password complexity help

[timbo343]

We are trying to enforce password complexity into our domain but dont want to enforce it for pupils. Looking and testing the settings on the servers, it looks like it can only be done at domain level not OU level. Is there a way we can configure this per OU? It can be done via password filtering but it means eidting the registry on each DC and i dont particually want do that. is there an easier way?

Thanks in advance

Tim

[Gatt]

Unfortunately - No

Password Policies are set at the domain level and only take effect in the Default Domain Policy.

Only solution would be seperate domains for pupils and staff..

[ajbritton]

Quote:

Originally Posted by Gatt

Unfortunately - No

Password Policies are set at the domain level and only take effect in the Default Domain Policy.

Only solution would be seperate domains for pupils and staff..

Be careful how loud you say that... hang on... what's that noise ... oh no! ... here they come... IT'S THE YOU MUST USE A SINGLE DOMAIN gang..... :P

[Norphy]

My last place used multiple domains for precisely this reason. And about a month after I set that up, I found about this.

I swore.

[ajbritton]

Did you find out how much it costs?

[Norphy]

No but I suspect it's not cheap.

[ajbritton]

That would be my guess as well. Unless of course they do academic pricing.

[plexer]

Well I'll found out when they get back to me.

Ben

[Gatt]

Shame, cos their GPUpdate tools were great - espcially with them being free and all..

[Kyle]

Easy Solution here.

Set the Policy,
Got to a OU with Pupils
Select all of them, then right click properties,
choose password never expires.

This will stop the pupils passwords ever expiring. Do this for all pupils/users you don't want passwords expiring for.

I have used this successfully before.

You can still go in a change the password for them or use a script to force users from a certain OU choose a different password at next log on.

[FN-GM]

Quote:

Originally Posted by Kyle

Easy Solution here.

Set the Policy,
Got to a OU with Pupils
Select all of them, then right click properties,
choose password never expires.

This will stop the pupils passwords ever expiring. Do this for all pupils/users you don't want passwords expiring for.

I have used this successfully before.

You can still go in a change the password for them or use a script to force users from a certain OU choose a different password at next log on.

He doesn't want the users passwords not to expire he wants to set a policy on certain users on how complex there passwords are

[ajbritton]

Quote:

Originally Posted by Kyle

Easy Solution here.

Set the Policy,
Got to a OU with Pupils
Select all of them, then right click properties,
choose password never expires.

This will stop the pupils passwords ever expiring. Do this for all pupils/users you don't want passwords expiring for.

I have used this successfully before.

You can still go in a change the password for them or use a script to force users from a certain OU choose a different password at next log on.

This will work if you change the passwords manually via DSA.MSC, but if you configure the 'force password change' attribute, then the password policy will be applied.

[plexer]

For 850 users in 1 AD domain the price is:

£1461.25

2nd and 3rd maintenance combined is £500

Ben

[PiqueABoo]

Quote:

the price is:

OUCH!

I did a password filter a long time ago (as usual) which tested them against a memory mapped dictionary file and definitely wasn't hard.

Multiple password policies is more complex because you need to need get hold of an OU or group membership from an account name in order to pick and test their proposed password against the right policy. That means talking to AD and in this context I'm currently not sure which of several userland approaches to that might work or be be safe, but it can't be that hard!

Anyway at that price I'd probably hold fire on a solution now and start considering whether it might be an idea to just upgrade DCs to Server 2008 next summer.

Well not me personally, I'm actually wondering whether to have a quick look at this and knock one out at a bargain basement price.

[mrcrazy04]

If you got an open source GINA dll, then you could integrate it into that to do the lookups and apply the relevant policy - and then it isn't running in userland.