpolicy xyz and then you don't have to change the policy every time someone needs added, just put them in that group.
Hope that helps.
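The steps in the reply above, as an added example that is not part of the original thread: it uses the ActiveDirectory PowerShell module (available on 2008 R2) instead of ADSI Edit to create the policy, link it to a group, and confirm which policy a user actually receives. The names `VPN-Users-PSO`, `VPN-Strict-Password` and `jsmith` are hypothetical, and every setting other than the minimum length of 8 is a constructed sample value.

```powershell
# Added example, not from the thread. Object names are hypothetical placeholders.
Import-Module ActiveDirectory

$PsoName   = 'VPN-Users-PSO'          # hypothetical policy name
$GroupName = 'VPN-Strict-Password'    # hypothetical security group
$UserName  = 'jsmith'                 # hypothetical user

# Fine-grained policies need a domain functional level of 2008 or above.
$mode = (Get-ADDomain).DomainMode
if ($mode -match '^Windows200[03]') {
    throw "Domain functional level $mode does not support fine-grained password policies."
}

# A policy (Password Settings Object) applies to users or global security
# groups, not to OUs, so membership of this group is what selects the policy.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security

# When several policies reach one user, the lowest Precedence value wins.
# Values below are samples; adjust to local requirements.
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -MinPasswordLength 8 -ComplexityEnabled $true -PasswordHistoryCount 12 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' -ReversibleEncryptionEnabled $false

# Set the "applies to" link on the policy to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# Grant a user the stricter policy and force a change at next logon.
Add-ADGroupMember -Identity $GroupName -Members $UserName
Set-ADUser -Identity $UserName -ChangePasswordAtLogon $true

# Check the effective policy for the user. No output means no fine-grained
# policy applies and the default domain policy is in force.
$effective = Get-ADUserResultantPasswordPolicy -Identity $UserName
if ($effective) {
    $effective | Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled
} else {
    Write-Warning "$UserName is still governed by the default domain policy."
}
```

The final check reports the policy the domain controller enforces for that user, independent of the requirements text shown in the password change dialog.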
-
Thanks for the info. I have just set up a test password policy which does work but displays incorrect info in the message box, for example I set min password length to 8 but in the password reset box that is displayed to the user it says the password must be more than 0 in length.
Any idea?
-
After a bit more testing it appears that the password reset box info shown to a user is the default domain password info and not the fine grained password info applied to the user, although the user still has to enter the fine grained password requirements in order to reset the password. So the fine grained password is being applied to the user.
How do I get the correct reset requirements info to be displayed?